What is DORA (The Digital Operational Resilience Act)?
The Digital Operational Resilience Act (DORA) will significantly impact both traditional insurance companies and insurtech firms by introducing stringent requirements for digital operational resilience. Here are the main ways DORA will affect these sectors:
Impact on Insurance Companies
Enhanced ICT Risk Management: Insurance companies will need to implement comprehensive ICT risk management frameworks to identify, protect against, and mitigate risks. This involves continuous risk assessments, documenting dependencies between systems, and developing robust cybersecurity policies.
Incident Reporting: Insurers must establish systems to classify and report ICT-related incidents to regulatory authorities. They are required to provide initial notifications, progress updates, and final reports for significant incidents, ensuring thorough documentation and analysis of root causes.
Operational Resilience Testing: Regular testing of ICT systems is mandatory, including annual vulnerability assessments and threat-led penetration testing (TLPT) every three years for larger firms. These tests help evaluate and improve the effectiveness of cybersecurity defenses and response plans.
Third-Party Risk Management: Insurers must manage risks associated with third-party ICT service providers, conducting thorough assessments and maintaining a register of all contracts. This ensures that critical third-party providers comply with DORA’s resilience standards.
Impact on Insurtech Firms
Compliance with High Standards: Insurtech firms must demonstrate that they meet DORA’s stringent requirements, which can provide a competitive edge. This involves adopting advanced ICT risk management practices and ensuring robust incident response capabilities.
Opportunities for Innovation: DORA creates opportunities for insurtechs to offer solutions that help traditional insurers meet regulatory requirements. This includes developing technologies for risk management, incident reporting, and resilience testing.
Information Sharing: While not mandatory, DORA encourages information sharing about cyber threats among financial entities. This can benefit insurtechs by fostering collaboration and enhancing collective cybersecurity defenses.
Regulatory Oversight: Insurtechs providing critical ICT services will be subject to direct oversight by designated regulators. This includes potential penalties for non-compliance, which underscores the importance of maintaining high security standards.
Practical Steps for Preparation
Insurance and insurtech firms should begin preparing for DORA by conducting gap analyses of their current ICT systems and processes. Developing comprehensive risk management frameworks, establishing incident reporting mechanisms, and engaging in regular resilience testing are crucial steps. Additionally, firms should ensure that they have robust third-party risk management practices in place to comply with DORA’s requirements by the January 2025 deadline.
By adhering to these requirements, both traditional insurers and insurtech firms can enhance their digital operational resilience, ensuring they can withstand and recover from ICT-related disruptions effectively.
Commentary:
Andy Schneider, Field CISO EMEA at Lacework, says: “DORA focuses on the financial sector and will come into effect on January 17, 2025. It applies to financial entities (including brokerages, insurance, credit institutions, investment managers, crowdfunding providers, crypto entities, and more) doing business in or with the EU. It also applies to information and communication technology (ICT) third-party service providers deemed critical by European regulators.
“DORA aims to improve the digital safety of the financial sector by setting up a system for managing risks and reporting incidents, and establishing testing requirements. Like NIS2, it holds management more responsible for cybersecurity, focuses on securing the supply chain, and encourages the use of modern detection technologies to surface unusual behaviour. It also emphasises the importance of governance and the role of senior management in overseeing cybersecurity efforts.
“It introduces corporate fines for non-compliance of up to 2% of annual turnover and personal fines for employees of up to €1 million, with critical third parties also subject to fines of up to €500,000.
“The foundation of NIS2 and DORA is strong risk management. Organisations must implement comprehensive cyber risk management processes, including risk analysis, risk detection, risk response, vulnerability management, and employee training. Business continuity and digital resilience are key themes, requiring organisations to have plans in place to maintain operations during disruptions.
“Within DORA, there’s a shift happening to focus more on detection rather than just compliance-oriented security. Detection is crucial to identify if an intrusion or breach is happening, and if those happen, there are strict reporting requirements. Without detection, there’s no way to report anything.”
InsurTech Digital is a BizClik brand