Exploring the Impact of DORA on the Future of the Insurance Sector
Advisense recently conducted a study interviewing 20 insurance companies about the anticipated impacts of the Digital Operational Resilience Act (DORA). In this article, we outline what DORA means for the insurance sector and its actors.
The Digital Operational Resilience Act (DORA) is a proposed regulation by the European Commission aimed at enhancing the operational resilience of the financial sector in the European Union.
DORA seeks to harmonise existing rules pertaining to the management of Information and Communication Technology (ICT) including governance, risk management, incident reporting, security testing, and third-party risk management. The ultimate goal of DORA is to ensure that there is operational resilience against cyber-attacks and the effective management of third-party risks.
DORA was adopted in December 2022 and is scheduled to enter into force on January 17, 2025. In the meantime, the EU will publish Regulatory Technical Standards (RTS or TS) to provide detailed guidance and assistance to financial companies implementing DORA. The first draft of the Technical Standards is expected to be published during the summer of 2023.
The impacts of DORA on the insurance sector
The insurance sector is currently undergoing a major transformation driven by the broader societal shift towards digitalisation. Insurers are increasingly digitalising internal processes to capitalise on the benefits of optimisation, speed and improved quality of service. Simultaneously, they are digitalising customer interfaces to meet customer needs and expectations. Moreover, the insurance sector is experiencing the entry of InsurTech companies that challenge traditional business models with their strong technological foundations.
Digitalisation and operational resilience in the insurance sector, two sides of the same coin
Whilst the benefit of digitalisation is clear, it also brings with it risks and challenges that need to be addressed. To avoid disruptions in services and ensure customer trust, it is imperative for insurance companies to develop a high level of digital operational resilience. DORA will affect the insurance sector in several ways. Firstly, it will require insurance companies to assess and manage risks in their digital infrastructure systematically and rigorously. This will involve insurance companies gaining a comprehensive understanding of their ICT risks and developing a clear insight into the interdependencies within their system architecture. Insurance companies will need to be fully aware of potential threats and vulnerabilities, both current and future, and develop plans to address them. Furthermore, protecting the information security of insurance companies requires the development of a stringent security testing framework. This framework should assess the security implications of new products and services, as well as of changes to existing products and services, safeguarding the company's security capability as it evolves into the digital realm. To protect insurance companies from digital risks, it is therefore crucial that Risk and Compliance management work in close collaboration with IT and Information Security management.
DORA will also require insurance companies to have clear plans in place to manage disruptions and outages in their digital infrastructure. This includes establishing incident management protocols and guidelines, and clear strategies to restore systems following an incident. Clear and effective internal and external communication plans for informing customers and other stakeholders are an essential aspect of recovery planning.
Finally, DORA will require insurance companies to have clear management over third-party providers. In today's interconnected world, insurance companies cannot provide services to the market as stand-alone companies. Rather, they must rely on other service providers and infrastructure providers to deliver optimal services to their customers. While the benefits of third-party collaboration usually outweigh the associated risks, those risks should not be underestimated. Insurance companies must exert the same level of control and risk and security management over third-party providers as they would if the services were handled in-house. This aligns with the old pithy saying "trust is good, but control is better".
Insights from Insurance Industry Experts on DORA
FCG interviewed approximately 20 insurance companies in the Nordics for a concise, high-level survey. These insurance companies consisted of a mix of large and small, life and non-life insurance companies, captives and start-ups. The survey focused on understanding how DORA is expected to change the risk management framework, incident management processes, outsourcing practices, and information and cyber security management within the insurance sector.
All respondents unanimously indicated the need to update and modify their risk framework to align with the requirements of DORA. These changes primarily involve better integrating the ICT risk management framework into the current risk management framework. This will of course require adjustments in the overall risk management framework, including the risk policy, risk appetite framework, risk monitoring, risk reporting and risk management processes. A notable distinction can be made between the insurance sector's and the banking sector's approach to DORA integration. Whilst the insurance sector aims to integrate DORA into its existing risk framework, the banking sector is currently evaluating whether the risk management framework proposed in DORA should be implemented separately. Although the changes are not considered significant, the proposed DORA risk framework shifts the focus slightly towards proactive risk management, without undermining the importance of risk control.
Many respondents acknowledged the need to invest time and effort into further detailing the incident management process, including categorisation schemes and more detailed reporting routines. Educational activities and awareness campaigns were deemed essential to ensure the identification and reporting of all incidents. Some companies anticipated modifications to their incident management systems, either as standalone solutions or as part of the broader GRC system, to align with the DORA requirements.
The outsourcing governance framework is an area which raised significant uncertainty among the respondents, particularly due to the lack of clarity surrounding the extended scope of ICT third-party providers. They expressed concern that this section of DORA brings significant changes to the current outsourcing governance framework. As a result, significant investments in time and resources will be required to expand outsourcing strategies, pre-assessments, information security requirements, due diligence and exit strategies to meet the enhanced level of insight DORA requires. Management and control of services provided by third-party providers will also be crucial and will require substantial effort.
Information security management is an area where the respondents indicated the need for significant investment, particularly in the development of the security testing framework. This is an area where the respondents already employ a risk-based approach, where DORA now raises the bar. Respondents stated that a specific security testing framework will need to be developed to ensure compliance with DORA. Achieving a balance between financial investments and security benefits will be critical in this area.
Most respondents expressed confidence around operational resilience, as most already have established business continuity plans. However, they recognised the need to expand their resilience capabilities beyond traditional business continuity management. Analysing and managing the overall ability to demonstrate operational resilience will be crucial moving forward.
In conclusion, FCG's high-level survey shows that outsourcing governance and security testing are the areas demanding the largest investment of time and effort from insurance companies. Interesting discussions are being held regarding changes to the risk management framework and practices, indicating a future divergence between sectors. Lastly, while incident management is an area where the respondents felt confident, internal awareness and reporting still pose a great challenge.