
This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.
Author: Dan Morgan, Senior Government Affairs Director for Europe & APAC, SecurityScorecard
- The European Union’s Digital Operational Resilience Act (DORA) was introduced to protect financial companies from major information and communication technology (ICT) risks.
- DORA holds financial groups, including insurance companies, accountable for the security of the tech vendors they employ, as third parties have increased the sector’s vulnerability.
- Cyber risk ratings are a viable technical solution under DORA for objectively assessing an insurance company’s cybersecurity posture.
Europe’s financial sector is coming into a new era of regulation. As part of a digital package to allow Europe’s financial sector to leverage the benefits of tech and innovation, the European Union introduced the Digital Operational Resilience Act (DORA), recently adopted by the European Parliament.
The Act is a response to the detrimental impact of major information and communication technology (ICT) incidents and aims to fortify the digital operational resilience of the financial sector, including insurance companies. In fact, its implementation in the insurance industry has the potential to revolutionize how insurers manage and mitigate cyber risks.
How does DORA work?
There are five main pillars of DORA:
- Risk management.
- Incident reporting.
- Digital operational resilience testing.
- ICT third-party risk management.
- Sharing of information and intelligence.
In essence, DORA holds financial groups accountable for the security of the tech vendors they employ. And it applies to third parties that provide critical ICT services to the insurance industry, such as cloud computing services, software (e.g. underwriting platforms for e-trade business), data analytics services and data centres.
It is a regulatory response to the sector’s increasing reliance on third-party tech providers in which the loss of one node hits the entire system. The International Monetary Fund has noted that reliance on common service third-party providers means attacks have a higher probability of having systemic implications and could make entire sectors vulnerable – losses can be high and become macro-critical.
As such, it places certain requirements on firms in the industry, including rapid reporting of cybersecurity incidents, visibility into third-party dependencies and the capacity to respond to audit requests.
As we approach DORA’s implementation in 2023 and 2024, the crucial question is: what tools will insurers adopt to comply with DORA, and will the European Insurance and Occupational Pensions Authority (EIOPA) – the sector’s main regulatory institution – consider tech solutions as part of the DORA technical standards?
Technical solutions strengthen security at scale
One viable option is cyber risk ratings, which objectively assess an organization’s cybersecurity posture based on various factors, including network security, data protection and incident response capabilities. Managing cyber risk across the digital supply chain is also increasingly critical. According to SecurityScorecard’s joint research with the Cyentia Institute, 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.
Insurers already employ cyber risk ratings to evaluate the risk of a cyberattack and determine appropriate coverage pricing. Utilizing this tool to manage their own third-party risk and comply with DORA is a logical progression. By adopting cyber risk ratings, insurers can manage their third-party risks effectively and make informed underwriting decisions. Given DORA’s requirements, adopting cyber risk ratings becomes increasingly vital as insurers must demonstrate their ability to identify, assess and manage cyber risks.
Given the systemic implications of third-party cyber risk, EIOPA should introduce mandatory cyber risk ratings in the form of technical standards. These standards can provide detailed guidelines on ICT requirements and reporting obligations that insurers must follow to comply with DORA.
A precedent exists with the European Banking Authority (EBA) technical standards for the Payment Services Directive (PSD2) – introduced to enhance customer protection during payment transactions and promote business innovation – which outlined in-depth how technology standards in authentication should be managed while remaining tech-neutral.
This is part of a global trend: in France, legislation will mandate cyber risk ratings. In addition, the French Cyberscore Law creates an obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on 1 October 2023.
The French Cyberscore Law should be a model for EIOPA, which has much room to interpret DORA technical standards. For example, research from IBM found a supply chain compromise caused nearly one-fifth of data breaches, and these compromises made breaches more expensive and resulted in longer life cycles.
The research also showed that a supply chain breach took 26 days longer to identify and contain than the global average. This risk level is unacceptable in systemically important financial services, particularly in insurance.
By prompting insurers to adopt innovative tools like cyber risk ratings and by potentially introducing mandatory technical standards through EIOPA, DORA fosters a more resilient and secure financial sector.