DORA Regs Will Impact All Digital Insurance Brands

This article is by René Schoenauer, Director of EMEA Product Marketing, Guidewire Software. It looks at the DORA regulations and how they affect governance, data breaches, denial of service and more.

For insurers and the wider insurtech industry building and running apps and data in the cloud, the EU’s Digital Operational Resilience Act, or DORA, is a regulatory supertanker steaming into view. DORA is the European Union’s attempt to improve IT security and operational resilience in companies within the EU financial sector. It also applies to companies providing software and associated services to that sector.

DORA does a lot of good in how it provides a unified Information and Communication Technology (ICT) risk management standard in Europe. It will replace multiple ICT risk management frameworks with a single unified approach for addressing ICT-related incidents in Europe’s financial and insurance industry.

Further, DORA addresses operational resilience within the financial industry so that business continuity can be guaranteed, even while an organisation is subject to a disrupting event, such as during a cyberattack. It requires Critical ICT Third-Party providers (CTPPs) in outsourcing arrangements to conform to regulatory standards, a requirement that will be defined and supervised by European Supervisory Authorities (ESAs), such as the EIOPA for the insurance industry.

These are very much regulations written for the cloud age, because DORA’s rules reach third-party ICT providers, including insurtechs to which key capabilities of cloud-based insurance processes have been outsourced.

For credible insurtechs who want a deep and long relationship with insurers, DORA should accelerate the good work being done around strengthening cybersecurity, good governance, and operational resilience. And vice versa, of course, as insurers will want to see proof of these credentials in whoever they access cloud services from.

With DORA set to be applied within less than 12 months, on 17th January 2025, there is not much time left in which to become fully compliant.

However, those insurers who have deployed some or most of their operations into the cloud may have the advantage of being able to adapt and respond more quickly to DORA. This contrasts with how the industry had to align with GDPR several years ago. Despite the preparation before that regulation came into effect, the reality was that unyielding legacy systems were not very friendly to change. Since then, the need for flexible, agile, and secure systems has again been highlighted by the Covid-19 pandemic and all the disruptions it brought to the world.

There is no doubt that complete adaptation to new market conditions like DORA involves the coordination of many different moving parts. Processes, people, and technology need to come together to succeed in the changed environment. However, when the software used by an organisation is flexible, regularly updated, and secure, the situation is much easier. In the case of the new generation of Software-as-a-Service offerings, vendors will often have multiple clients, most of whom face the same regulatory demands, so the vendor can respond once and adapt that response to each client’s needs.

There are several key requirements that insurers need to know about DORA when they evaluate their critical ICT third-party providers’ compliance. These include:

● Incident response: Is there evidence of governance frameworks in place, such as SOC 2 and ISO 27001, that address the security fundamentals as well as the response to security incidents within a cloud environment? Adherence to these requirements must be agreed contractually.

● Governance and monitoring: DORA compliance is currently set to be determined through a combination of inspections and the availability of specific information, including service details, incident reporting logs, and greater detail of the cyber risk defences implemented by the outsourced third party. Again, insurers must make sure this is specified in detail in the contract.

● Operational resilience: Under DORA there is a need to comply with specific regulatory requirements regarding operational resilience. This has to rely on more than just the operational resilience of the cloud provider itself; it extends to the strength of the insurance SaaS provider’s operating model, and to how transparent and rigorous those specifications are in the contract. Notably, these cannot be tick-box exercises: DORA requires penetration testing to evaluate the robustness of cyber defences, as well as other regular scans to smoke out any vulnerabilities and gaps.

Like GDPR and Covid-19 before it, the advent of DORA reminds the insurance industry that change is a certainty. However, with the right systems in place, adherence to DORA does not have to be painful, and when adopted well it can accelerate the insurance industry’s ability to become much more agile and responsive to wider market dynamics.

About Alastair Walker: 20 years’ experience as a journalist and magazine editor. I’m your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net.
