Cyber risk ratings could build digital resiliency within the insurance industry. Image: Unsplash/Vlad Deep
- The European Union’s Digital Operational Resilience Act (DORA) was introduced to protect financial companies from major information and communication technology (ICT) risks.
- DORA holds financial groups, including insurance companies, accountable for the security of the tech vendors they employ, as third parties have increased the sector’s vulnerability.
- Cyber risk ratings are one viable technical means of meeting DORA's requirements, offering an outside-in assessment of the cybersecurity posture of an insurer and of the third parties it depends on.
Europe's financial sector is entering a new era of regulation. As part of a digital finance package intended to let the sector benefit from technology and innovation while containing the associated risk, the European Union introduced the Digital Operational Resilience Act (DORA), adopted by the European Parliament in November 2022 and published as Regulation (EU) 2022/2554.
The Act responds to the damage caused by major information and communication technology (ICT) incidents and aims to strengthen the digital operational resilience of the financial sector, including insurance companies. Its implementation in the insurance industry could substantially change how insurers manage and mitigate cyber risk.
How does DORA work?
There are five main pillars of DORA:
- Risk management.
- Incident reporting.
- Digital operational resilience testing.
- ICT third-party risk management.
- Sharing of information and intelligence.
In essence, DORA holds financial entities accountable for the security of the technology vendors they use. It also reaches the third parties that provide critical ICT services to the insurance industry, such as cloud computing services, software (e.g. underwriting platforms for e-trade business), data analytics services and data centres.
It is a regulatory response to the sector's growing reliance on a small set of third-party technology providers, a structure in which the failure of one node can affect the entire system. The International Monetary Fund has noted that reliance on common third-party service providers raises the probability that an attack has systemic implications and could leave entire sectors vulnerable; losses can be high and become macro-critical.
DORA therefore places specific requirements on firms in the industry, including rapid reporting of major ICT incidents, visibility into third-party dependencies and the capacity to respond to audit requests.
DORA entered into force in January 2023 and applies from 17 January 2025, with the detailed technical standards being drafted during 2023 and 2024. The crucial question is: what tools will insurers adopt to comply with DORA, and will the European Insurance and Occupational Pensions Authority (EIOPA), the sector's European supervisory authority, which drafts those standards jointly with the banking and securities authorities (EBA and ESMA), treat technical solutions as part of the DORA technical standards?
Technical solutions strengthen security at scale
One viable option is cyber risk ratings, which assess an organization's cybersecurity posture from externally observable signals across areas such as network security, data protection and incident response capabilities. Because they are outside-in measurements, they are best read as a continuous early-warning indicator that complements, rather than replaces, the contractual audit and assurance rights DORA expects insurers to hold over critical providers. Managing cyber risk across the digital supply chain is increasingly critical: according to SecurityScorecard's joint research with the Cyentia Institute, 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.
Insurers already use cyber risk ratings to evaluate the likelihood of a cyberattack on a policyholder and to price coverage accordingly. Applying the same tool to their own third-party risk, and to DORA compliance, is a logical progression. By adopting cyber risk ratings, insurers can monitor their third-party dependencies continuously and make better-informed underwriting decisions. Given DORA's requirements, this becomes increasingly important, as insurers must demonstrate their ability to identify, assess and manage cyber risk throughout the lifecycle of a vendor relationship.
Given the systemic implications of third-party cyber risk, EIOPA should push for mandatory cyber risk ratings in the technical standards. These standards can set out detailed guidance on the ICT requirements and reporting obligations that insurers must follow to comply with DORA.
A precedent exists in the European Banking Authority (EBA) regulatory technical standards under the Payment Services Directive (PSD2), which was introduced to strengthen customer protection in payment transactions and promote business innovation. The EBA standards on strong customer authentication spelled out in depth how authentication should be managed while remaining technology-neutral.
The direction of travel is global, and France offers a concrete example. The French Cyberscore Law creates an obligation for digital platforms aimed at the public to obtain and display a cybersecurity certification, and it comes into force on 1 October 2023.
The French Cyberscore Law should serve as a model for EIOPA, which has considerable latitude in how it interprets DORA when drafting technical standards. The scale of supply chain risk argues for using that latitude: research from IBM found that supply chain compromise caused nearly one-fifth of data breaches, and that these breaches were more expensive and had longer lifecycles than others.
The same research showed that a supply chain breach took 26 days longer to identify and contain than the global average. That level of risk is unacceptable in systemically important financial services, particularly in insurance.
By prompting insurers to adopt innovative tools like cyber risk ratings and by potentially introducing mandatory technical standards through EIOPA, DORA fosters a more resilient and secure financial sector.
The views expressed in this article are those of the author alone and not the World Economic Forum.