DORA: What is it and how is it revolutionizing the way European insurers manage and mitigate risk?

Europe’s financial sector is coming into a new era of regulation. As part of a digital package to allow Europe’s financial sector to leverage the benefits of tech and innovation, the European Union introduced the Digital Operational Resilience Act (DORA), recently adopted by the European Parliament.

The Act is a response to the detrimental impact of major information and communication technology (ICT) incidents and aims to fortify the digital operational resilience of the financial sector, including insurance companies. In fact, its implementation in the insurance industry has the potential to revolutionize how insurers manage and mitigate cyber risks.

There are five main pillars of DORA:

In essence, DORA holds financial groups accountable for the security of the tech vendors they employ. And it applies to third parties that provide critical ICT services to the insurance industry, such as cloud computing services, software (e.g. underwriting platforms for e-trade business), data analytics services and data centres.

It is a regulatory response to the sector’s increasing reliance on third-party tech providers in which the loss of one node hits the entire system. The International Monetary Fund has noted that reliance on common service third-party providers means attacks have a higher probability of having systemic implications and could make entire sectors vulnerable – losses can be high and become macro-critical.

As such, it places certain requirements on firms in the industry, including rapid reporting of cybersecurity incidents, visibility in third-party dependencies and capacity to respond to audit requests.

As we approach DORA’s implementation in 2023 and 2024, the crucial question is: what tools will insurers adopt to comply with DORA, and will the European Insurance and Occupational Pensions Authority (EIOPA) – the sector’s main regulatory institution – consider tech solutions as part of the DORA technical standards?

One viable option is cyber risk ratings, which objectively assess an organization’s cybersecurity posture based on various factors, including network security, data protection and incident response capabilities. Managing cyber risk across the digital supply chain is also increasingly critical. According to SecurityScorecard’s joint research with the Cyentia Institute, 98% of organizations have a relationship with at least one third-party that has experienced a breach in the last two years.

Insurers already employ cyber risk ratings to evaluate the risk of a cyberattack and determine appropriate coverage pricing. Utilizing this tool to manage their own third-party risk and comply with DORA is a logical progression. By adopting cyber risk ratings, insurers can manage their third-party risks effectively and make informed underwriting decisions. Given DORA’s requirements, adopting cyber risk ratings becomes increasingly vital as insurers must demonstrate their ability to identify, assess and manage cyber risks.

Given the systemic implications of third-party cyber risk, EIOPA should introduce mandatory cyber risk ratings in the form of technical standards. These standards can provide detailed guidelines on ICT requirements and reporting obligations that insurers must follow to comply with DORA.

A precedent exists with the European Banking Authority (EBA) technical standards for the Payment Services Directive (PSD2) – introduced to enhance customer protection during payment transactions and promote business innovation – which outlined in-depth how technology standards in authentication should be managed while remaining tech-neutral.

It is a global trend; legislation will mandate cyber risk ratings in France. In addition, the French Cyberscore Law creates the obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on 1 October 2023.

The French Cyberscore Law should be a model for EIOPA, which has much room to interpret DORA technical standards. For example, research from IBM found a supply chain compromise caused nearly one-fifth of data breaches, and these compromises made breaches more expensive and resulted in longer life cycles.

The research also showed that a supply chain breach took 26 days longer to identify and contain than the global average. This risk level is unacceptable in systemically important financial services, particularly in insurance.

By prompting insurers to adopt innovative tools like cyber risk ratings and by potentially introducing mandatory technical standards through EIOPA, DORA fosters a more resilient and secure financial sector.