New DORA regulation: the challenge for insurers to strengthen their IT and cyber risk management

Thu 23 Mar 2023

Since the start of 2023, regulatory news has been dominated by the latest European legislation, known by the acronym DORA and adopted by the European Parliament on 10 November 2022. Standing for the Digital Operational Resilience Act, it will apply across the member states of the European Union from 2025 and specifically concerns companies in the financial sector.

A response to cyber threats based on 4 main pillars

DORA responds to a context marked by crises and incidents that threaten the continuity of global economic activity. These events hit financial institutions particularly hard: they underpin economic stability, and in recent years they have made digital tools, automation and artificial intelligence central to their IT systems, which widens their exposure to attack.

The 4 main pillars of DORA are therefore aimed at better managing cyber and IT risks:

  • The first pillar of DORA focuses on the management of risks related to Information and Communication Technologies (ICT), thus reinforcing pre-existing requirements: implementation of a risk management framework including the identification of critical and important functions, the associated risks, and a mapping of ICT assets.
  • The second pillar concerns the reporting of ICT incidents and introduces a standard methodology for classifying incidents.
  • The third pillar focuses on prevention, by introducing very thorough operational resilience testing, including threat-led penetration testing (TLPT). This pillar contains many new features. For example, companies will have to define an advanced testing programme, carried out by independent parties and including a series of specific assessments, tests and methodologies.
  • Finally, the fourth pillar of the DORA regulation establishes a classification of critical third-party suppliers. These third parties will be monitored by the ACPR, which will be able to conduct on-site audits, issue recommendations and impose financial penalties in the event of non-compliance.

A direct impact on insurers

For insurers, many challenges lie ahead, as various measures will have to be put in place or reinforced to comply with these new requirements. From now on, incidents classified as major will have to be reported to the competent regulatory authority, and a follow-up report will have to be drawn up for market players. The security policy will also have to be reviewed annually and after any major incident, in line with the instructions of the supervisory authorities or the conclusions of the relevant resilience tests or audit processes.

In addition, the contractual conditions with ICT providers will have to be reviewed, particularly the termination and post-contractual (exit) provisions. Several large companies have already launched additional work on IT risk management, to better understand their relationships with the identified critical ICT suppliers and the advanced resilience tests to be defined. However, DORA also represents an undeniable source of opportunities: it makes it possible to align existing directives with one another and establishes itself as an umbrella regulation, for example for the reporting of security incidents.

Indeed, the ambition of this new regulation is to build on the rules in force to establish a single, homogeneous European framework, allowing insurers to optimise their internal processes. This is the case, for example, for the advanced testing programme: penetration tests carried out for financial institutions in any member state will be valid in the other European countries, enabling financial actors to rationalise their compliance costs and removing the need for systematic bilateral agreements for the recognition of these tests.

An opportunity to improve risk management, but a practical application yet to be specified

DORA therefore aspires to enrich, clarify and coordinate the pre-existing requirements by adding governance and top-management involvement requirements that may have seemed too weak in the previous regulations. These requirements allow for a more fluid and, above all, more exhaustive management of cyber and IT risks, which insurers need in order to fully control their business.

This regulation thus responds to the current concerns of insurers, since the threats are real, as demonstrated by the multiple cyber-attacks suffered by several French insurers in recent years. A quick understanding of this regulation and of its operational, strategic and organisational impacts, together with a suitable framework for the resulting actions, will allow insurers to approach this compliance calmly.

Several grey areas remain, because the text has not yet been transposed into Level 2 and Level 3 texts. As the ACPR has 6 to 18 months to publish the Regulatory Technical Standards (RTS), will there be enough time to comply before the regulation takes effect? As the scope of the tests is very broad, will all insurers have sufficient resources to comply with the regulation? Will the compliance of supplier contract clauses with those required by DORA be enforced? These are all questions that need to be kept under review, and which will require further in-depth analysis.