Introduction

The European Union's Digital Operational Resilience Act (DORA) is an upcoming regulatory proposal designed to unify, strengthen, and harmonize the standard of digital resilience frameworks across the financial sector. The proposed regulation is poised to have significant implications across the financial industry, including banks, credit and payment institutions, investment firms, and notably, insurance and reinsurance firms. This paper seeks to explore the implications of DORA with a specific focus on the insurance industry. 

Overview of DORA

DORA was drafted in response to the increasing digitalization of the financial sector and the corresponding surge in cyber threats. It aims to create an integrated framework that will enhance the industry's operational resilience against these threats.

DORA primarily covers five areas:

• ICT Risk Management: DORA mandates that institutions maintain operational resilience, expanding the definition of risk to include technology-dependent processes and tools.

• ICT Incident Reporting: Under DORA, financial institutions must extend incident reporting to include incidents within critical third-party providers.

• Digital Operational Resilience Testing: Institutions must complete broad threat-led penetration testing that includes third-party service providers.

• ICT Third-Party Risk Management: Third-party providers must provide services consistent with DORA requirements.

• Information Intelligence and Sharing: DORA encourages financial institutions to voluntarily share cyber threat intelligence across the industry.

Impact on the Financial Industry

The financial industry, by its very nature, is vulnerable to ICT risks, and with the rising reliance on third-party service providers, the risk is ever-increasing. DORA is designed to combat these risks effectively and comprehensively. As such, it has broad implications for the sector, mandating a more granular, comprehensive, and holistic approach to ICT risk management.

DORA and the Insurance Industry

While the scope of DORA extends to the entire financial industry, the insurance sector is a key target, considering its significant reliance on digital technologies and third-party services.

Third-Party Risk Management

Insurance companies extensively outsource their ICT systems, with a significant portion of key services outsourced to third-party providers. Under DORA, insurers will be required to ensure these providers comply with DORA's ICT risk management, incident reporting, and resilience testing requirements. As a result, insurers may need to renegotiate contracts or even change suppliers to meet DORA’s expectations.

Digital Operational Resilience Testing

Insurance companies will also be required to complete digital operational resilience testing, including broader threat-led penetration testing. This will be instrumental in identifying potential vulnerabilities and ensuring that cybersecurity measures are fit for purpose. As threats evolve rapidly, these assessments will need to be continuously updated and improved.

Information Sharing

DORA encourages insurers to voluntarily share information about cyber threats across the industry. This proactive measure will facilitate a collaborative approach to managing and mitigating cyber threats.

Impact on Organizational Structure

The implementation of DORA may necessitate organizational changes within insurance companies, including the establishment of agile teams and processes to manage the new requirements. Furthermore, there will be a need for increased collaboration between internal functions, external partners, and technology vendors.

Conclusion

DORA represents a significant step forward in enhancing the digital resilience of the financial sector, with notable implications for the insurance industry. While its implementation may present initial challenges, its strategic benefits cannot be underestimated. Insurers that effectively leverage DORA can significantly enhance their operational resilience, reduce costs and risks, and secure a competitive edge in the increasingly digital marketplace. The proactive and strategic implementation of DORA could mark the beginning of a new era of digital operational resilience in the insurance industry.