On 27 December 2022, the Digital Operational Resilience Act (DORA) was published in the Official Journal of the EU.
It includes a regulation and a directive on digital operational resilience for the financial sector, including insurance. Payments, claims management, and digital insurance underwriting earn special mention as critical functions.
Why is DORA important when we’re considering the business and insurance industry space?
For the first time, cybersecurity and digital operational resilience are recognised in law as vital for ensuring financial stability and market integrity in the digital age and are elevated to the same level as common prudential or market conduct standards.
While DORA refers to “harmonisation” of previously uneven national regulatory or supervisory approaches which could have distorted competition between the same type of financial entities operating in different EU Member States, it intentionally introduces new, more stringent Information and Communication Technology (ICT) risk management and ICT-related incident reporting requirements compared to those laid down in EU financial services law.
How long has DORA been in the planning pipeline, and have events in recent years (digital transformation/Covid) accelerated its timeline?
DORA is one of the three key planks of the European Commission’s Digital Finance Package, and builds on the work in the FinTech Action Plan of 2018, but the best way to plot its path into existence is to look at the development of the financial services sector over the last decade.
Digitization and digital innovation, driven in large part by fintechs and insurtechs, have really taken off over this period.
The COVID pandemic was also a catalyst for further digitization.
Just how much more additional regulation will DORA add to companies, and who will carry the burden of this regulation?
The detail of the act is fairly prescriptive, imposing new responsibilities around network design, management and monitoring, maintenance of redundant infrastructure and availability of systems, establishing minimum standards for backup and restore right through to threat-level penetration testing for some organisations and putting legacy systems (which are commonplace across the insurance industry) very firmly under the microscope.
As regards who will carry the burden, DORA refers repeatedly to placing new obligations on “ICT third-party service providers.” Here at FINEOS, we’ve studied the act carefully as it moved through the stages to ensure that the FINEOS Platform remains industrial-strength and compliant, and that we seamlessly support our client insurers as the regulation comes into force.
However, a casual reader of the act can easily get thrown by the use of the term “third party,” thinking that it applies only to organisations like FINEOS. It doesn’t. DORA recognises that intra-group provision of ICT services within an insurance group is no less risky than the provision of ICT services by third-party providers and should, therefore, be subject to the same regulatory framework. So, the act can be seen as placing a similar onerous responsibility on an insurer’s IT function within the group. This might come as quite a shock to some insurance CIOs.
What impact will DORA have on the insurance industry?
There is often a tendency to react to increasing regulation with words like “bureaucracy” and a resistance to perceived interference in our industry, but challenges like the cyber
By raising the resilience of the industry as a whole, I believe that the impact of this regulation will only be good for the community we serve, the insureds.
Similarly, by harmonising to a higher standard, DORA will remove legislative disparities and improve competition, which is better for insurers and consumers.
How do you think the landscape will develop and react as a result of these new regulations? Will businesses be stronger?
Right now, there is a debate ongoing among the technology vendors which serve the insurance industry between on-premises and cloud, and within the cloud faction, between public and private cloud. I believe that DORA pretty much settles both of these discussions.
One of the recitals to the act states, “[I]t has become inconceivable to provide financial services without the use of cloud computing services, software solutions and data-related services.” I believe the act is written substantially from that viewpoint.
As an example, under the act, members of an insurer’s management team must develop sufficient ICT skills and actively keep up to date with technology trends to understand and assess ICT risk in their external or intra-group provider relationships. Today the C-suite of an insurer leans heavily on the CIO and experts within her team to lead this, but as the act refers to “an appropriate level of independence… to avoid conflicts of interest,” this works where the CIO oversees external relationships but becomes tangled if the CIO’s team delivers or maintains the service. Over time this will make the decision to invest further in on-premises or private cloud initiatives ever more fraught.
Longer term, I see business advantage for insurers moving away from the development and ownership of digital technology to the expert use of such technology by business users. Through this focus, insurance businesses will be stronger.
What strategies should companies employ in preparation for the changes DORA will bring?
For insurers, and insurance CIOs in particular, I think that DORA is the death knell of many older on-premises and legacy systems, and those CIOs who grasp the nettle will ultimately succeed, as they will transition in a planned and unrushed manner.
For insurtechs which can be categorized as insurance technology startups, I think DORA creates myriad opportunities to provide value to insurers and positive tailwinds. These businesses need to demonstrate that they can meet the high bar set by DORA.
For insurtechs which can be categorized as insurance company startups, I think DORA redefines expectations on these businesses. Unless they are really small (fewer than 10 employees, less than €2M turnover) they are going to have to take on the incumbents without a safety net such as the UK’s FCA Regulatory Sandbox.
I hope you’ll forgive me for ending on the Cassius quote from “Julius Caesar”: “It is not in the stars to hold our destiny but in ourselves.”
About Paul Donnelly
Paul Donnelly is the Executive Vice President, EMEA at FINEOS, a leading provider of core systems for life, accident and health insurers globally with seven of the 10 largest group life and health carriers in the US as well as a 70% market share of group insurance in Australia.
He is a passionate advocate of design and user experience, incorporating best-practice techniques and principles to build products that inspire users, and places great store in rigorous market analysis, segmentation, and value proposition alignment.
Donnelly is also the former EVP, EMEA of Munich Re, where he spent almost 14 years, and his 30+ years of experience include roles in telecommunications, software development and entrepreneurship.