Safeguarding Insurers in the Digital Realm: The Impact of DORA Regulatory Changes


Digital transformation became the dominant buzzword in insurance technology in recent years. For forward-thinking insurers, the choice was crystal clear: either embrace transformation, modernise operations, and digitalise processes, or lag behind the rapidly evolving industry. 

As insurers scrambled to leap into the digital realm, progress and growth accelerated. Optimisation, speed, and quality of service soared. Customers were delighted by the new era of customer-centric services that revolved around them. However, on the other side of the coin, rapid digitalisation and reliance on digital technologies and third-party services resulted in a surge of security risks. Those risks include severe operational service disruptions caused by cyber-attacks and information and communication technology (ICT) issues.

To ensure the protection of insurance organizations from digital risks, it is critical that risk and compliance management work in close collaboration with IT and information security. The Digital Operational Resilience Act (DORA), which will go into effect in the European Union by January 2025, will make a significant impact on the insurance industry by setting standards for IT systems, cybersecurity, and operational risk management. DORA introduces stringent regulations to bolster the digital operational resilience of financial and insurance organizations, mitigating risks while supporting digital innovation and competition.   

The vast implications of DORA on insurers and reinsurers affect critical functions such as payments, claims management, and digital insurance underwriting. Under DORA, payments for life claims products will be considered critical payments, which face scrutiny similar to banking payments. This will include claim payments for products such as income protection, serious illness, personal accident, death benefits, etc., thereby placing life and health insurers under an urgent countdown to comply.

DORA covers the following areas impacting insurers: 

  •  Third-Party Risk Management
    In today’s interconnected ecosystem, insurance companies often outsource their ICT systems and services to third-party providers, to help deliver optimal services to their customers. DORA requires insurers to have clear management over those providers to ensure they comply with ICT risk management, resilience testing, and incident reporting requirements. This may require insurers to renegotiate contracts or even change suppliers to meet DORA’s framework.  
  •  Digital Operational Resilience Testing
    Insurers will also need to conduct systematic tests of their digital infrastructure to assess the resilience of their operations. They will need to be fully aware of potential threats and develop plans to manage disruptions and outages. Insurers also must assess the security implications of new products and services, as well as any changes to existing products and services. Given the rapid pace of evolving threats, these evaluations must be consistently updated and enhanced.  
  •  Information Sharing
    Under DORA, insurers must take proactive measures to voluntarily share information about cyber threats across the industry. This will encourage a collaborative responsibility to identify and mitigate security breaches across the insurance ecosystem. DORA’s incident management protocols and recovery planning also include clear and effective internal and external communication plans for informing customers and other stakeholders.

Preparing for a New Era of Resilience 

To align with the new regulations, insurers are currently integrating DORA into their existing risk framework. DORA is an important milestone in the insurance sector because for the first time, cybersecurity and digital operational resilience are recognised by law as essential for ensuring financial stability and market integrity in the interconnected, digital age. Millions of people depend on the insurance industry in their hour of need, so challenges like cyber threats need to be systematically addressed. 

In January of 2024, for example, data on more than 33 million people in France, approximately half the population, was compromised in a cyberattack on two leading IT providers serving numerous insurance companies. According to an annual DNB survey on information security, more than 15% of pension funds and insurance firms in the Netherlands suffered significant damage from cybercrime in 2021.

By harmonising the framework of governance, risk management, and security testing to ensure resilience and unrestricted growth, DORA is a significant step forward for insurers. Insurers that meet DORA’s standards of data efficiency and security prioritise trust, performance, and cost-effectiveness, and gain a competitive edge. By outsourcing to DORA-compliant, proven experts, insurers can reduce the high costs of navigating the regulatory landscape in-house.

Fast Track to Operational Excellence   

Leading software providers like Sapiens empower insurers with a proven, cloud-based platform that’s robust, secure, and scalable. Not only is this essential to supporting DORA regulations, but it’s critical for achieving operational efficiency of the highest calibre, reducing costs and risks, and securing a competitive advantage.  

DORA is driving a surge of IT outsourcing by insurers to trusted DORA-compliant partners like Sapiens that can offer a seal of approval that their data will be handled with the utmost care and diligence. DORA compliance isn’t just a set of rules, but rather a symbol of dedication to the highest standards in data management. 

In preparation for DORA, Sapiens established an internal task force last year to review DORA requirements, assess Sapiens’ services affected by DORA, and plan internal tasks to be completed by January 2025. Sapiens is available to answer any questions its customers may have regarding DORA. 

Contact us to learn how Sapiens can empower your organization to prepare for a new era of digital operational resilience.  
