INNOVATION | 06.04.2024
Here’s what the mandatory DORA regulation for insurance companies and fund managers entails
The risks posed by ICT are a constant concern for all players in the finance sector. That's why the European Union has developed the DORA regulation, which aims to improve the operational resilience and cybersecurity of companies. MAPFRE is already proactively working to adopt the requirements of this regulation, ensuring protection and response to any ICT-related threat.
Cyberattacks are becoming more and more sophisticated. According to a report by Cybersecurity Ventures, in 2023 an attack occurred every 39 seconds, or more than 2,200 per day. The European Union estimates the global annual cost of cybercrime to be over 5 trillion euros.
In light of this situation, the EU adopted the Digital Operational Resilience Act (Regulation (EU) 2022/2554), a regulatory framework that requires financial entities to strengthen their operational resilience and cybersecurity. The three European Supervisory Authorities, the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA), are responsible for developing the technical standards that flesh out its requirements. The aim is to improve protection against risks arising from the cyber environment and from ICT more broadly.
This regulatory framework, known as the Digital Operational Resilience Act or DORA Regulation, entered into force on January 16, 2023. Financial entities were given two years to comply: the regulation applies from January 17, 2025, and from that date it is binding on all in-scope entities across the European financial sector.
“The finance sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyberattacks or incidents,” the EIOPA states. “When not managed properly, ICT risks can lead to disruptions of financial services. This, in turn, can have an impact on other companies, sectors, and even on the rest of the economy, which underlines the importance of the digital operational resilience of the finance sector. This is where the DORA regulation comes into play,” they add.
Objectives and scope of the DORA regulation
The text establishes criteria for identifying, classifying, managing, and reporting ICT risks and ICT-related incidents. It also requires regular testing of ICT systems and sets out requirements for managing and monitoring ICT-related risks across the finance sector. The goal is to strengthen information security and to close the gaps and inconsistencies that previously arose from differing national and sectoral rules on ICT risk.
The scope of the regulation covers financial entities across the European financial sector, including insurance and reinsurance undertakings, insurance intermediaries, alternative investment fund managers (AIFMs), and UCITS management companies.
The regulation also reaches beyond the financial entities themselves: the ICT third-party service providers that supply technology services to those entities are brought within the framework, and providers designated as critical are subject to direct oversight by the European Supervisory Authorities.
"The requirements of the regulation are very specific and demanding, which, overall, will force the insurance industry to accelerate its pace of improvement in this area. This will bring them to a level similar to that of banking, which has traditionally been more mature in this area, as they were the first targets of cybercriminals," explains Jacinto Muñoz Muñoz, Manager of Operational Resilience and Crisis Management at MAPFRE. "In terms of opportunities, the DORA regulation should help the insurance industry to improve its cybersecurity and digital operational resilience maturity, giving it better protection against cyber risk,” he adds.
In the specific case of Spain, the Spanish Association of Insurance and Reinsurance Brokers (ADECOSE) has pointed out that the regulation itself excludes insurance intermediaries that qualify as small and medium-sized enterprises (SMEs), i.e. those with fewer than 250 employees, from its scope, in recognition of their specific characteristics and needs within the sector.
Key requirements
The DORA regulation sets out specific requirements in four main areas:
1. ICT risk management and governance. Financial entities must maintain a comprehensive, documented ICT risk management framework that identifies and classifies critical assets and dependencies, and they must conduct periodic risk assessments. Responsibility for the framework sits with the entity's management body, which must approve and oversee it rather than delegate it entirely to the IT or security function.
2. Incident reporting. Processes need to be in place for “monitoring, managing, logging, classifying, and reporting” ICT-related incidents. Incidents classified as major must be reported to the competent authority, through an initial notification followed by intermediate and final reports, which in practice requires that classification criteria and reporting workflows are defined before an incident occurs.
3. Operational resilience testing and threat sharing. ICT systems must be tested regularly to evaluate their performance, identify vulnerabilities, and remediate them in a timely manner. Entities identified as significant must additionally undergo threat-led penetration testing (TLPT) at least every three years. In addition, financial entities may establish arrangements to share information and intelligence about cyber threats and vulnerabilities with one another.
4. Third-party risk management. Companies in the sector are required to take “an active role in managing ICT third-party risk.” In practice this means maintaining a register of information covering all contractual arrangements with ICT third-party providers, and ensuring that those contracts contain the provisions the regulation prescribes, such as service levels, data location, audit and access rights, and exit strategies. ICT third-party providers designated as critical are themselves subject to an oversight framework run by the European Supervisory Authorities.
Six months to achieve compliance
For financial institutions, the regulation serves as a guide and framework for preventing technology-related risks, allowing the sector to continue its growth trajectory while minimizing the risk to its assets and those of its customers.
At MAPFRE, we’re aware of cyber risks and have been working continuously and systematically to improve our security posture for years.
“To adapt to this framework, we have analyzed and provided feedback on the various drafts that have been published. After the final approval, we conducted an initial compliance analysis of the regulation and defined an action plan to address the gaps identified. Not only are we currently implementing this plan, but we’re also modifying it to add new requirements arising from the secondary regulations associated with DORA,” says Jacinto Muñoz Muñoz.
From a strategic or operational standpoint, the DORA regulation won’t imply a substantial change in the way MAPFRE approaches cybersecurity. In the words of MAPFRE’s Manager of Operational Resilience and Crisis Management, it “will require additional formalization of certain tasks we already perform, such as registering and monitoring of ICT service providers.”
There are still six months left to comply with the new regulation. But this isn’t the only challenge insurance companies are facing, as they also have other tasks ahead, such as reviewing the Solvency II regulations or the newly proposed Insurance Recovery and Resolution Directive (IRRD).