Preparing for DORA: What do these new regulations mean for finance and insurance firms?
When it comes to insurance and financial services, the ability to offer clients peace of mind is the key to ensuring the sector's continued longevity. Cyberattacks are evolving in frequency and sophistication, with criminals selecting progressively more ambitious targets, and even minor IT outages, whether they're caused by human error or 'acts of God', will have a serious effect on firms' operations, negatively affecting both profitability and brand reputation. With this in mind, firms must reconsider the way they approach operational resilience, particularly regarding the way access rights for critical systems and data are managed.
While finance and insurance firms will already have robust data protection measures, the sector's ongoing digital transformation journey means that best practice must evolve, not only to ensure the continued integrity of clients' sensitive data, but to support the interconnected workflows that firms increasingly depend on.
This is a complex, constantly evolving subject, but fortunately, the impending DORA regulation is anticipated to offer an effective roadmap to higher operational resilience for the finance sector, and a new model for effectively managing digital identities.
With this new regulation coming into full force on January 17th 2025, it is essential that any organisations that deliver insurance or financial services of any sort are aware of how DORA will impact their operations and take action, putting measures in place to ensure the highest level of operational resilience is maintained. With this in mind, let's take a closer look at DORA's five pillars…
What is DORA?
Introduced on 16th January 2023, the Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a new EU financial regulation that expands the risk categories that apply to firms offering financial and insurance services to encompass a new standard of operational resilience, with a particular focus on ICT risk. The Act is made up of the following five pillars, which consolidate and update a number of existing regulations:
- ICT Risk Management. All ICT systems, processes, and assets must be subject to regular review, with continuous monitoring in place. This must be supported by an effective backup policy and business continuity plan, also subject to regular testing and review.
- ICT-related Incident Management, Classification & Reporting: Clear standards and best practice regarding the reporting and management of any ICT security incidents, in order to enable a more robust, proactive approach to cyber security and business continuity.
- Digital Operational Resilience Testing: Implementing ongoing evaluations of the organisation's operational resilience, including threat-led penetration testing and comprehensive audits of all systems and procedures.
- ICT Third Party Risk Management: A new, highly rigorous approach to managing access rights, suitable for modern interconnected workflows, accommodating the wide range of suppliers and partners organisations engage with.
- Information Sharing Arrangements: Establishing best practice around the sharing of information between organisations offering insurance and financial services, in order to ensure operational resilience can co-exist with seamless, secure flows of data.
As of the 17th January 2024, the final draft of DORA's technical specifications is under review by the European Commission, after which it will come into effect twenty days after its publication in the Official Journal of the European Union. Although this is an EU regulation, it is important to note that it is likely to impact any UK businesses that handle financial data as part of their day-to-day operations.
Be prepared!
The measures your organisation must take to achieve compliance with DORA will largely depend on both the point you have reached in your unique digital journey, and the final form the new regulation takes before the formal launch date in 2025. With numerous factors to consider across the five pillars, a proactive approach, supported by a trusted technology partner, is essential to not only achieving compliance, but ensuring the new best practice is embedded across all levels of your organisation. DORA's requirements must be reflected in all network contracts and SLAs, and all solutions must be engineered with full compliance and the highest level of resilience inherent in the design.
Don't leave any of this to chance! Get in touch with our team today, and we will work with you to turn these new compliance challenges into opportunities to boost resilience, enable seamless flows of data, and – ultimately – strengthen client confidence.
Stay Informed
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.
