
SUPPORTING DIGITALISATION

OPINION: CYBERSECURITY

Strengthening the industry’s cyber resilience

Insights into the implementation of the Digital Operational Resilience Act

Florence Lustman

President, France Assureurs

The increasing digitalisation of the economy has sparked concern among policymakers, businesses, citizens and entire sectors, because it also increases exposure to cyber risk. With the adoption of the 2016 Network and Information Systems (NIS1) Directive, the EU introduced its first EU-wide cybersecurity and incident-reporting requirements for operators of essential services and digital service providers. NIS1 has therefore played a crucial role in raising cybersecurity and resilience in the EU. However, it created an uneven playing field in the insurance sector: some countries (France, for instance) included insurance companies when transposing the directive, while others did not.

In September 2020 the European Commission put forward a proposal for a Digital Operational Resilience Act (DORA), setting a framework for cyber resilience in the financial sector; its proposal to revise the NIS Directive (NIS2) followed at the end of the same year.

DORA was adopted in December 2022 and welcomed by insurers because it harmonises practices among all European insurers and leads the sector towards a common, high level of cybersecurity, based on a framework designed specifically for the financial sector. In practice, DORA acts as the sector-specific act for financial entities: insurers fall under DORA rather than NIS2, even in the few countries, including France, that had used the option to require a certain number of insurers to comply with NIS1. DORA is therefore a positive development for the industry.

Development of level 2 measures

The legislative process is not yet finished, however, as the European Supervisory Authorities (ESAs) are still finalising the "level 2 measures", which consist of a number of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that specify how the level 1 requirements are to be applied.

Within this framework, and given the current context of elevated cyber-attack risk, the insurance sector has since 2023 devoted considerable resources and energy to DORA compliance, performing gap analyses and defining roadmaps. Most insurers were able to build partly on existing practices, since the proposed level 2 measures take into account existing European and international standards, which was a strong request from the market. However, full compliance by 17 January 2025, when DORA applies, will still represent a major challenge, both in the technical and IT-related aspects of the requirements and in the contractual and risk-management aspects.

The insurance industry keenly contributed to the work of the European Supervisory Authorities in developing the level 2 measures and appreciates the quality of the work that was done by the authorities and the major effort they made to establish a dialogue with the industry and explain the reasoning behind the texts during very informative public events. This dialogue also took place at national level, where many insurance federations and companies had the opportunity to discuss the draft RTS and ITS with their national supervisory authorities. All these exchanges were fruitful and supported the industry in its efforts to comply with this new comprehensive and robust framework.

The level 2 measures published so far, released in two separate "batches", cover several key points for companies. The first batch focused on ICT risk-management tools, methods, processes and policies; the classification of major incidents; the register of information on contractual arrangements with ICT third-party providers; and the policy on the use of ICT services supporting critical or important functions. The second batch focused on the conditions for subcontracting ICT services supporting critical or important functions; the timeframes and content of major-incident notifications; and the DORA threat-led penetration testing (TLPT) framework, which builds on the existing European TIBER-EU framework.

Considering the impact of the proposed measures, the industry strongly encouraged the ESAs to build more proportionality into the level 2 measures and to take a more risk-based approach, so that entities of all sizes in all markets are able to comply with the regulation. Other key points raised were the need to avoid excessive complexity and the need to respect the mandate given in the DORA level 1 text.

“Striking a balance between compliance and operational agility is key in cybersecurity management. From an industry perspective, it is key to foster resilience, while avoiding burdensome constraints during a critical incident.”

Key challenges for the industry

On major incident reporting, the industry stressed that a balance has to be found between effective notification of the authorities and allowing the entity to devote sufficient resources to resolving the incident. It is important not to place a disproportionate administrative burden on entities during a crisis, as this may impair their capacity to contain the incident. The industry therefore called for a simpler set of criteria for classifying an incident as major, as well as manageable time limits, adapted to each financial sector where appropriate. While the ESAs have taken on board the recommendation to simplify the system, the proposed reporting process will still require gathering, analysing and submitting a significant amount of data to the authorities within a very short timeframe.

Several level 2 measures will have a direct impact on the contractual relationship between insurers and their ICT third-party service providers, and on the subcontracting chain behind them. The measures initially envisaged by the ESAs were very ambitious, and here the industry recommended a more proportionate approach. Whatever the precise wording of the final text, a period of complicated negotiations with third-party service providers lies ahead for financial entities. The industry is keen to ensure these negotiations are fruitful and hopes that the newly established "Oversight Forum", which brings together the ESAs' chairpersons and a high-level representative of the competent authority of each Member State, as well as any standard contractual clauses prepared by the ESAs, will support those efforts.

Finally, a framework for threat-led penetration testing was defined as part of the proposed level 2 measures. The approach taken, in line with the level 1 text and very close to the TIBER-EU framework, came as no surprise and is generally welcome. Two issues are nonetheless of particular concern. First, given the cost and the operational risk attached to a TLPT, which is run against live production systems, the scope must be strictly limited to entities with a sufficient level of maturity and a systemic character. Second, the proposed criteria for internal and external testers seem very restrictive in a market where qualified testers are in short supply. This could cause practical problems if entities are not properly targeted, or are unable to prepare or to find the necessary resources.

In conclusion, insurance companies are highly conscious of the risks that cyber threats pose to the financial sector and to society in general, and they are fully committed to meeting the challenge by improving their own cyber resilience. DORA is a step in the right direction, and the sector will continue its engagement to make DORA a success and maintain its significant efforts to be ready when DORA applies from 17 January 2025.