Financial institutions have four months to implement the European Digital Operational Resilience Act (DORA). What is important for insurers in this phase? Rudrani Djwalapersad, Partner and Cybersecurity Lead at EY: "See the glass half full, because the gap analysis also shows where you already meet. Don't forget to make that clear."
About Rudrani
Rudrani Djwalapersad studied Business Administration and did a master's degree in Financial Law. Even then, she wanted to become a consultant, but didn't think about cybersecurity at all. In recent years, she has learned that (digital) information is becoming increasingly important, and that cyber attacks can have a huge impact on business continuity. That is what drew her in as a consultant with an eye for strategy, processes and people. Now, together with her team, she is making companies more digitally resilient and calls herself a business expert who understands cyber.
The devil is in the detail
The deadline for the implementation of the DORA requirements, January 17, 2025, is in sight. The days of gap analyses are behind us, and financial institutions, including insurers, are in the middle of the implementation phase. But how are they doing? First of all, Djwalapersad emphasises that the DORA publications are based on existing laws, regulations and standards on cybersecurity, of which the DNB Good Practice is one. "But be careful, because the devil is in the detail. The DORA requirements and Regulatory Technical Standards (RTS) sometimes include additional input that leads to new requirements. Think of reporting on costs and losses related to major incidents. And the Register of Information, in which you have to register all ICT suppliers with data points that are not immediately available and therefore have to be requested."
Cooperate
It's not just the institutions themselves that are hard at work. Umbrella organisations are also working hard for their members. For example, the industry associations DUFAS, VV&A, the Pension Federation and the Dutch Association of Insurers have drawn up market standards that help with contracts with ICT suppliers. Djwalapersad: "I think that's positive. DORA is not something to compete on. Collaboration is key and that's why we encourage it. Talk to each other to test your approach and establish a baseline together."
Challenges of the implementation phase
Djwalapersad is optimistic, but knows that the implementation is comprehensive and not always easy. In January 2023, the DORA Level 1 text was published. This was followed by the underlying RTSs and requirements. That means institutions haven't had the full two years for implementation. "In practice, I see that companies constantly have to make the trade-off: get started right away, with the risk that you will have to make adjustments later? Or wait for the publication of the requirement or the RTS?"
She continues: "In addition, the principle-based requirements are a challenge. Unlike rule-based requirements, these leave more room for your own interpretation. For example, the DORA Incident Management pillar contains many prescriptive requirements, such as the classification of incidents on the basis of which something is or is not labelled critical. Or the 9 Business Continuity Management scenarios that you should test periodically. But the Governance pillar is more principle-based. It states, among other things, that you must have a risk tolerance, but not what that tolerance should be exactly."
Grey area: third-party risk management
Furthermore, the Third Party Risk Management pillar contains both rule-based and principle-based requirements. The Register of Information, for example, is rule-based, because it is a fixed template. In addition, 19 ICT suppliers are described. According to Djwalapersad, that is clear. But in practice, it turns out that there are ICT service providers who, depending on how you interpret the requirement, may or may not fall under the definition. For example, suppliers who supply ICT personnel. "That's a grey area. How do you deal with that? Especially now that the ecosystem is getting bigger and bigger due to the fintech and insurtech companies that financial institutions work with. This makes the ICT infrastructure more complex and more vulnerable."
Evolution of the third-party process
"You also have to make choices to properly design your third-party process, even though the lifecycle of an ICT supplier, from onboarding to the end of the contract, does not change. Now, and in the future, you need different departments: from purchasing to contract and supplier management. But under DORA, managing the chain does demand more from companies. For example, do you need to merge the departments to facilitate the process end-to-end? Where is the mandate to be more in control when it comes to cybersecurity? It requires a different way of monitoring your suppliers. I see it as a kind of evolution of the process. So not analysing once a year, issuing a SOC statement or requesting an ISO certificate, but real-time monitoring."
Implement in a risk-based and proportionate way
With several DORA requirements, Djwalapersad sees that institutions struggle with the risk-based and proportionate implementation of the law, which means that they have to make their own choices. Think of defining critical functions and identifying third parties. "I understand that, because history shows that other laws, such as Solvency II, are more rule-based. Institutions are now hesitant about whether it is good enough for the regulator. I remind them that it is not for nothing that DORA starts with an article on risk-based and proportional implementation. So if they use a definition for the grey area, or give their own interpretation to something, it is important to argue that choice well. And don't forget the board's signature. This approach shows that you have made well-considered choices."
Considerations for implementation
Finally, and in summary, Djwalapersad would like to give insurers a few tips for the implementation phase:
1. Non-gaps: Not all DORA requirements are new. See the glass half full instead of half empty. She comes across many companies that only focus on the gaps. But the gap analysis also shows where you already meet the requirements. Make this clear in your DORA file as well.
2. Gaps: The implementation of DORA may take longer than the deadline of January 17, 2025. She thinks that makes sense. Make sure you have a plan that shows what you still need to change in policies and processes to close the gaps. Make risk-based and proportionate choices based on the information currently provided by the law.
3. Must-haves: Focus on the must-haves for your company, such as the Register of Information. You really have to have one, because that will be one of the first things the regulator will request. Also, have a clear incident management process and update your policies to meet the DORA requirements.
4. Decision-making processes: Pillar 1 gives management and the board a more active role and more direct responsibilities. Involve them in the DORA project, for example by giving them a role in the steering committee. Also, make sure they attend awareness and training sessions. For example, on 10 October and 14 November, Nyenrode is organising a DORA webinar on important supervisory aspects, the latest state of affairs regarding the regulatory standards and the revised corporate governance code. It is intended for directors, members of the Executive Board, senior managers, supervisors and supervisory directors.
Would you like to know more about the implementation of DORA, and do you have specific questions for Rudrani? On October 17, she will give the masterclass "Well prepared for DORA" at the Verbond in The Hague. Go to the programme page for the programme and registration. There are still a few spots available.
(Text: Ellen Jonges. Image: Ivar Pel)