Cybersecurity for the financial sector: what you need to know about DORA

The Digital Operational Resilience Act (DORA) enhances the digital resilience of the financial and insurance sectors. Its primary aim is to safeguard IT systems against disruptions and cyberattacks while ensuring the reliable protection of sensitive data.


The insurance industry processes vast amounts of sensitive data daily, including personal, financial, and health information. Protecting this data is crucial for maintaining customer trust, complying with legal requirements, and ensuring business continuity. With the growing threat of cyberattacks, digital security is becoming even more important in the financial sector. To address this, the EU introduced the Digital Operational Resilience Act (DORA) to strengthen the digital resilience of the financial and insurance industries.

What is DORA?

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is an EU regulation that requires financial and insurance companies to stay operational during IT disruptions and cyberattacks while protecting data from unauthorised access. It centres on an ICT risk management framework that covers internal risks as well as external ones, in particular those introduced by third-party ICT service providers. DORA is part of the EU's digital finance package, a broader set of rules intended to secure the digital infrastructure of the financial sector.

Implementation timeline

DORA was adopted in December 2022, entered into force in January 2023 and, after a two-year transition period, applies from 17 January 2025. By then, insurance companies must have adapted their structures, processes, and technologies to meet its digital resilience requirements.


Who does DORA apply to?

DORA targets a wide range of participants in the financial sector, including:

  • Insurance and reinsurance companies: These organisations process large amounts of sensitive data and are therefore a primary focus.

  • Banks and credit institutions: Like insurance companies, they must build robust systems for IT risk management.

  • Investment and fund managers: As custodians of significant assets, they are also prime targets for cyberattacks.

  • Payment and crypto service providers: These entities must ensure secure operations and data integrity, even in crisis situations.

  • Third-party IT service providers: ICT providers designated as critical, such as major cloud services, are placed under direct supervisory oversight, and contracts between financial entities and any ICT provider must contain the clauses DORA prescribes.

For insurance companies, DORA applies not only to their own IT systems but also to how they contract with and monitor their IT service providers. Insurance intermediaries (brokers and agencies) that handle sensitive data are also in scope, except those that qualify as micro, small or medium-sized enterprises, which DORA exempts.

Requirements for insurance companies

DORA sets out comprehensive requirements for insurance companies, including:

  • IT risk management: Establishing and maintaining an ICT risk management framework that identifies, monitors and addresses internal and external risks.

  • IT security measures: Implementing threat detection, vulnerability management, business continuity and recovery plans, and regular digital operational resilience testing.

  • Third-party monitoring: Keeping a register of ICT providers, contracting with them on DORA-compliant terms and monitoring their compliance.

  • Reporting: Classifying ICT-related incidents and reporting major ones to the competent supervisory authority within the prescribed deadlines, with an initial notification followed by intermediate and final reports.

For communication and data exchange, this includes:

  • Encryption: Protecting all data transmissions from unauthorised access.

  • Authentication: Restricting access to authorised personnel only through multi-factor authentication (MFA).

  • Traceability: Logging all data access and transfers for audit purposes.

  • Secure transmission protocols: Using secure technologies for data exchange.

How can FTAPI help?

FTAPI offers specialised solutions for insurance companies to meet DORA requirements:

  • Secure data transfer: End-to-end encryption and GDPR-compliant platforms for exchanging sensitive data.

  • Authentication and access controls: Preventing data misuse through effective permissions management.

  • Integration: Seamless integration into existing IT infrastructures, including third-party systems.

  • Audit-ready logging: Detailed tracking of all data movements to support audits.


Conclusion

DORA provides the insurance industry with an opportunity to strengthen IT security and digital resilience sustainably. This is not just a regulatory obligation but also a strategic advantage. By implementing DORA, insurance companies can build trust with customers and partners while positioning themselves as responsible market participants. Working with specialised providers like FTAPI can help companies meet these requirements efficiently and maintain competitiveness.

Compliance with DORA regulations enhances the digital resilience of the insurance industry and lays the foundation for a secure and successful future.
