Solving DORA Operational Resilience challenges for the Insurance Sector.
Cristie Data work with many financial sector organizations to deliver data and cyber security solutions which address the operational resilience challenges of the Digital Operational Resilience Act (DORA). Although major financial institutions have received the most rigorous attention, other financial entities such as insurance companies fall within the scope of DORA directives. Efficient system recovery and cyber resilience are fundamental to achieving operational resilience for critical insurance services. In the following sections we will cover some key challenges that our professional services teams have solved for financial institutions and how they transpose to companies operating in the insurance sector.
What are the impacts of DORA on the Insurance Sector?
In addition to major financial institutions, DORA also covers insurers, intermediaries, and critical data service providers, recognizing their important roles in protecting the financial interests of consumers and businesses. Under DORA, insurers and intermediaries must assess their potential risk exposures and understand how disruptive incidents could impact their operational capabilities. DORA will have several impacts on the insurance sector. Firstly, it will require insurance companies to assess and manage risks in their digital infrastructure systematically and comprehensively. This means gaining a full understanding of ICT risks and how they relate to system architecture. By doing so, entities can develop tailored risk management and system recovery strategies based on their specific service risk profiles. Additionally, DORA will necessitate clear plans to manage disruptions and outages in digital infrastructure. This includes establishing incident management protocols and guidelines with strategies to restore systems within acceptable timeframes after any disruption. Effective communication plans, both internally and externally, for informing customers and stakeholders, are also crucial to service recovery planning.
Digitalization and operational resilience in the insurance sector, two potentially opposing forces.
The insurance industry is currently going through a significant transformation as it embraces digitalization. This shift aims to take advantage of the benefits of optimization, speed, and improved service quality. At the same time, insurance companies are digitizing their customer interfaces to meet customer expectations and demands. This transformation is also accompanied by the entry of InsurTech companies, which challenge traditional business models with their advanced technology. While digitalization brings clear advantages, it also exposes insurance firms to potential cyber-attacks. To prevent service disruptions and maintain customer trust, it is crucial for insurance companies to establish strong operational and cyber resilience. Additionally, these companies need to develop a stringent security and system recovery testing framework to protect information security. This framework should assess the security implications of new and existing products and services.
What are some of the common system recovery challenges for insurance firms?
Insurance systems involve complex interdependent server and storage configurations that are built with redundancy to provide the utmost resilience. Typically, a service infrastructure will consist of a combination of physical and virtual machines. The deployment, maintenance, and protection of these systems present specific challenges due to scale. For many insurance firms, a single service may be supported by hundreds or even thousands of server instances across multiple geographies. The recovery of physical machines often presents additional challenges over virtual counterparts due to the need for manual intervention in the recovery process. There are also many interdependencies between systems which require a tiered recovery process to ensure that systems are restored in the correct sequence. For instance, Active Directory (AD) is typically the primary service required, as it contains critical information regarding the environment, including users, servers, and associated permissions and privileges.
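As an added illustration (not Cristie's software and not code from the original article), the following Python derives a tiered recovery sequence from a dependency map: each tier contains only systems whose dependencies sit in earlier tiers, so Active Directory and storage come first, physical hosts are flagged for manual intervention, and a circular dependency is rejected rather than silently producing an unrecoverable plan. The system names and dependencies are constructed sample data.

```python
# Constructed sample dependency map: system -> systems it must have available
# before it can be restored. Names are illustrative only.
DEPENDENCIES = {
    "active-directory": [],
    "san-storage": [],
    "dns": ["active-directory"],
    "sql-cluster": ["active-directory", "san-storage"],
    "policy-admin-app": ["sql-cluster", "active-directory"],
    "claims-portal": ["policy-admin-app", "dns"],
}

# Constructed: hosts that are physical and need hands-on recovery steps.
PHYSICAL = {"active-directory", "san-storage"}


def recovery_tiers(deps):
    """Group systems into recovery tiers (a layered topological sort).

    Tier N only depends on systems in tiers < N. Raises ValueError when
    the map contains a cycle, because no valid restore order exists then.
    """
    remaining = {s: set(d) for s, d in deps.items()}
    for d in deps.values():                      # referenced but undeclared
        for dep in d:                            # systems have no prerequisites
            remaining.setdefault(dep, set())
    tiers = []
    while remaining:
        ready = sorted(s for s, d in remaining.items() if not d)
        if not ready:
            raise ValueError(f"circular dependency among: {sorted(remaining)}")
        tiers.append(ready)
        for s in ready:
            del remaining[s]
        for d in remaining.values():             # satisfied prerequisites drop out
            d.difference_update(ready)
    return tiers


def has_cycle(deps):
    """True when the dependency map cannot be ordered for recovery."""
    try:
        recovery_tiers(deps)
        return False
    except ValueError:
        return True


def recovery_runbook(deps, physical):
    """Flatten tiers into ordered steps, marking physical hosts as manual."""
    return [(tier, system, "manual" if system in physical else "automated")
            for tier, systems in enumerate(recovery_tiers(deps))
            for system in systems]
```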
How can Cristie Data help insurance companies with system recovery and cyber resilience?
Scenario planning, regular stress testing, and system recovery exercises are mandated under DORA. These simulations help insurers and intermediaries gauge their resilience to various operational disruptions and therefore fine-tune their response strategies accordingly. Cristie Data can provide system recovery solutions designed for automated large scale system recovery orchestration for both physical and virtual machines, with the ability to undertake detailed system recovery simulations to assist with DORA compliance. Our partnerships with leading cyber and data security technology vendors enable us to help insurance companies mitigate cyber risks before, during and after incidents. Cristie’s system recovery software can create fully functional copies of production systems within an isolated sandbox environment in minutes without the need for additional infrastructure. These sandboxes are easily accessible for multi-disciplinary teams to optimize workflows, validate change management procedures, and collect evidence of cybersecurity capabilities or weaknesses.
What are the goals of DORA for the insurance sector and where can you find the most recent information?
The European Commission has proposed the Digital Operational Resilience Act (DORA) to enhance the operational resilience of the financial sector in the European Union. DORA aims to establish standardized regulations for managing Information and Communication Technology (ICT) within the industry. This includes governance, risk management, incident reporting, security testing, and oversight of third-party risk management. The main goal of DORA is to ensure operational resilience by effectively addressing cyber-attacks and managing risks associated with third-party entities. DORA was adopted in December 2022 and is scheduled to enter into force on January 17, 2025. The three European Supervisory Authorities (EBA, EIOPA and ESMA – the ESAs) published the first set of final draft technical standards under DORA on 17 January 2024.
Insurance companies need to be READY soon.
By January 2025, DORA requires firms within its scope to fully adhere to the new regulations. Consequently, the initial step is to obtain a comprehensive understanding of the provisions outlined in DORA and how they are applicable to your organization. Insurers and intermediaries need to conduct a thorough assessment of their impact tolerance to assess the potential consequences of operational disruptions. This process involves analyzing critical services, recovery capabilities, and the resources needed to minimize any adverse impacts. Organizations should then develop robust plans for incident response and crisis management, incorporating insights gained from scenario planning exercises. Regular testing and updates of these plans will ensure that procedures remain effective and up to date.
Summary
System recovery at scale presents several challenges for insurance firms with physical systems often lacking the automation features that are taken for granted within virtual environments. Cristie recovery solutions can help overcome these limitations while providing complete flexibility to restore to and from any platform environment. Contact our team to learn more about simplifying key aspects of infrastructure recovery and cyber resilience to meet the requirements of DORA operational resilience legislation.