Strengthening Cyber Resilience: ICT Third-Party Risk for Insurers under DORA
February 29, 2024
In the digital age, insurance companies are not only guardians of financial protection but also stewards of sensitive customer data. With the advent of the Digital Operational Resilience Act (DORA), the insurance sector faces heightened scrutiny concerning its cybersecurity posture and operational resilience. Central to DORA's objectives is the imperative for insurance companies to address and mitigate the risks associated with their Information and Communication Technology (ICT) third-party dependencies through robust contractual arrangements.Insurance companies, like many other businesses, increasingly rely on third-party ICT service providers for critical functions such as data management, claims processing, complaints handling and customer service. While outsourcing these services can enhance efficiency and innovation, it also introduces a complex web of risks, including data breaches, service disruptions, and regulatory non-compliance.Under DORA, insurance companies are mandated to adopt a proactive approach to managing third-party risks, with particular emphasis on contractual arrangements. These arrangements serve as the foundation for delineating responsibilities, setting expectations, and mitigating potential risks associated with ICT service providers.Key components of contractual arrangements for insurance companies under DORA include:
- Risk Assessment and Due Diligence: Insurance companies must conduct comprehensive risk assessments and due diligence exercises to evaluate the cybersecurity posture and operational resilience of their ICT service providers. This involves scrutinizing vendors' security protocols, compliance frameworks, and incident response capabilities to ensure alignment with regulatory requirements and industry best practices.
- Clear and Defined Responsibilities: Contracts should clearly delineate the responsibilities and obligations of both parties, including data protection measures, incident reporting procedures, and compliance requirements. Insurance companies must articulate their expectations regarding the security and confidentiality of customer data and ensure that ICT service providers adhere to agreed-upon standards.
- Service Level Agreements (SLAs): SLAs establish the performance expectations, service levels, and response times for ICT services. Insurance companies should negotiate SLAs that align with their operational needs and regulatory obligations, ensuring that service providers deliver consistent and reliable services while adhering to predefined standards.
- Cybersecurity Protocols and Standards: Contracts should incorporate robust cybersecurity protocols and standards to safeguard sensitive information and mitigate cyber threats. Insurance companies must stipulate requirements for encryption, access controls, vulnerability management, and regular security assessments to ensure the integrity and confidentiality of data handled by ICT service providers.
- Business Continuity and Disaster Recovery: Given the critical nature of ICT services, contracts should include provisions for business continuity planning and disaster recovery measures. Insurance companies must ascertain that their service providers have robust contingency plans in place to minimize disruptions and ensure the continuity of business operations in the event of a cyber incident or system outage.
- Regulatory Compliance: Contracts must address regulatory compliance obligations, including data protection laws, cybersecurity regulations, and reporting requirements. Insurance companies bear the ultimate responsibility for regulatory adherence but must ensure that their ICT service providers comply with relevant legal and regulatory frameworks to mitigate compliance risks.
In conclusion, the Digital Operational Resilience Act underscores the importance of robust contractual arrangements in managing third-party risks and enhancing cyber resilience within the insurance sector. By establishing clear expectations, responsibilities, and safeguards, insurance companies can mitigate the risks associated with ICT dependencies, safeguard customer data, and ensure the continuity of business operations in an increasingly digitized environment.Author: Beppe Sammut (Senior Associate, Ganado Advocates)