DORA in the Insurance Sector

Digital Operational Resilience in the Insurance Sector

Information and communication technology (ICT) keeps the financial sector operational. The increasing level of digitalisation and interconnectedness, however, also increases ICT risk, making the financial system more vulnerable to cyber threats and ICT disruptions. The Digital Operational Resilience Act (DORA) has created a harmonised legal framework for all financial undertakings. Its aim is to further develop the ICT capacities and digital operational resilience of financial undertakings so that they are able to withstand operational outages.

The main reporting and disclosure requirements for insurance undertakings are summarized in the following document:

DORA: Anzeigen/Meldungen (Format: pdf, Size: 407,6 KB, Language: German)

ICT interconnectedness: DORA Register of Information

As part of their ICT risk management framework, insurance undertakings shall maintain and update, at entity level as well as at sub-consolidated and consolidated levels, a register of information on all contractual arrangements for the use of ICT services provided by ICT third-party service providers.

For the submission of the register of information to the Austrian Financial Market Authority (FMA), see: DORA – ICT Risk Management

IT Interdependencies

Based on a visualisation of the interconnectedness of the IT service provider landscape in the insurance sector, potential concentration risks are identified and conclusions drawn for supervisory strategy and practice. See also the Bericht der FMA 2022 zur Lage der österreichischen Versicherungswirtschaft (Report on the State of the Austrian Insurance Industry), Chapter 2.10 (Verflechtungen: IT-Provider).

ICT-related incidents

  • An ‘ICT-related incident’ is a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity;
  • An ICT-related incident is classed as a ‘major ICT-related incident’ where it has a high adverse impact on the network and information systems that support critical or important functions of the financial entity;
  • A cyber threat is classed as a ‘significant cyber threat’ where its technical characteristics indicate that it could have the potential to result in a major ICT-related incident or a major operational or security payment-related incident;
  • A malicious ICT-related incident is classed as a ‘cyber-attack’ where it is caused by an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal or gain unauthorised access to, or make unauthorised use of, an asset.

See also the Bericht der FMA 2021 zur Lage der österreichischen Versicherungswirtschaft (Report on the State of the Austrian Insurance Industry), Chapter 2.13.2 (IKT-bezogene Vorfälle – Cybervorfälle).

Operational resilience testing

  • Cyber Exercise: The measures an individual undertaking has taken to ensure its cyber resilience are tested by running a realistic simulation of a cyber attack and evaluating potential improvements.
  • FMA Assessment on Mitigation Measures: The assessment’s objective is to evaluate the security measures that insurance undertakings have taken to manage a chosen cyber incident scenario.
  • FMA Cyber Maturity Level Assessment: Since 2019 the FMA has been using a tool developed in-house to measure and evaluate the cyber resilience of Austrian insurance undertakings. See, for example, FMA, FMA Facts & Figures 2021, on “Cyber Maturity Level Assessment”, or FMA, Digitalisation in the Austrian Financial Market 2021, Chapter 10 (FMA-Cyber Maturity Level Assessment).
  • FMA Cloud Maturity Level Assessment: The FMA developed this tool in 2019 to evaluate the precautions taken by insurance undertakings and pension companies (Pensionskassen) when using cloud services. See also FMA, Digitalisation in the Austrian Financial Market 2021, Chapter 11 (FMA-Cloud Maturity Level Assessment).

Threat-Led Penetration Testing

A high level of digital operational resilience requires that ICT systems, and staff members with ICT-related responsibilities, are tested regularly to assess the effectiveness of their prevention, detection, response and recovery capabilities and to identify and address potential ICT vulnerabilities. Such tests are required to cover a broad range of tools and measures, ranging from the assessment of basic requirements (e.g. vulnerability assessments and reviews, analyses of open source software, network security assessments, gap analyses, physical security analyses, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based testing, compatibility testing, performance testing, or end-to-end testing) through to extended testing in the form of Threat-Led Penetration Testing (TLPT). Such extended tests should only be prescribed for financial undertakings that are mature enough from an ICT perspective to conduct them in an appropriate manner. The specific methodology to be applied for such tests under DORA is based on the Threat Intelligence-Based Ethical Red Teaming (TIBER-EU) framework. The FMA is the competent authority in the insurance sector for conducting such extended tests (TLPT).