By Simon Thompson, VP Sales Northern Europe at JAGGAER
Although this is an EU regulation, in the international insurance and reinsurance market, it is clear that UK businesses will not be able to ignore the regulation which will apply to any UK financial firm that works with EU customers or does business with EU financial firms. But are actuaries in Britain prepared to meet these new requirements and, therefore, effectively manage the hidden risks in their own IT supply chains?
Cyberthreats proliferate
Many actuaries are well aware of cybersecurity threats and are actively building models to measure liability and price insurance for various types of businesses, but they themselves may just as likely be targets, as the Horizon Actuarial data breach in 2022 aptly revealed. In the UK, the recent Synnovis and Ministry of Defence attacks have brought cybersecurity preparedness under new scrutiny, while recent Verizon data shows that 15% of breaches involved a third party or supplier, such as software supply chains, hosting partner infrastructures or data custodians, confirming the importance of regulating these partnerships.
Add to this that the European Union Agency for Cybersecurity (ENISA) warned that the number of attacks against infrastructure doubled from the fourth quarter of 2023 to the first quarter of 2024, likely for geopolitical reasons. Among many other undesirable effects, the leakage of millions of customers' data enables cybercriminals to carry out further attacks, such as phishing and scams in which the stolen personal data is used to deceive users, creating a damaging ripple effect.
The Digital Operational Resilience Act
With cybercrime topping the list of threats to global insurance, in 2023 a new law entered into force establishing the legal requirements for financial sector entities: the Digital Operational Resilience Act (DORA). This law will become mandatory in 2025 and sets the standards that financial entities and their third-party technology service providers must implement in their systems to prevent cybercrime. On 17th January 2025, DORA will become a binding and comprehensive framework for managing information and communication technology (ICT) risks in the EU financial sector. It also applies to essential third-party service providers, such as cloud platforms or data analysis services that supply the sector.
The ESAs (European Supervisory Authorities) have developed technical standards to protect businesses and their customers from cybercrime. These involve vetting and control of “critical” IT service providers. Entities found to be in violation of the Act's requirements may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000. The fine will depend on the severity of the violation and the financial entity's cooperation with authorities. For third-party providers, the fines for non-compliance with the Act's requirements could reach EUR 5,000,000 or, in the case of an individual, a maximum fine of EUR 500,000.
To avoid the disastrous impact of cybercrime and potential fines, actuaries should begin a thorough review of contracts that were not previously analysed under the European Banking Authority's guidelines, assessing clauses and potentially renegotiating to incorporate new clauses.
For most businesses, DORA will not have a major impact since they already use security protocols to improve risk management. However, they will need to conduct new resilience tests, increase the number of evaluations they perform, refine methodologies, and incorporate best practices for system control and monitoring. All of this raises a question: are companies and their teams truly prepared to audit and certify their suppliers?
Digitalisation and transparency
Multiple parties are usually involved in the procurement operations of financial and insurance sector players such as actuaries. This makes auditing and control a complex task that requires continuous risk assessment across multiple operations, an impossible feat if carried out manually.
Faced with these inefficient and time-consuming tasks, businesses are seeing the potential of automation to manage large volumes of data quickly and efficiently, leaving only outliers to be handled through human intervention. Actuaries, too, are therefore engaging with external partners specialised in supply chain management and certification, through advanced platforms that measure and rate suppliers globally with a comprehensive and constantly updated risk map. Ensuring that suppliers are keeping their certifications and standards up to date is an ongoing process that can be simplified vastly through automation that verifies the status of each supplier and sends reminders when new information is required. Additionally, AI and automation can help analyse, improve and request changes to contracts that are no longer deemed compliant with new regulations.
Procurement directors are increasingly turning to digital technologies for support in managing the supply chain, and although managing risk is the bread and butter of actuaries, vetting and controlling the IT supply chain can prove a struggle.
As the deadline draws closer, actuaries that digitalise to face DORA will not only be compliant and reduce the risk derived from inaccurate or inconsistent vetting of cybersecurity suppliers, but will gain significant operational advantages in terms of time saved on complex manual tasks.