How a global insurer strengthened their operational resilience for the DORA deadline – and beyond
- Compliance, Risk & Resilience

Meeting the complex demands of the DORA Regulation
Given the ever-increasing risk of cyber-attacks, the EU has been strengthening the IT security of financial entities such as banks, insurance companies and investment firms through the introduction of the Digital Operational Resilience Act (DORA).
The regulation aims to increase the resilience of financial services organizations so that they can withstand, respond to and recover from ICT disruptions. In preparation for the January 2025 DORA compliance deadline, our client, the P&C and specialty risk division of a global insurance company, faced a multitude of challenges.
The Cyber Security and Legal & Regulatory team leading the Remediation Program needed to navigate the complex and rapidly evolving DORA regulatory landscape, drive substantial remediation activities and facilitate cross-functional collaboration across multiple domains.
Further challenges included managing third-party risk, monitoring contractual remediation activities, developing effective incident response plans, ensuring data privacy and security, testing digital operational resilience and establishing robust business continuity plans.
Recognizing the increasing complexity of DORA compliance, and the potential risks associated with non-compliance, our client realized they did not have the expertise to manage a program of this scale, or sufficient knowledge of the regulatory landscape to support the BAU teams in becoming DORA compliant.
Although DORA was a new regulation, deep knowledge of operational resilience and regulatory compliance was required so that a risk-based approach could be taken: one that aligned with the regulatory requirements while respecting existing resource and budgetary constraints.
A cross-functional, integrated approach to compliance
The DORA regulation introduces stringent requirements for identifying, assessing, managing and mitigating ICT-related operational risks.
To cover these areas, the client, with support from Wavestone, planned a 24-month Remediation program. It kicked off with an initial gap assessment to establish the current level of maturity, followed by the development of a remediation roadmap to uplift operations in line with the requirements.
The key stages were:
Analyzing compliance with DORA regulatory requirements against the current operational resilience state, and identifying the gaps and the objectives to be achieved.
Defining and managing a complex, multi–business unit DORA program comprising 25+ projects, including the enhancement of the first and second lines of defense through operational controls and an uplift of the security assurance framework.
Providing targeted support to meet key technical requirements, particularly Threat-led Penetration Testing, Third Party Risk Management and IT Asset Management.
Implementing new processes and embedding process enhancements into BAU, with robust executive monitoring and cross-functional reporting interfaces.
Critical to the success of the program was leveraging SME knowledge and integrating expertise from a combined team drawn from the Cybersecurity and Technology Advisory domains. This ensured the gaps to DORA readiness were effectively addressed.
Cross-functional collaboration was also key; this was delivered by facilitating dedicated working group meetings and risk enhancement meetings to resolve bottlenecks encountered during the remediation phase.
Lastly, strong relationships with the Legal and Compliance teams enabled seamless collaboration in reviewing and addressing compliance gaps.
Key challenges during the project
As DORA is a new regulation, a key element of the program was the initial interpretation of the regulatory text. This required discussions with internal stakeholders to align on the organization’s position and to document key assumptions regarding the interpretation of the text.
Due to the nature of the regulation, the program involved managing numerous dependencies – on internal, cross-functional teams and on the overarching Governing Entity – since operational resilience and compliance affected every business function (from IT, Security, Operational Resilience, Legal and Procurement through to all business units). The third-party focus also created growing dependencies on the external sub-contractor chain and highlighted the need for more stringent contractual clauses.
Understanding how alignment with the DORA regulation impacted operational processes – focusing not only on documentation and theoretical aspects, but also on practical operational implications – was essential. Additionally, the Management Committee/Executive Governance structure was expanded to provide ongoing Business-as-Usual (BAU) oversight across the in-scope legal entities.
A key principle of the program was to ensure a pragmatic, risk-based approach to demonstrate a defensible Day 1 position to regulators, while also establishing an actionable Day 2 plan for sustainability and maturity enhancement. The challenge was to strike the right balance between regulatory alignment and internal objectives, ensuring that outcomes remained both aligned and achievable.
Delivering a resilience framework for the future
The client saw the strengthening of their resilience posture as a key priority, investing significantly over 2 years to ensure readiness for DORA. The program achieved the desired results: all the gaps identified against the regulatory requirements were addressed, with tactical solutions in place wherever strategic remediation was still in progress.
Furthermore, the DORA Remediation program contributed to cross-functional collaboration, leading to increased organizational resilience across the business.
Additionally, as a result of the program, proactive measures were implemented to ensure continuous monitoring of BAU activities and timely resolution of emerging risks related to DORA compliance (e.g. DORA Executive Dashboard).
Finally, the program established a robust framework for future scalability, enabling the organization to adapt seamlessly to evolving regulatory and operational challenges.
Preparing for future compliance issues
As the CBI acknowledged recently, DORA remediation activities are not expected to achieve perfection in all aspects by January 2025; this work could span multiple years, and the enhancements can be achieved in the years to come.
With this in mind, the client will continue optimizing cross-functional operations to implement the planned remediation activities for 2025-26, thereby enhancing overall organizational maturity. This will not only address the DORA regulatory requirements but also prepare the organization for any future compliance requirements that may arise.