The shift to digital is set to give insurance services a significant boost, providing customers with more personalised insurance choices and lowering the risk of fraud in the process. While the pace of digital adoption among insurers has lagged other industries due to typically fragmented legacy systems, it has the potential to accelerate from here on, driven by opportunities from new technologies and the ensuing regulatory response.
In this article, we will look at some of the key trends in digitalisation that are influencing the insurance industry, the impact of the Digital Operational Resilience Act (DORA) regulation and how companies can capitalise on this opportunity to create value.
Riding the Digital Wave in Insurance...
Technologies like artificial intelligence (AI) are streamlining operations, improving risk assessments and enabling responsive product development. The integration of AI, including generative AI, is transforming risk modelling, claims handling, and customer service, presenting both opportunities and challenges in terms of data governance and ethical use. Along with AI, advancements in data analytics are enabling insurers to offer more personalised insurance products, driving customer-centric decisions and adding value to the sector.
Across Europe, digitalisation is presenting opportunities for insurers to tap into new revenue streams and offer their customers more tailored experiences and access to information. Open banking, by which customers can gain access to a range of banking data securely from regulated third-party providers, and open finance, which extends this principle more broadly into financial data beyond banking, are transforming the financial ecosystem. Looking specifically at insurance, here are some examples of the benefits of open banking and open finance:
- Some insurers in Switzerland, Italy and Germany have worked with open banking platforms in a number of ways, allowing them to access customer financial data (with consent) for better risk assessments, speed up and streamline claims processes and empower customers to manage their finance and insurance needs seamlessly.
- An insurer in Luxembourg is offering open finance solutions that facilitate data exchanges between life insurance companies and custodian banks, helping integrate investment and insurance data flows.
- Additionally, the open insurance model empowers customers to make informed decisions by enabling access to their insurance data. Insurance tech providers in France and Sweden are offering suites of APIs that have capabilities such as connected insurance solutions and easy data sharing between insurers, customers and third parties.
The rise of digital identity solutions is also redefining how insurers engage with their clientele. Digital identities facilitate safe, smooth authentication procedures, curbing fraudulent activities and bolstering customer confidence. As regulations progress to bolster digital identity structures, insurers can simplify customer onboarding and claims procedures, delivering a more seamless customer journey. The assimilation of digital identity within insurance operations not only heightens security but also presents prospects for bespoke services and streamlined data handling. This shift is pivotal as insurers adapt to more interconnected environments.
... While Regulation Catches Up
At the same time, regulatory scrutiny is intensifying. The DORA regulation, which came into force last year, is set to significantly impact the financial industry – including insurance companies – by enforcing stringent digital risk management and resilience measures across the European Union. DORA will also impact Swiss financial entities affiliated with or providing ICT services to EU financial institutions, including Swiss insurers that operate or offer services within the EU. Additionally, the European Parliament has adopted the Artificial Intelligence Act this year, calling for rules on data quality, oversight, accountability and transparency to address trust issues and potential biases in AI usage. Insurance companies must therefore give careful consideration to evolving regulation in order to reduce friction and minimise consumer risks.
In the case of DORA, the looming compliance deadline of 17 January 2025 offers a short, but important window for insurance companies to get up to speed with resilience measures. The regulation establishes standards that must be implemented by financial entities as well as their key third-party technology service providers, focusing on six key aspects of cyber resilience:
- ICT risk management: Businesses must have robust policies and processes in place to manage risk arising from information and communication technologies.
- ICT third-party risk management: Companies must conduct appropriate due diligence on third-party providers to monitor risks and establish clear contractual provisions.
- Digital operational resilience testing: DORA mandates regular testing and assessments that take into account the evolving landscape of ICT risk, so companies can proactively identify vulnerabilities.
- ICT-related incidents: The regulation aims to ensure major ICT-related incidents, such as cyber attacks and disruptions, are reported promptly to competent authorities.
- Information sharing: DORA aims to enhance the exchange of information and intelligence on cyber threats within the financial sector.
- Oversight of critical third-party providers: DORA specifies an oversight framework for critical ICT third-party providers to ensure firms maintain control over outsourced functions.
Maximising the Benefits of DORA
DORA is an opportunity for insurers to evaluate digital resilience measures and tackle cyber risks in a holistic manner, incorporating strategies at the governance level rather than as a separate initiative overseen by the IT department alone. As insurers increasingly rely on digital systems, DORA's requirements for robust ICT governance, incident reporting and resilience testing are crucial for maintaining operational stability.
We recommend the following main steps for insurers to be best prepared to meet the DORA regulation by early 2025, while maximising the potential of digital initiatives for cyber protection and business value:
- Establish a digital framework at the governance level: While digital initiatives picked up somewhat in the aftermath of the pandemic restrictions, decisions around such initiatives – including deployment of third-party providers – are often the domain of the IT department. By treating DORA as an opportunity to align digital transformation initiatives at the governance level, insurers can accelerate digital adoption across operations, address cyber risks more strategically and offer a wider range of real-time, personalised services to customers.
- Evaluate overall risk profile: DORA will require insurers and third parties to implement the six aspects mentioned above in accordance with the principle of proportionality, taking into account their size and overall risk profile. A careful and accurate evaluation – involving not only assessing traditional financial risks but also incorporating ICT risks into their overall risk management frameworks – is essential to the process. Insurers can indeed become more resilient by identifying all sources of ICT risk, implementing mechanisms for detecting abnormal activities and deploying strategies to ensure continuous monitoring and prevention of ICT-related risks.
- Use current services as building blocks: Adopting digital strategies across the value chain is crucial for insurers to remain competitive and deliver positive customer experiences. Use existing services as a foundation for capturing digital opportunities ahead of the DORA deadline. By integrating AI technologies, insurers can automate routine tasks, improve fraud detection and personalise customer interactions. This strategic use of digital tools not only helps in meeting DORA's compliance requirements but also puts insurers in a competitive position in a rapidly evolving market.
- Foster collaborative partnerships with DORA-critical suppliers: As insurers work to comply with DORA, it is crucial to establish strong partnerships with key third-party suppliers essential to their digital operations. These suppliers must also adhere to DORA's stringent standards. Insurers can take a proactive approach by collaborating with these suppliers to ensure they understand and implement the necessary contractual provisions of DORA. This collaboration can involve sharing best practices, providing compliance training and conducting joint risk assessments to identify and mitigate potential ICT vulnerabilities. By fostering these relationships, insurers not only help their suppliers achieve compliance but also enhance their own operational resilience, aligning all parties with DORA's objectives and reducing the risk of disruptions caused by non-compliance. Furthermore, insurers should negotiate contracts that clearly outline responsibilities and expectations regarding DORA compliance, ensuring suppliers are accountable for maintaining the required standards.
In conclusion, the implementation of regulatory frameworks like DORA underscores the importance of enhancing digital resilience strategies to protect against cyber threats. By taking a holistic approach to the issue at the governance level, insurers can capitalise on digital value opportunities while meeting the necessary regulatory requirements to ensure the integrity of financial operations across the EU.
Originally published 24 October 2024