The changing face of digital operational resilience

Jack Scott-Bowden
Senior Account Manager - Fintech
14 October 2024

In the world of cybersecurity, it's not just hackers keeping businesses on their toes — it’s regulations too. And there’s a new one coming to town for financial services firms, including fintechs: the Digital Operational Resilience Act (DORA).

With this new set of rules coming into force on 17 January 2025, it’s time to ask yourself: are you ready for the ultimate cyber hygiene checkup? Spoiler alert: if you haven’t spoken to a specialist cyber insurance broker like Superscript, you might not be 100% ready.

And while we’re at it, let’s not forget about the boardroom. DORA also brings new directors’ and officers’ (D&O) risks into play. Because when it comes to cybersecurity failures, the buck doesn’t just stop at the IT department — it can land squarely in the laps of your C-suite and board members. But we’ll get to that in a moment.

What is DORA, and why should you care?

Not to be confused with the intrepid explorer from children’s TV, the DORA regulation isn’t here to take you on a treasure hunt — it’s here to make sure you don’t lose your data to cybercriminals.

The Digital Operational Resilience Act is an EU regulation aimed at strengthening the cybersecurity and rock-solid operational resilience of financial services companies.

It's part of a broader effort by the EU to ensure that companies in the financial sector can withstand and quickly recover from cyberattacks, system failures or any other disruptions to their digital services.

Here’s the short and sweet of what DORA brings:

  • Risk management: You'll need robust plans in place to protect your networks and databases from cyberattacks and — if the worst happens — detect and quickly respond to cybersecurity incidents
  • Incident reporting: If you suffer a significant breach you’ll need to inform the regulators promptly — usually within a matter of hours or days
  • Third-party risks: It’s not just about how good your own systems are; you’re also responsible for the security standards of your third-party providers — like cloud storage — especially if they outsource any services themselves
  • Resilience testing: Get ready for some digital bootcamp, because DORA says regular stress tests of your systems are a must

Why your cyber hygiene needs a polish

While you may think that your cyber processes and procedures are up to scratch, DORA brings with it stricter standards than we’ve seen before.

For example, DORA will require firms to have:

  • A detailed framework for managing cyber risks
  • Constant monitoring and detection systems in place
  • Tighter incident reporting and response protocols
  • More rigorous and frequent testing of systems
  • Data encryption and the implementation of secure backups
  • Training for your team, as DORA places a strong focus on the human element of cybersecurity
  • Governance and personal accountability at senior levels

Here’s what could go wrong if your cyber hygiene isn’t squeaky clean:

  • Data breaches: Financial institutions — from startup fintechs and scaling insurtechs to multinational banks — hold sensitive client data that is a prime target for hackers, and it doesn’t matter how small your business is
  • Ransomware attacks: Organised crime gangs have added a level of professionalism to ransomware attacks, and there is a proliferation of software available for them to hold your data hostage in return for a ransom
  • Regulatory fines: Similar to GDPR fines, if your firm isn’t compliant with DORA and suffers a breach, fines will likely run into millions of euros or a percentage of your company’s annual revenue

In short, failure to comply with DORA or suffering a cyber breach due to poor cyber hygiene can result in significant financial penalties, operational restrictions and personal liabilities for those responsible — underscoring the importance of implementing robust, DORA-compliant cybersecurity measures.

The hidden D&O risks of DORA

While DORA’s primary focus is on an organisation's operational resilience, it brings potential risks for senior executives and board members too. This is where directors’ and officers’ liability comes into play.

Here’s why:
1. Personal liability for cyber failures: If your company fails to meet DORA’s stringent requirements and then suffers a cyber incident, it’s not just the business that could face fines — your directors and officers could also be personally liable. If regulators or shareholders believe the leadership team failed to implement adequate cyber risk management, lawsuits and claims could follow.

2. Regulatory scrutiny: Under DORA, there’ll be more eyes on how financial institutions handle their digital infrastructure. If a cyber incident occurs and it’s found that directors didn’t take necessary steps to ensure compliance, they could be in for some uncomfortable conversations with regulators — or perhaps, civil or criminal penalties.

3. Shareholder lawsuits: A major cyberattack or operational failure under DORA could potentially damage a company’s stock value, opening the door for shareholder lawsuits. Shareholders may argue that company leaders neglected their fiduciary duties by failing to safeguard against foreseeable risks.

4. Reputational risk: Even without a direct lawsuit, the reputational damage for leadership can be massive. Directors and officers may find their careers on the line if they’re deemed responsible for allowing a cyber event to unfold, especially in a regulatory environment where operational resilience is now a top priority.

So, while it might seem like DORA is your tech team’s problem, the truth is that leadership needs to be just as invested in ensuring the company’s digital resilience is airtight.

That’s where a tailored directors' and officers' insurance policy comes in. Speaking to a specialist insurance broker can help ensure your D&O policy covers these cyber-related risks.

Why you need a specialist cyber insurance broker

Specialist cyber insurance brokers — like Superscript — are like your very own cybersecurity nerds with capes, ready to save you from regulatory headaches and hacker nightmares.

Here’s how:
1. Tailored risk assessments: DORA’s demands aren’t one-size-fits-all, and neither are the insurance policies you’ll need. A specialist broker will assess your exact cyber risks, providing bespoke cover.

2. Regulatory insight: Trying to navigate DORA without expert help is like assembling IKEA furniture without instructions. Superscript’s got the manual (and the Allen key) to make sure your insurance aligns perfectly with the new rules.

3. All the cover you didn’t know you needed: Business interruption, third-party liability, regulatory fines… regular insurance policies can often leave gaping holes. Superscript can plug those gaps with a comprehensive cyber policy that makes sure nothing (and no one) slips through the cracks — including coverage for the D&O risks.

4. Incident response support: When the worst happens, having a specialist broker means access to rapid incident response teams who can help you deal with a breach faster than you can say “data encryption”.

5. Proactive risk management: Not just a safety net, we can help you avoid falling off the high wire in the first place — with services like security audits and cyber threat intel to keep your cyber hygiene pristine.

DORA’s knocking, are you ready?

With DORA arriving in fewer than 99 days, it’s really time to get prepared. The financial sector is under more scrutiny than ever before, and if your cyber hygiene isn’t spotless, you may get stung.

Consulting with a specialist broker like Superscript will help you sail through this regulatory change, giving you peace of mind that your business is protected, compliant and ready to take on the digital world — even when it throws its worst at you.

Because when DORA comes knocking, you don’t want to be the business standing in the rain without an umbrella. You want to be the one ready with a bespoke cyber insurance policy, confident that you’ve got your company — and its board — covered.

This content has been created for general information purposes and should not be taken as formal advice.
