By Elizabeth Grima, Senior Executive Manager at New Dawn Risk Europe
The Digital Operational Resilience Act (DORA) marks a significant evolution in how financial institutions and their service providers must manage cybersecurity and operational resilience. As the financial sector becomes increasingly dependent on digital systems, regulators have introduced a structured framework to address ICT risks effectively and strengthen the overall resilience of the business.
DORA mandates that financial institutions adopt robust digital resilience measures, structured around five core pillars:
- ICT risk management: Firms must implement a comprehensive ICT risk framework to prevent, detect, and recover from cyber incidents, ensuring seamless business continuity.
- Incident reporting: Institutions are required to report major ICT-related disruptions to regulators in a structured and timely manner.
- Operational resilience testing: Entities must conduct periodic stress testing and scenario analyses to identify vulnerabilities and enhance response capabilities.
- Third-party risk management: Firms must closely monitor and regulate their ICT service providers to ensure compliance with resilience standards.
- Information sharing: Firms are encouraged to collaborate across sectors and share threat intelligence to strengthen cyber resilience industry-wide.
A mindset shift: from compliance to proactive defence
DORA’s framework signifies a paradigm shift from treating cybersecurity as a mere compliance obligation to embedding it as a core business strategy. Financial institutions must transition from reactive measures to proactive resilience, integrating cybersecurity into their operational DNA. This involves not only implementing required safeguards but also fostering a culture of continuous risk assessment and improvement.
Cyber insurance: not just a safety net for residual risks
By positioning DORA as a first line of defence, organizations can mitigate the known risks associated with cyber threats, minimizing financial and reputational damage. However, despite the most stringent controls, some risks remain outside an institution’s direct control—this is where cyber insurance plays a critical role.
While DORA strengthens financial institutions’ ability to withstand cyber incidents, cyber insurance serves as a complementary safeguard for risks that persist beyond internal controls. Cyber insurance products have evolved to align with regulatory requirements, offering coverage for:
- Incident response & crisis management: Covering costs related to forensic investigations, legal expenses, and regulatory reporting, ensuring compliance with DORA’s incident notification obligations.
- Business interruption: Addressing financial losses stemming from system outages caused by cyberattacks or ICT failures.
- Third-party liabilities: Protecting against legal claims arising from data breaches affecting customers or business partners.
- Regulatory fines & penalties: In some cases, policies may provide coverage for penalties imposed due to non-compliance with operational resilience mandates.
Additionally, some insurance carriers offer an exclusive suite of ongoing risk-mitigation services, some of which are complimentary while others are offered at a discounted rate. These include:
- Cybersecurity training and simulation
- IP and domain protection
- Vulnerability testing and rating
- Sharing of reports and changes to the risk exposure by industry
- Business continuity planning (BCP)
- Information portal, including incident reporting orientation
- 24/7 helpline
Directors’ and officers’ insurance: addressing personal liability
Another vital aspect of corporate risk management, and one that is often overlooked, is the personal liability faced by those in management positions. Directors’ and officers’ (D&O) insurance provides protection for company executives who may be held personally liable for decisions made in their official capacities. As regulatory scrutiny increases, D&O cover provides the necessary protection to key decision-makers against legal actions arising from regulatory investigations, shareholder or stakeholder lawsuits, and cybersecurity incidents or data breaches.
For financial institutions navigating the evolving regulatory landscape under DORA, ensuring that leadership is protected against personal liability risks is as critical as securing organizational resilience.
Securing the future (how DORA, Cyber and D&O work together)
DORA sets a new benchmark for cybersecurity and operational resilience, requiring financial institutions to adopt a comprehensive, risk-based approach. However, even with stringent internal controls, certain risks remain inevitable. Cyber insurance complements DORA’s requirements by providing a financial safety net when cyber threats materialize. Additionally, Directors’ and Officers’ (D&O) cover ensures that leaders are protected, allowing them to focus on strengthening operational resilience without the fear of personal exposure.
By embracing both regulatory compliance and insurance protection, financial institutions can develop a holistic resilience strategy, ensuring they are well-prepared to withstand and recover from an increasingly complex cyber threat landscape.