Adapting to the DORA regulation by harnessing the flexibility of Guidewire Cloud

The ability to adapt and respond quickly to ever-changing market conditions has always been a cornerstone of the reasoning that supports cloud deployments. Around the time when Guidewire decided to spearhead the insurance industry’s shift to more versatile, cloud-based and SaaS models for their core systems, GDPR was one of the main challenges facing the industry and virtually the entire business world. It’s safe to say that GDPR is still remembered by many business leaders (and not-so-leaders) as a disruptive force that has led to many complex implementations and headaches.

Despite the ample lead time before the regulation came into effect, the reality was that unyielding legacy systems were not very friendly to change. The need for flexible, agile, and secure systems was again highlighted by the Covid-19 pandemic and all the disruptions that it has brought to the world.


There is no doubt that complete adaptation to new market conditions is made of many moving parts. Processes, people, and technology need to come together to succeed in the changed environment. However, when the software used by an organization is flexible, regularly updated, and secure, things get much easier. In the case of Software-as-a-Service, vendors will often have multiple clients and, in the case of Guidewire, our customers comprise a wide range of insurance companies, most of which are facing the same regulatory demands that we must respond to in adapting to their respective needs.

It has now been several years since GDPR came into play. While progress has been made, insurance companies with legacy on-premises systems remain, and they might be less well-equipped to adapt should new, potentially disruptive legislation or regulation appear. And we now have the perfect candidate affecting the finance and insurance industries in 2022: the Digital Operations Resilience Act, also known as DORA. So, what is DORA and how is Guidewire planning to comply with it? Let’s explore this in detail.

What is DORA?

The Digital Operations Resilience Act (DORA) is the European Union’s attempt to improve IT security and operational resilience in companies within the European Union Financial Sector. This also concerns companies providing software and associated services in this sector. In the coming months, the European Council and the European Parliament will negotiate the final version of the draft DORA regulation. While DORA has not been enacted yet, Guidewire is following its development closely and together with our hosting provider, AWS, we welcome this initiative and expect to be able to meet the requirements of DORA as they are currently presented.

The goal of DORA is to provide a unified Information and Communication Technology (ICT) risk management standard in Europe. DORA is set to replace multiple ICT risk management frameworks with a single unified approach for addressing ICT-related incidents in Europe's financial and insurance industry, an approach that Guidewire supports. DORA also addresses operational resilience within the financial industry so that business continuity can be guaranteed, even while an organization is subject to a disrupting event such as during a cyberattack. DORA also requires Critical ICT Third-Party providers (CTPPs) in outsourcing arrangements to conform to regulatory standards, a requirement that will be defined and supervised by European Supervisory Authorities (ESAs), such as the EIOPA (for the insurance industry).

How will Guidewire comply with DORA?

At Guidewire, we believe we are already meeting several of the requirements as they are currently described in DORA:
• Incident response: Security is the highest priority at Guidewire, and we already have several governance frameworks in place, including SOC 2 and ISO 27001, which address the security fundamentals as well as our response to security incidents within our cloud environment; we will agree to these requirements contractually.
• Governance and monitoring: Compliance is currently set to be determined through a combination of inspections and the availability of specific information including service details, incident reporting logs, and greater detail of implemented cyber risk defenses to the outsourced third party; we will be able to meet these requirements.
• Operational resilience: Guidewire understands how important resilience and business continuity of service is to our customers. Together with our hosting service provider, AWS, we recognize that financial institutions need to comply with specific regulatory requirements regarding operational resilience. We believe we have built a robust operating model that will meet the requirements of DORA and is built for resiliency in the cloud; we will be able to make contractual commitments to the same.

In conclusion, the flexibility of Guidewire Cloud allows us to be well prepared. Change is a certainty. However, with the right systems in place, pain doesn’t have to be.
