The insurance sector is facing an increasingly complex sanctions landscape, writes Stuart Favier, Client Manager at the IT consultancy Northdoor plc.
Banks are being asked to keep constantly up to speed with changing sanctions lists. It is also clear that the FCA is policing and enforcing the sanctions stringently. For example, Starling Bank has been fined £29m for failings in its financial crime systems, which saw the bank open 54,000 accounts for 49,000 high-risk customers between September 2021 and November 2023. This shocking figure comes at a time when sanctions are at their most extensive and are being policed more closely than ever.
This massive fine needs to act as a wake-up call for the insurance sector. Sanctions and watch lists are huge and ever-changing, so ensuring that you are adhering to them is a complicated and time-consuming task. Monitoring these lists manually is no longer a viable approach. Third-party IT consultants can help the sector to implement technology to automate this process, saving time and improving accuracy.
Cyber threats will be on the rise in 2025. These threats are now fuelled by innovative tools, many utilising AI, meaning the tactics threat actors deploy have become increasingly sophisticated. Organisations will therefore need to balance the need to protect themselves against the cost of investing in cyber protection. Organisations of different sizes will also have varying cybersecurity requirements: while still a target, an SME or startup may not need the extensive security infrastructure a large, multi-layered enterprise would. There is no 'one size fits all' solution for any business.
Third-party IT consultants can help insurers to implement the level of protection that is right for them. Solutions such as Managed Detection and Response (MDR), Managed Risk, Managed Cloud Monitoring, Managed Security Awareness and Security Operations as a Managed Service will be crucial to maintaining a strong security posture in 2025. Third-party IT consultants can provide 24×7 tactical coverage and ongoing strategic security recommendations, acting as an extension of an organisation's internal team to meet its security needs.
Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is due to come into force from January 2025. It applies to banks, insurance companies, investment fund managers, e-money institutions, crypto-asset service providers, crowdfunding platforms and investment firms. Some of the provisions of DORA also apply directly to certain 'critical' third-party Information and Communication Technology (ICT) service providers, while all ICT service providers that work with the financial sector are expected to adhere to its compliance requirements. DORA focuses on boosting business resilience to technology-related risk, such as disruption to operations and data loss caused by cybercriminals.
Third-party security risk management
With ever-increasing regulatory requirements (such as DORA), third-party security risk management will be crucial for the insurance sector in 2025. Third-party security risk management continuously monitors external data feeds and third parties for changes in risk or performance, and can identify the high-risk third parties or suppliers that pose the greatest risk to an organisation. It is vital to any insurance organisation for identifying cybersecurity risk, such as a third-party data breach, phishing attack or ransomware attack. It can also be used to identify operational risk, where a third party could be disrupted by a natural disaster, political conflict or cybersecurity attack, and financial risk, where a poorly managed third-party supply chain could lead to a financial threat for an organisation.