Martin Maas CISO
6 May 2024

DORA and the Financial Ecosystem

Banks, insurers, and fintech/insurtech companies must collaborate to ensure security and compliance.

New models like Open Banking and Open Insurance offer ample opportunities for innovation, efficiency enhancement, and improved customer service. However, this openness comes with a price: how to maximize benefits without compromising security? How should banks and insurers partner with fintech and insurtech to ensure compliance? And what role does a cloud service provider like Solvinity play?

Secure Collaboration in the Ecosystem

In 2023, we counted 861 registered fintech companies in the Netherlands. Banks and insurers will increasingly rely on these companies. Similar to major car manufacturers, they will procure “components” from suppliers and assemble them into complete services. With “embedded finance,” even broader digital ecosystems emerge as financial institutions collaborate with companies in other sectors like retail, technology, and e-commerce.

Think of integrating payment services into mobile apps for ordering and paying for meals like Thuisbezorgd.nl. Or filling out and submitting an insurance claim form. Isn’t it convenient to handle all steps from ordering to payment or filling out and submitting within the same app interface?

Data Exchange and Resilience

While this openness benefits consumers, it also enlarges the attack surface and raises the bar for security. To protect consumers, banks and insurers must strengthen their IT resilience. Legislation such as DORA (the Digital Operational Resilience Act) aims to strengthen the digital resilience of financial institutions and their service providers through ICT risk management, incident reporting, resilience testing, and the management of ICT third-party risk.

The regulation entered into force on January 16, 2023, and applies from January 17, 2025, by which date institutions must be compliant. But partners in the chain, such as fintech/insurtech companies and cloud service providers like Solvinity, also carry responsibilities. Organizations can gain insight into their current security status, and the distance to DORA's requirements, through gap analyses.

DORA and Collaboration with Third Parties

If data sharing is a prerequisite for innovation, clear agreements must be made in the sector. Banks and insurers must establish clear guidelines for fintech, insurtech, and other suppliers and implement strong authentication and authorization mechanisms to prevent unauthorized access.

A crucial aspect of the IT Risk Management Framework for financial institutions is having a robust testing strategy. This strategy, based on a thorough risk analysis, focuses on protecting the organization's 'crown jewels' and on identifying likely attackers and their methods. The testing strategy encompasses several pillars: code testing integrated into agile development, application and infrastructure testing (penetration tests), and organizational tests (Threat-Led Penetration Testing, TLPT, in which a red team simulates realistic attackers against people, processes, and technology). Together these are essential to ensure the security of the IT landscape and to strengthen resilience against attacks.

As the application landscape of banks and insurers expands, so does the attack surface, which underlines the need for security audits. However, point-in-time snapshots are no longer sufficient. Fintech and insurtech companies release new applications more frequently, and existing applications are regularly extended with new features, so penetration testing must be performed more often than before. Moreover, digital operational resilience testing, including penetration tests, becomes mandatory under DORA, not only for banks and insurers but also for fintech companies developing payment solutions.

In their role as partners in this ecosystem, fintech/insurtech companies can build security into a DevSecOps approach across all phases of software development, which helps to detect and address vulnerabilities early. This ranges from automated security tests in the CI/CD pipeline and continuous code review to designing APIs with strong authentication and authorization mechanisms. Together, these measures in the development process contribute significantly to better security.
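The authentication and authorization mechanisms mentioned above and in the previous section are where Open Banking APIs most often fail in practice: a client is authenticated correctly but is then allowed to read another customer's account. The following added example (not code from the original article or from Solvinity) shows the two checks kept separate in a small account-lookup handler: first authenticate the bearer token (signature in constant time, then expiry), then authorize the call on both the granted scope and ownership of the requested object. The token format, the shared secret, the account table and the customer identifiers are all constructed for this example; a production API would use asymmetric signatures with a key held in a KMS or HSM and a real core-banking lookup.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample data: which customer owns which account (stands in for a core-banking lookup).
ACCOUNTS = {
    "NL91ABNA0417164300": "customer-1",
    "NL02RABO0123456789": "customer-2",
}

# Constructed demo secret. In production: asymmetric signing, key held in KMS/HSM, rotated.
SECRET = b"constructed-demo-secret-do-not-reuse"


class AuthError(Exception):
    """Authentication failure: the caller could not be identified."""


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, subject: str, scopes: list, expires_at: int) -> str:
    """Mint a compact HMAC-SHA256 signed token (hypothetical 'payload.signature' format)."""
    payload = json.dumps({"sub": subject, "scope": scopes, "exp": expires_at},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(sig)}"


def verify_token(secret: bytes, token: str, now: int) -> dict:
    """Authenticate: reject malformed tokens, compare the MAC in constant time, then check expiry."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, TypeError) as exc:  # wrong part count or invalid base64
        raise AuthError("malformed token") from exc
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise AuthError("bad signature")
    claims = json.loads(payload)  # only parsed after the signature is verified
    if now >= claims.get("exp", 0):
        raise AuthError("token expired")
    return claims


def is_authorized(claims: dict, required_scope: str, account_id: str) -> bool:
    """Authorize: the scope says what the client may do, the ownership check says on which object."""
    if required_scope not in claims.get("scope", []):
        return False
    return ACCOUNTS.get(account_id) == claims.get("sub")


def handle_get_account(token: str, account_id: str, now: int) -> tuple:
    """Handler for GET /accounts/{id}: 401 when authentication fails, 403 when authorization fails."""
    try:
        claims = verify_token(SECRET, token, now)
    except AuthError as exc:
        return 401, {"error": str(exc)}
    if not is_authorized(claims, "accounts:read", account_id):
        # Same answer for 'not yours' and 'does not exist', so account numbers cannot be enumerated.
        return 403, {"error": "forbidden"}
    return 200, {"account": account_id, "owner": claims["sub"]}


if __name__ == "__main__":
    now = int(time.time())
    token = issue_token(SECRET, "customer-1", ["accounts:read"], now + 300)
    print(handle_get_account(token, "NL91ABNA0417164300", now))  # own account: 200
    print(handle_get_account(token, "NL02RABO0123456789", now))  # someone else's account: 403
```

The point of keeping `verify_token` and `is_authorized` apart is that a penetration test of the API can target each independently: token tampering and expiry handling on the one hand, scope and object-level authorization (swapping the account number in the path) on the other.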

The Role of the Cloud Service Provider

As a cloud service provider, Solvinity plays a crucial role in ensuring the security and compliance of IT infrastructure and systems. The public, private, or hybrid cloud platform connects all partners in the ecosystem and must comply with stringent security standards and legal requirements in the financial sector.

However, “standard” security and compliance are not enough. When all parties in the ecosystem exchange data over a central infrastructure, operational agreements on application management, planning updates, and upgrades also become important. The more complex and diverse the IT landscape, the more critical service integration and coordination become. This requires adherence to processes and procedures in practice.

Both for private cloud environments and for Azure environments managed by Solvinity, our SOC 1 and SOC 2 assurance reports demonstrate that adequate controls and security measures have been implemented. Note that such reports cover the provider's controls within the scope and period of the audit; under DORA the financial institution itself remains fully responsible for managing the risk of its ICT third parties, so customers should map the report's scope against their own control requirements. With advanced security measures in the infrastructure and additional security services, Solvinity provides a well-protected and resilient cloud platform for banks, insurers, and software developers.

Increasing resilience thanks to DORA

Boosting your digital resilience through DORA: how? Martin Maas (Solvinity), Kees Stammes (Securify), and other speakers will address this in our webinar (in Dutch) on June 6th. Register now using the button below!
