EU captives may have to comply with highest cybersecurity standards

European-based captives will face an additional regulatory burden when the EU's new financial services cybersecurity rules kick in next January, and may be held to the same standards as big insurers rather than benefiting from proportionality, experts say.

Although captives have much more modest operations than insurers or reinsurers, they will have to comply with the Digital Operational Resilience Act (DORA) and, potentially, the highest possible standards, the experts explained.

DORA, which will also bring firms that supply information and communication technology (ICT) services to the financial services industry under regulatory oversight, includes a proportionality principle. This principle aims to impose less severe cybersecurity compliance requirements on smaller underwriters, in an effort to reduce the cost of compliance for new insurers and regional players.

But Finn-Erik Langeggen, director of ESG and operational risk management at Stockholm-based consultancy advisense, warns that captive companies may not benefit from the proportionality principle because cyber exposures at their parent companies will be taken into account.

“Captives face a tricky position as very often they do not have IT departments of their own,” said Langeggen. “Maybe the multinational company that owns a captive does not have to comply with DORA, but with NIS2 within the EU instead. However, the captive will have to [comply]. It may be the case that instead of following the proportionality principle within DORA, they [captives] will have to implement the highest regulatory compliance considering the risks of the whole company, and that will trickle down to the captive.”

This would mean significant compliance costs. DORA establishes that financial entities will have to meet specific requirements when managing ICT risk. They will need to assess and evaluate the strategies, procedures and practices currently in place. Actuarial consultancy Milliman recently said that risk functions will have to be involved, even though most of the work will fall on IT departments.

DORA also imposes regular testing and reporting rules to make sure that regulators are kept in the loop about cybersecurity at supervised entities. Non-compliance with the new rules will hit hard. Fines of up to 2% of the company's worldwide turnover, or €1m in the case of individuals, can be imposed by regulators. But these fines vary across the EU and are much higher in some jurisdictions. In Luxembourg, a major captive jurisdiction, financial authorities can apply fines of up to 10% of annual turnover, or €5m for individuals.

The trickiest and potentially most disruptive aspect of DORA, however, is the rule that requires supervised entities to manage third-party ICT risk. Experts say this may require renegotiating contracts with providers of ICT services, such as cloud computing, and getting them involved in the testing and reporting tasks performed by supervised entities, including captives.

The big challenge will be engaging large ICT services providers. Many companies contract services in bundles from a few so-called cloud hyperscalers, which include the likes of Google, Amazon, Microsoft and Meta. Experts warn that even large insurers won’t have the clout to force these companies to come to the table. The challenge will clearly be even tougher for captive companies.

Companies that have not made significant progress in adapting their IT processes to the new rules will face the biggest problems. Market sources say that the largest underwriters have been working on this for a few years already, but some of the smallest players may struggle to catch up when the new regulation applies from 17 January 2025.

“I do not think that small captives and pension funds are very happy with DORA because they may have to deal with it as a third-party risk from their mother companies. However, medium-sized and large companies understand its relevance,” Langeggen said.
