Navigating DORA: Delvag's Successful Journey from Gap Analysis to Compliance

27 August 2025

A cyberattack on an insurance company is far worse than just a technical problem: in addition to the breakdown of central IT systems, there is also the threat of sensitive customer data being exposed. This not only results in significant business losses, but can also cause lasting damage to customer trust and the company's reputation. To specifically prevent such scenarios, the Digital Operational Resilience Act (DORA) sets new standards: The EU regulation creates a precise, binding framework to sustainably strengthen the digital resilience of financial companies in Europe.

Delvag Versicherungs-AG (Delvag for short), the Lufthansa Group's captive insurer, must also fully implement this new legal framework. The insurer has specialized in aviation and transport insurance for decades. Resilience to cyberattacks plays an important role, especially in this highly networked and digitized sector. As Delvag is the only company in the Lufthansa Group that has to comply with DORA directly, the question arose: How can such a comprehensive project be implemented efficiently and practically within the group? The insurer found the right partner for this question in usd AG. Together, the two partners initiated a clearly structured program at an early stage that addresses all DORA requirements on time and in a tailored manner, thereby strengthening Delvag's cyber resilience in the long term.

DORA compliance as pioneering work within the Lufthansa Group

In preparation for the implementation project, the project team faced two fundamental challenges. The first concerned the initial gap analysis: it provided a solid basis for planning the implementation measures, but due to its scope it did not cover all relevant DORA requirements, because the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) were not yet in their final version at the time of the gap analysis. As a result, Delvag's existing information security measures could not be compared with the specified standards. Supplementing the gap analysis with the finalized RTS and ITS, which are mandatory, was therefore added to the project agenda for the second project phase.

The second challenge arose from Delvag's special role as the only DORA-regulated company within the Lufthansa Group. On top of the stricter requirements regarding information security and ICT risk management, a higher degree of harmonization with the holding company's requirements will be necessary at the internal interfaces within the group in the future. It was therefore all the more important to raise awareness of the new regulatory requirements as part of the project. In close coordination with the project team, Delvag communicated the requirements of the EU regulation to various responsible parties within the Group in order to ensure awareness of the associated challenges.

The solution: Structured DORA compliance

The implementation project kicked off with the completion of the initial gap analysis and its evaluation based on the finalized RTS and ITS in order to identify the status quo of the DORA requirements. The consultants at usd then translated the results into a tailor-made catalog of measures that served as a solid foundation for operational implementation. In order to address the complex EU regulation in a structured manner, the project team divided the key DORA topics into individual sub-projects.

One challenge in implementation, for example in third-party risk management, is to make complex interrelationships so comprehensible that they can not only be understood but also meaningfully integrated into existing structures.

Alexandra Hahn, Senior Security Consultant, usd AG

Continuously maintained, comprehensive documentation accompanied all work steps and made progress traceable at all times. The measures introduced specifically included:

  • Conception of a structure to complement existing internal information security requirements within the Lufthansa Group, such as strategies, guidelines, policies, processes, and forms
  • Establishment of an administrative structure for the management of ICT service provider contracts
  • Establishment of a standardized ICT risk methodology and a DORA-compliant ICT incident management process
  • Concept for a DOR test program
  • Preparing the information register and finalizing the submission
  • Development and implementation of comprehensive DORA training courses for employees and the management body

DORA is an exceedingly comprehensive set of regulations that presents companies with a multitude of new challenges. The requirements are wide-ranging and demand not only in-depth technical adjustments but also organizational changes. As if this were not demanding enough, Delvag also faced the particular task of being the only DORA-regulated company within the group to ensure precise harmonization with the existing requirements of the holding company.
In this demanding environment, partnership and trust-based cooperation were of crucial importance. Openness to our suggestions and mutual exchange on an equal footing contributed significantly to the development of pragmatic and sustainable solutions. This enabled us to efficiently implement the DORA requirements and successfully master them together.

Dr. Nicole Trebel, Senior Security Consultant, usd AG

Together to the Finish Line

The partnership with usd AG was the key to our success: Together, we not only completed DORA on schedule, but also laid a solid foundation for our digital resilience. Delvag Versicherungs-AG is now optimally equipped to confidently meet regulatory requirements on a long-term basis.

Georg Hahn, Delvag Versicherungs-AG

About Delvag Versicherungs-AG

As the captive insurer or self-insurer of the Lufthansa Group, Delvag has been the internationally oriented specialist insurer for aviation and transport insurance for 100 years. Thanks to its proximity to the industry, Delvag Versicherungs-AG understands the current and future needs of its customers' day-to-day business and designs fast, customized solutions that meet the increasing demands of aviation. Delvag provides support as an experienced risk manager and insurance partner for primary insurance and reinsurance.
Source: Delvag Versicherungs-AG
