
DORA regulation will apply from January 2025.
Significance for our private equity and venture capital clients

What comes across as a somewhat unwieldy Digital Operational Resilience Act has a very serious background and is fundamentally to be welcomed. After all, when we evaluate our claims in the context of cybercrime, PE and VC funds and their KVGs are the group with the highest frequency of claims. It can be safely assumed that they have been identified as a "worthwhile target group" by cyber criminals based abroad and are now being systematically "processed". We are seeing an increase in redirected capital calls, redirected distributions and redirected investment payments, some of which involve elaborate strategies on the part of the attackers. It is therefore one of our strategic focus topics for 2024/2025, particularly in terms of raising awareness.

About the DORA Regulation: with this regulation, the European Commission aims to harmonize ICT (information and communication technology) resilience measures across Europe and improve cybersecurity in the financial sector. The key cut-off date is January 17, 2025, from which the regulation applies (two years after its entry into force).

The regulation emphasizes that the company management - i.e. the management or the board of directors ("GPs") - is responsible for managing ICT risks. And that's not all: they must also define and approve the strategy for digital operational resilience and plan an appropriate budget for it. The necessary know-how must always be kept up to date. In addition, companies in the financial sector must set up an ICT risk control function. It contains elements of the information security officer role already prescribed in the sectoral IT requirements, but the two roles are not congruent.

Who is affected by the DORA Regulation?

On the one hand, it affects us as Risk Partners, and on the other, it affects fund managers. Of the alternative investment fund managers, only KVGs with full authorization from BaFin are covered. Registered AIF KVGs are exempt from this. Although there is no separate provision for them, this exemption should also apply to EuVECA managers, as they are typically registered AIF KVGs.

DORA builds on the existing regulatory requirements. Many of the provisions are therefore already familiar to the companies concerned from the sectoral IT requirements. DORA harmonizes these provisions, but is more detailed overall and further restricts existing discretionary powers. The new regulatory requirements can be divided into five main areas (following the structure used by our colleagues at POELLATH):

ICT risk management and ICT governance:

Responsibility for risk management lies with the management. ICT risks must be integrated into this risk management. While this was already in line with previous regulatory requirements, it is now enshrined in law. As part of ICT governance, i.e. the legal and organizational framework for IT, ICT must be integrated into the corporate strategy. Mandatory updates and control mechanisms for ICT systems are also being introduced. Strategies for data backup and recovery must also be developed in order to minimize system failures.

Obligation to report ICT-related incidents:

In future, BaFin will assume the role of a national reporting hub for ICT incidents in the financial sector. An "ICT-related incident" is an unplanned event that affects the security of networks and information systems and has a negative impact on the availability, integrity, authenticity or confidentiality of data or services of a financial undertaking (Art. 3 para. 1 no. 8 DORA). Protection mechanisms and early warning systems must be implemented to detect cyber attacks at an early stage and prevent ICT incidents. All ICT-related incidents must be logged. In addition, a procedure for classifying incidents will be introduced and serious incidents must be reported.

Testing digital operational resilience:

DORA requires financial companies to regularly review their ICT security. The regulation provides for various suitable tests to check the software code, network security and the compatibility of hardware and software. The aim of these tests is to uncover and eliminate weaknesses in the company's own digital operational resilience.

ICT third party management/outsourcing:

As more and more ICT services are being outsourced to technology service providers, companies must also identify third-party risks as part of their risk management. BaFin receives notifications in connection with ICT third party management and examines them for potential risks to the financial sector. DORA specifies key contractual provisions as well as certain monitoring and termination rights for outsourcing agreements. The term ICT service is broadly defined and includes - with the exception of analog telephone services - all digital and data services provided to users via systems, including hardware-as-a-service and hardware services (Art. 3 para. 1 no. 21 DORA).

Monitoring of critical ICT third-party service providers:

DORA establishes a framework for the supervision of critical ICT technology providers that already existed in Germany in outline form. BaFin's powers have been significantly expanded and include, among other things, the requesting of documents, the imposition of fines and on-site inspections. BaFin is responsible for classifying an ICT service provider as critical and for the associated monitoring. Service providers classified as critical must bear the costs of this monitoring themselves.
