Compensa Life Vienna Insurance Group SE Head of Legal Baltics Gabija Kuncyte discusses the evolving landscape of cybersecurity and its increasing significance within the legal and financial sectors.
CEELM: How has the increasing focus on cybersecurity regulations impacted your company so far?
Kuncyte: Currently, many group projects at the Vienna Insurance Group level are centered around cybersecurity. One notable project involves establishing cyber defense centers across Europe, with Poland designated for our region, while other countries will have other centers hosted in other EU countries.
The growing pressure on companies comes from multiple sources. Regulators are becoming more aware of cybersecurity needs, and regulators from progressive countries like Austria are responding by hiring IT and IT security specialists. While GDPR was once the primary focus, the attention has now shifted toward scrutinizing IT systems and vendor management. Personal data protection is no longer the sole concern.
With more companies investing heavily in IT, it’s essential to ensure that systems are secure. Even a single weak vendor among many can create a backdoor for hackers and potentially threaten business continuity. This is why large groups like ours are prioritizing the establishment of centralized cybersecurity centers. Centralizing IT management simplifies oversight, especially when companies have diverse IT support structures.
The second major source for increased focus on cybersecurity is the DORA regulation that will come into force in January 2025, placing significant pressure on financial sector organizations. This will require extensive testing and the establishment of numerous internal processes.
CEELM: Can you walk us through the preparations that you are putting in place for implementing various regulations?
Kuncyte: The DORA will be the primary regulation implemented. The DORA itself is highly detailed when it comes to IT security. Many aspects will need to be implemented at the local level, impacting every process within the organization. Unlike the GDPR, which was more general, the DORA is much more specific and goes even further – it outlines in detail who is responsible for what and when providing clarity but also imposes specific rules on companies.
These detailed requirements mean that companies will either need to reform their current systems or adapt to the new regulations, which can disrupt existing processes or create a need to reinvent them. Given how precise and constructed the DORA’s requirements are, it’s clear that what has been done before won’t easily fit into this new framework. And this would be costly.
CEELM: What are the main hurdles you encounter during the process?
Kuncyte: Local regulations are supposed to be consistent, but the real issue is that we only have approximately six months left until the deadline, and there’s still no clear plan for implementation at a local level. We do not know where and how to start – that’s why we have not yet started preparing. Latvia has drafted some requirements, but Lithuania and Estonia have not yet done that and any relevant events would start only in autumn. The first one in our region is set for mid-September, focusing on how to report to the local regulator. Personally, it’s frustrating because we already need to start preparing for reporting and designing all our systems as well as internal processes but, since we don’t know what precisely will be required, we have to play a guessing game.
I sometimes wonder if rushing these regulations is the right move. From a business lawyer’s perspective, it feels like the real goal gets lost in the paperwork and reporting requirements. While the DORA might improve IT security, the heavy bureaucracy could overshadow the actual benefits. Normally, a project like this would need two years of planning, but now we’re expected to manage it all in just six months.
CEELM: Are you looking to develop some skills within the in-house function to address cybersecurity?
Kuncyte: We aim to but what’s missing in the market is the necessary information and training specifically for financial institutions, particularly when it comes to equipping lawyers with a solid cybersecurity background. The only training I’ve seen so far is from the Academy of European Law, but there’s nothing else available. This gap in the market suggests that at some point we’ll likely see IT security training courses designed for lawyers.
Since the DORA is also focused on risk management, lawyers will also need to develop a basic understanding of risk management to interpret the regulations and reports effectively. For example, when dealing with third-party vendors, both lawyers and cybersecurity professionals must gather and analyze crucial information about them. Lawyers, therefore, need to grasp risk management concepts to be effective in their roles. This situation reminds me of the sustainability regulations, where teams had to include a dedicated specialist who kept up with all the trends and regulations. I believe that the same will be true for the DORA.
CEELM: How do you find a balance between cybersecurity priorities and a company’s business goals?
Kuncyte: When comparing the DORA with the GDPR and sustainability-related regulations, one key difference with the former is the significant responsibilities placed on the management board. If the boards fail to adhere to certain decisions, there could even be criminal consequences. This is very different from previous EU regulations and creates an enormous top-to-down pressure. In my personal opinion, it is done on purpose. For the DORA, management boards will be driving the urgency to get it right due to the strong element of personal responsibility involved.
Another concern is that the DORA will likely lead to rising costs. Just as companies factored in the GDPR and other requirements into their pricing, cybersecurity compliance is expensive. If you present a vendor with a lengthy list of requirements, those who understand the risks are likely to agree but at a much higher price. This will create a really difficult situation for smaller regional companies, who do not have the support of international groups and, thus, may lead to even more concentration in the financial services market as a result.
CEELM: What significant trends or changes are you anticipating in the next five years in terms of regulatory framework?
Kuncyte: I’m generally optimistic about life and work, but I’m a bit wary of regulations, which often tend to be bureaucratic and often have significant gaps. I believe that within the next five years, we will see the introduction of the first AI regulations in the EU along with many new likely regulations. However, putting these regulations into practical use will still be challenging. As more regulations come into play, both vendors and clients will face a lot of complexity, when acting within the financial services market. Additionally, even though regulations will evolve quickly over the next five years, they probably won’t keep up with the rapid pace of technology. The gap between regulation and technology will probably get even bigger. And we’ll have to find a way to deal with that.
