Arendt & Medernach – Dealing with cyber risks and attacks in the insurance sector: a strategic approach to cybersecurity

Article written by Arendt & Medernach as part of the sponsorship of ACA Insurance Days 2024, whose content is the sole responsibility of its author.

In January 2025, the Luxembourg Government IT Centre (CTIE) confirmed that several Luxembourg government websites were targeted in a cyberattack and that a number of websites, including MyGuichet and LuxTrust, were inaccessible for a period of around two hours due to what is known as a distributed denial of service (DDoS) attack rendering the websites incapable of fulfilling legitimate requests from users.

This incident is far from being an isolated case. The number of cyberattacks against companies and government bodies in Luxembourg has doubled in the past year, with almost 1,200 attacks happening every week on average in the second quarter of 2024.[1]

Because Luxembourg has a world-class financial sector, and because of the valuable data it handles, the sector is often targeted by cyberattacks and also cyber-enabled crimes, such as financial fraud.

Phishing attacks preying on human error and document falsification remain among the most common cyberthreats. Malware, particularly ransomware, which encrypts a victim’s files or locks their system while demanding a ransom for access restoration, is also increasingly recognised as a significant threat.

Cybercriminals employ various tactics in order to exploit possible vulnerabilities in a company’s ICT infrastructure. Depending on their nature and severity, these threats can potentially lead to financial loss, data breaches, reputational damage, or regulatory sanctions.

The insurance sector in particular faces a high level of risk: the volume of sensitive data processed, the financial transactions involved and the potential for high payouts make insurers attractive targets for cybercriminals.

A multifaceted approach combining measures targeting the company’s staff, system, network and security infrastructure, as well as regulatory compliance, is key for optimal prevention of cyberattacks.

The development of the EU’s legal arsenal through the recent entry into application of the Digital Operational Resilience Act (DORA), in addition to the Network and Information Security 2 Directive (NIS2), highlights the need for enhanced cybersecurity. This need also exists in the insurance sector, which has so far been somewhat less regulated than other domains, e.g. the banking industry.

Since signs of an attack may not always be obvious, anticipating the current and future threats likely to be encountered is essential.

The most effective approach is employee training, such as awareness programmes and regular testing. This can significantly reduce the risk of human error, which is one of the main reasons cyberattacks are successful.

System security is equally critical. Regular updates help close gaps in security, while endpoint protection deploys advanced security measures to detect and prevent threats at user access points.

Additionally, robust security monitoring enables early detection of suspicious activities, allowing for a swift response in the event of unauthorised infiltrations. Developing containment strategies is also key, as they help protect critical assets by isolating them from potential attack vectors, minimising the impact of a security breach.

The government-driven initiative Computer Incident Response Center Luxembourg (CIRCL), operated by Luxembourg House of Cybersecurity (LHC), plays a proactive role in detecting potential threats by monitoring the dark web and notifying victims before attackers engage with them. By providing CIRCL with relevant data, including “honeytokens” (i.e. pieces of false data designed to attract and deceive cybercriminals), organisations can significantly enhance their ability to prevent future attacks.
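The honeytoken idea described above, and the early-detection monitoring mentioned earlier, as an added example that is not part of the original article and is not CIRCL's or LHC's tooling: a Python script that mints a decoy credential, seeds it with a label saying where it was planted, and then scans log lines for that credential either verbatim or base64-encoded as a whole. Because a honeytoken is never used legitimately, every sighting is a true positive. The "HT-" prefix, the decoy file name, the log format and the log lines are all constructed for this example.

```python
"""Seed honeytokens and detect their use in logs (added example, not the article's code)."""
import base64
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    value: str       # the decoy secret itself
    planted_in: str  # where it was seeded (constructed label, e.g. a decoy export file)


def make_honeytoken(planted_in: str) -> Honeytoken:
    """Mint a decoy credential. The 'HT-' prefix is a convention invented for
    this example; the 128-bit random suffix makes collisions with real
    credentials or ordinary log text negligible, so any sighting is a true positive."""
    return Honeytoken(value=f"HT-{secrets.token_hex(16)}", planted_in=planted_in)


def token_forms(value: str) -> set[str]:
    """Forms in which a leaked token may surface: verbatim, or base64-encoded as
    a whole (e.g. inside an HTTP Basic/Bearer header). Only whole-value base64 is
    covered; a token embedded mid-stream would encode differently."""
    return {value, base64.b64encode(value.encode()).decode()}


@dataclass(frozen=True)
class Alert:
    token: Honeytoken
    line_no: int
    line: str


def scan_logs(tokens: list[Honeytoken], lines: list[str]) -> list[Alert]:
    """Return one Alert per log line that contains any seeded honeytoken.
    Since the tokens have no legitimate use, a hit means the decoy data was
    accessed or exfiltrated and is now being tried against the system."""
    index = {form: tok for tok in tokens for form in token_forms(tok.value)}
    alerts = []
    for line_no, line in enumerate(lines, start=1):
        for form, tok in index.items():
            if form in line:
                alerts.append(Alert(token=tok, line_no=line_no, line=line))
                break  # one alert per line is enough
    return alerts


def summarise(alerts: list[Alert]) -> dict[str, int]:
    """Count sightings per planted location, to tell which decoy was taken."""
    counts: dict[str, int] = {}
    for a in alerts:
        counts[a.token.planted_in] = counts.get(a.token.planted_in, 0) + 1
    return counts


# Constructed demo data: a fixed token value (a real deployment would use
# make_honeytoken) and four invented log lines in a made-up format.
DEMO_TOKEN = Honeytoken("HT-0123456789abcdef0123456789abcdef", "decoy-policyholders-export.csv")
DEMO_LOGS = [
    "2025-01-20T09:12:01Z auth ok user=alice key=AK-legit-example-value",
    f"2025-01-20T09:12:07Z auth fail ip=203.0.113.5 key={DEMO_TOKEN.value}",
    "2025-01-20T09:13:02Z http GET /api/v1/policies authz=Bearer "
    + base64.b64encode(DEMO_TOKEN.value.encode()).decode(),
    "2025-01-20T09:14:30Z auth ok user=bob key=AK-legit-example-value",
]

if __name__ == "__main__":
    found = scan_logs([DEMO_TOKEN], DEMO_LOGS)
    for alert in found:
        print(f"ALERT line {alert.line_no}: decoy from {alert.token.planted_in} used: {alert.line}")
    print(summarise(found))
```

In practice the alerting side of this is wired into the existing monitoring pipeline, and the per-location summary is what tells the responder which decoy (and therefore which data set) was taken, which is the information worth sharing with CIRCL.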

Solutions developed by external service providers can help to isolate critical data from vulnerable systems, to provide immutable copies for recovery, and to securely sanitise and restore data in the event of an attack.

Another valuable, though often debated, option involves testing a company’s cyber resilience by engaging ethical, or white-hat, hackers to proactively identify vulnerable points before attackers can exploit them.

The entry into application of DORA on 17 January 2025 plays a fundamental role in enforcing cybersecurity and digital operational resilience standards across financial entities, including in the insurance sector. Ensuring compliance with DORA and adhering to its five pillars of resilience will significantly mitigate cyber threats.

In cases where the victim subscribed to a cyber insurance policy, the insurer shall be notified promptly about the incident and will be able to assist without undue delay. Cyber insurers often provide access to specialised response teams that assist with containment, investigation, and recovery. Engaging a team of specialists, including legal and IT security experts, as well as communication professionals, will help minimise risks and mitigate potential damage effectively.

The cyber insurance market is rapidly growing, and a well-chosen policy can provide financial protection, risk management support, and compliance opportunities.

Once an attack is identified, the (not so) obvious first step is to stay calm and focused in order to then activate the incident response plan, ensuring a coordinated and effective response and containing the breach.

Conducting a thorough fact-finding process and assessing the affected assets will further help to understand the extent of the breach and, if necessary, to proceed to an asset search.

One of the key challenges in cyber incident management is balancing the need to restore operations with the need to preserve forensic evidence. Companies must carefully navigate this trade-off to maintain business continuity while identifying the root cause of the attack.

In addition to lodging a criminal complaint with the competent authorities, organisations must also file a report on major ICT incidents with the Commissariat aux Assurances (CAA), as required under DORA.

Contractual arrangements should also be reviewed to assess whether there have been any violations of confidentiality commitments, in the event that these exceed the professional secrecy obligations provided by law.

If personal data has been compromised, the provisions of the General Data Protection Regulation (GDPR) come into play. Provided that the insurance company is the controller of the compromised data, the breach will have to be recorded internally in a data breach register. Furthermore, the National Commission for Data Protection (CNPD) must be informed without undue delay and no later than 72 hours after having become aware of the breach if it presents a risk to the rights and freedoms of natural persons. If said risk is high, the affected data subjects must also receive notice of the incident without delay, such notices ideally having been prepared in collaboration with communication experts.

Every cyberattack presents an opportunity to strengthen defences. Conducting forensic investigations to understand the modus operandi of cybercriminals enables companies to enhance their security measures and reduce the risk of future incidents.

A well-defined response plan should strike a balance between internal management and third-party expertise, ensuring an effective and agile approach to cyber threats, which are increasingly frequent.

Finally, maintaining a clear understanding of the evolving regulatory requirements is essential for sustained compliance in an ever-changing legal landscape.


[1] “1,173 cyber attacks per week in Luxembourg”, News article, Delano.lu, 30 July 2024
