Bénédicte d’Allard
Senior Manager – Arendt Regulatory & Consulting
Article written by Arendt & Medernach as part of the sponsorship of ACA Insurance Days 2023, whose content is the sole responsibility of its author.
The financial sector has recently faced turbulent times in the form of pandemics and geopolitical conflicts, which have accelerated digitalisation and, consequently, increased cyber risks, particularly for the (re)insurance industry.
In October 2021, as part of European Cybersecurity Month, the European Insurance and Occupational Pensions Authority (EIOPA) stressed that insurers are a natural target for cyberattacks due to the fact that they hold substantial amounts of protected and sensitive personal information(1). More recently, following the Russian invasion of Ukraine, the Commissariat aux Assurances (CAA) published an information note for the attention of all entities under its supervision in which it emphasised the need to reinforce “cautionary measures related to IT security (against cyber attacks)” (2).
As digitalisation is inevitable, and as cyber threats are likely to increase and become more sophisticated over time, the insurance industry, alongside the rest of the financial industry, must ensure that it is protected by strong digital operational resilience. The publication of the Digital Operational Resilience Act (DORA) by the European Commission is a direct response to this need, and it will apply to the vast majority of (re)insurance stakeholders.
DORA entered into force on 16 January 2023 and will apply from 17 January 2025. Its objective is to create an EU-level framework on digital operational resilience, whereby all EU financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. This includes cyberattacks and all other forms of ICT-related incidents.
The five pillars of resilience
Financial entities will have to comply with the five pillars of resilience enshrined in DORA:
Additional policy products (DORA level 2)
The three relevant European Supervisory Authorities (EBA, EIOPA and ESMA, together the ESAs) have been mandated to jointly develop several policy instruments in two successive batches: 8 Regulatory Technical Standards (RTS), 2 Implementing Technical Standards (ITS) and 2 sets of guidelines are planned for release. These technical standards aim to establish a sufficiently detailed and harmonised legal framework that complements the five DORA pillars.
On 17 January 2024, the ESAs published the first set of final rules on ICT and third-party risk management and on incident reporting frameworks, following a public consultation that ran until 11 September 2023 and yielded 420 responses from market participants. The second batch is currently the subject of a public consultation that will continue until 4 March 2024, with final publication on 17 July 2024.
Fines for non-compliance
DORA itself does not provide for fines in the event of failure to comply with the regulation, instead leaving EU Member States the freedom to determine “effective, proportionate and dissuasive” administrative penalties and remedial measures. However, Luxembourg bill of law 8291 implementing DORA, published in August 2023, states that (i) the CAA is the competent authority in Luxembourg with supervisory power to monitor the application of DORA by concerned entities, and that (ii) administrative fines for non-compliance with DORA may reach up to EUR 5,000,000 with regard to natural persons and up to EUR 5,000,000 or up to 10% of total annual turnover with regard to legal entities(3).
Admittedly, (re)insurers are not starting with a blank slate when creating their ICT risk management framework. (Re)insurers should already have a framework in place that establishes risk-based ICT risk management measures partially in line with DORA, the Solvency II Directive, the EIOPA Guidelines on information and communication technology security and governance(4), and other national initiatives(5). Nevertheless, the clock is ticking, and DORA implementation is an essential item on the agenda for (re)insurance companies when considering their main operational transformation projects in 2024. Given its numerous and burdensome requirements, deciphering and implementing DORA will give rise to a significant workload for (re)insurers.
Firstly, carrying out a gap analysis is a vital step to lay solid foundations for the DORA compliance project. Secondly, as part of their plan, (re)insurers will need to (i) conduct an in-depth review of their ICT policies, procedures and tools so as to adequately cover the 20 mandatory topics(6) and to prepare for the new reporting requirements (e.g. major ICT-related incidents), and (ii) map all their ICT assets and ICT third-party service providers, so as to classify them according to their criticality and to align the corresponding agreements, risk assessments, due diligence and monitoring with the list of requirements under DORA.
Footnotes:
Authors:
Bénédicte d’Allard is a Senior Manager at Arendt Regulatory & Consulting SA.
Bénédicte began her career in 2004 as a financial analyst in the equity research department of a major investment bank in Paris. She then worked for different consultancy firms, acquiring extensive experience in the fields of regulatory compliance, organisation and process optimisation within financial services.
Since her arrival at ARC in 2014, Bénédicte has been particularly involved in the set-up and reorganisation of regulated entities in Luxembourg (in particular investment fund managers, investment firms and specialised professionals of the financial sector). She helps these clients improve their internal governance and comply with applicable laws and regulations (e.g. MiFID II).
Specialising in data protection matters in the broadest sense, Bénédicte has assisted numerous clients from financial and non-financial sectors with data protection concerns (e.g. personal data protection and operational resilience). She also serves as an external Data Protection Officer for several companies.
Bénédicte is a speaker in various training programmes offered by Arendt Institute (GDPR, DORA, MiFID II), and is a member of ALFI’s data protection working group.
Bénédicte is a graduate of the ESCP-EAP business school in Paris, and is CIPM certified (Certified Information Privacy Manager) by the IAPP.
Languages: English, French.
Pierre-Michaël de Waersegger is a Partner in the Insurance & Reinsurance Law practice and the Banking & Financial Services practice.
Pierre-Michaël assists insurance and reinsurance companies, as well as banks and professionals of the financial sector, regarding all Luxembourg legal and regulatory aspects of their activities. This includes licensing requirements, capitalisation opportunities, merger and acquisition transactions, and the development of new products and services.
His expertise includes advising on the implementation of AML/CTF, MIFID, PSD, CRD, Solvency II and IDD regulations, the drafting and review of contractual documentation as well as contacts with the regulators.
Pierre-Michaël’s expertise also encompasses legal advice on insurance products for financial institutions, investments companies and any other type of company having a need for insurance products.
He has been a member of the Luxembourg Bar since 2009 and was also a member of the Brussels Bar (Belgium) until 2013.
Pierre-Michaël sits on the board of various Luxembourg insurance and reinsurance companies, as well as on the board of the Association Luxembourgeoise des Fonds de Pension (ALFP). He is also the legal representative in Luxembourg of Lloyd’s Insurance Company.
Pierre-Michaël de Waersegger holds a Master’s degree in law from the Université Catholique de Louvain (Belgium) as well as a Master of Laws degree (LL.M.) in European law from the Institut des Etudes Européennes (Belgium).
Languages: English, French.
Emmanuelle Mousel is a Partner in the Insurance & Reinsurance and Banking & Financial Services practices of Arendt & Medernach.
Emmanuelle advises banks, investment firms and other financial sector professionals, as well as payment service providers, insurance and reinsurance undertakings, insurance intermediaries and insurance sector professionals on regulatory, civil, commercial and insolvency law matters. Her areas of special expertise include licensing requirements, mergers and acquisitions, drafting and review of contractual and business documentation, as well as issues pertaining to anti-money laundering and anti-terrorism financing measures. She also advises on questions relating to pension funds.
In addition, Emmanuelle assists institutional clients with criminal and regulatory investigations and litigation cases. She has received high praise for her work as an attorney in finance litigation.
Emmanuelle has further developed proficient knowledge and expertise in environmental, social and governance (ESG) matters and regularly advises clients on any requirements deriving therefrom, including disclosure, risk management, product governance as well as organizational and conduct of business rules.
Emmanuelle has been a member of the Luxembourg Bar since 2012 and joined Arendt & Medernach in the same year.
She holds a Master’s degree in Law from the Université Libre de Bruxelles (Belgium) as well as a Master of Laws (LL.M.) in Corporate and Securities Law from the London School of Economics (United Kingdom).
Emmanuelle is a member of the board of directors of the Institut Luxembourgeois des Administrateurs (ILA). She is also a member of the Association Luxembourgeoise des Juristes de Droit Bancaire (ALJB) and participates in various working groups within the Association des Banques et Banquiers, Luxembourg (ABBL) and the Association des Compagnies d’Assurances et de Réassurances du Grand-Duché de Luxembourg (ACA).
Emmanuelle further facilitates professional training programs within Arendt Institute.
Languages: English, French, German, Luxembourgish, reading knowledge of Dutch.
Astrid Wagner is a Partner in the IP, Communication & Technology practice area of Arendt & Medernach.
She is in charge of specialised areas of the law such as data protection and privacy questions, e-commerce and distance contracts, consumer protection, IT and outsourcing issues, the full spectrum of IP rights (trademarks, patents, designs and copyright), media and telecommunications, advertising, unfair competition and product regulation.
Astrid also handles corporate law matters, advising operational companies on their establishment in Luxembourg (including required licences) and multinational companies on the structuring and financing of domestic and cross-border transactions and corporate reorganisations.
Astrid has been a member of the Luxembourg Bar since 2005.
She is a member of the International Trademark Association (INTA), of the German Association for the Protection of Intellectual Property (GRUR) and of the International Association for the Protection of Intellectual Property (AIPPI).
Before joining Arendt & Medernach in 2007, she worked for two years as a lawyer in Luxembourg where her practice focused on commercial and corporate litigation.
She holds a Master’s degree in law as well as a DESS degree in comparative law from the Université de Droit, d’Economie et des Sciences d’Aix-Marseille III (France).
Languages: English, French, German, Luxembourgish.
Find out more:
Cybersecurity & Information Protection > https://www.arendt.com/jcms/p_62117
Insurance & Reinsurance Law practice > https://bit.ly/ArendtInsurLaw