SMEs and ETIs have an interest in equipping themselves with belts and suspenders to obtain insurance protecting them in the event of cyberattacks. At a time when hacker attacks against companies are on the increase, insurers are being vigilant before granting this cover.
“Only companies that have invested in IT security on protection tools will be able to insure themselves,” warns the general manager of AIG in France, Christophe Zaniewski. However, “basic security procedures are still very little implemented by SMEs,” laments this long-standing market player.
Compensation for losses
SMEs and ETIs are indeed still very poorly covered against hacker attacks. Statistics are lacking, but barely 8% of ETIs and less than 1% of SMEs had cyber insurance in 2020, according to estimates by the Association for the Management of Risks and Insurance of the Company (AMRAE), cited at the end of last year by an official from Bercy.
Worried about the vulnerability of companies, the State promised in 2021 an action plan to encourage the development of this insurance. But “we cannot today insure people who do not do the minimum to protect themselves”, warns Nicolas Kaddeche, at the insurer Hiscox France.
Struggling to understand cyber risk, which is still new and rapidly evolving, insurers fear having to pay dearly in the event of cyberattacks. The bill can climb quickly because the policies do not only entitle companies to technical assistance to get their computer systems back on track. They can also compensate for the financial losses caused by the paralysis of a company for days or even weeks.
Chastened by the cost of major attacks, insurers are increasing rates and limiting their risk taking. This is the case of Hiscox France: “We have decided to be more selective and to strongly restrict the subscription of companies with more than 100 million in turnover,” explains Nicolas Kaddeche. “For ETIs, it becomes very complicated to obtain cyber insurance,” notes broker Antoine Giacomotto at Ageo Assurances.
In any case, those who manage to sign a contract have had to prove their credentials, by answering a series of questions about their security in advance and by demonstrating that they have taken protective measures, with backups, double identity verification systems to access the computer system, etc.
“We have a lot of requests from brokers asking us to do an upstream audit to help their clients obtain cyber insurance. Including for SMEs and ETIs,” confirms Thibault Carré, at cybersecurity expert Inquest (Stelliant Group).
The requirements of insurers sometimes make people wince. “The requirements of large companies are unsuited to the context of the greatest number of ETIs and SMEs, with disproportionate requests for compliance,” says Alain Conrard, president of the digital commission of the Movement of Intermediate-Sized Companies (Meti). “It is not within the reach of all companies,” he notes, pleading for insurers to “adapt the specifications” and saying he is convinced that their positions will evolve.
“The problem is that traditional insurers do not offer technical support,” argues Jules Veyrat, founder of the specialist broker Stoïk, an insurtech which raised 3.8 million euros at the start of the year. A partner of the very young insurer Acheel, the start-up offers to cover VSEs and SMEs after having “scanned” their computer security remotely using software.
Other players play down the height of the step to be climbed in order to get insured, especially for ETIs. “For the moment, there is nothing insurmountable,” assures Jean-Philippe Pagès, director at the insurance broker Bessé. “In a few months, an ETI can establish the diagnosis of its vulnerabilities and its maturity in cyber security and then implement very concrete governance and risk prevention actions that will allow it to insure itself,” he indicates.
However, the upgrade required depends a lot on the size of the company. “For companies with up to 10 million in turnover, there are insurance solutions with a minimum of IT hygiene, and the underwriting procedures are relatively simplified. Beyond that, insurers become more demanding,” notes Didier Seigneur, vice-president of the broker CRF Assurances.
A cost to put into perspective
Small businesses may be reluctant to spend money on cyber security upgrades and cyber insurance. “If you have all the necessary protective measures in place – antispam, antivirus, offline backup, etc. – and if you make sure, all of this amounts for a VSE to two days of annual turnover the first year and one day of turnover thereafter,” says Marc Bothorel, cybersecurity representative of the National Confederation of Small and Medium Enterprises.
He himself heads a small IT company in Essonne, Starware Micro Services (700,000 euros in turnover); his cyber policy costs him 600 euros per year, against 1,400 euros for his professional civil liability. “It’s nothing, not even the cost of a day’s work for one of my engineers,” he says. “I have only one piece of advice: take your protective measures today in the tense international context, because tomorrow will be too late,” he insists.
Cyber threat perceived as high with the war in Ukraine
The war in Ukraine and the current situation of geopolitical uncertainty are rekindling business concerns about an aggravation of the cyber threat. According to a survey published at the end of May by the Club of Experts in Information and Digital Security (Cesin) and carried out by OpinionWay among 300 SMEs and ETIs with more than 15 million euros in turnover, 59% of them “fear an upsurge in cyberattacks”. This is more particularly the case for ETIs and SMEs with more than 100 million euros in turnover. Among the companies surveyed, 45% have strengthened their cybersecurity system since the start of the conflict, or are in the process of doing so.