Cyber insurance: what can it be used for?

While large companies are now asking themselves whether to take out insurance for their cyber risks, ETIs (mid-sized companies) do not have the same options for finding alternative solutions. Especially since the professional liability cover of business leaders no longer includes cyber: if there is a claim, the company manager's own assets may be at stake. So what is the benefit for a mid-market company of taking out cyber insurance? This conference, organized as part of Ready For IT, brought together Philippe Loudenot, Cyber Security Delegate, Pays de la Loire Regional Council and CESIN administrator; Marc-Henri Boydron, Founder of Cyber-Cover; and Gabriel Leperlier, Partner – Director RCMP/IPC & International, Almond.

By way of introduction, Philippe Loudenot explains that it is only when disaster strikes that one remembers what should be done in the event of an attack, and by then of course it is too late. He echoes the maxim of his father-in-law, a former employee of an insurance company: "insurers are very nice people who lend an umbrella when the weather is nice and take it back when the storm comes!" Today all businesses are under cyber threat and the big question is how to protect against attacks. For Gabriel Leperlier, "actually the right question is to know how to protect yourself by taking measures that will ensure that in the event of an attack there is no spread. But also that we can quickly detect and counter attacks."

Insurers assess the risks by taking stock of the IS

Marc-Henri Boydron considers that insurance companies try to analyze the cyber maturity of companies and to estimate the financial impact of an incident. The latter is most often estimated by considering both visible and invisible costs. The visible costs are restoration, the legal side (RGPD), remediation with a reinforcement of cyber defenses, and so on, as well as the possible payment of a ransom when the backups themselves have been corrupted. Among the invisible costs are the loss of turnover, the operating costs of standing up a temporary infrastructure, the loss of customers, the loss of image, the loss of intellectual property, but also legal costs in the event of damage to a third party.

Because of this increase and the resulting costs, insurance companies have removed cyber risk from their contracts. This is not surprising, considers Philippe Loudenot, explaining that in the regions we have "the rule of two": two hours to be hacked, two months to partially restore services and two years to return to the initial level.

Insurers no longer want to insure companies whose turnover exceeds €50 million

Marc-Henri Boydron recalls that the loss ratio went from €87m in 2019 to €217m in 2020; the loss/premium ratio thus increased by 167% over the same period. As a result, for the companies discussed here, the talk today is of insuring residual risks rather than trying to insure everything. Insurance companies are currently losing money on cyber risk, so they are increasingly refusing to insure companies: they insure organizations with up to €50 million in turnover, but much more rarely above that. Companies currently pay insurers very high premiums, and companies that have not deployed two-factor authentication see their cyber insurance contract refused.

Gabriel Leperlier explains that he advises companies to set up EDR/XDR-type detection systems and backups, and to recruit real CISOs. They must also run crisis exercises whose impact stays very close to a real crisis, including, for example, simulated telephone calls from fake hackers. Indeed, he reports that attackers sometimes have their hands on the telephony as well, know exactly what the teams are saying to each other, and have information on the money available. Beyond €50 million in turnover, companies must put together a file with all the available information, especially since insurers use scoring tools to assess whether or not they can insure a company. Among the prerequisites are an awareness component with phishing simulations, and knowledge of the patching level, which must be under 15 days according to ANSSI recommendations. Insurers will also look at the obsolescence of the machines and, in some cases, whether isolation measures have been taken. They also look at the deployment of EDR and XDR solutions and the management of Active Directory, in particular its hardening. The last point analyzed is the disconnected (offline) backup policy.
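To make the insurer's checklist above concrete, here is an added example (not code from the conference, Cyber-Cover or Almond) that scores a constructed asset inventory against the criteria named in the text: patch age against the 15-day ANSSI threshold, EDR/XDR coverage, OS obsolescence, MFA, and an offline backup policy. Host names, dates and the blocking/non-blocking weighting are assumptions made for the illustration.

```python
from datetime import date

# Constructed sample inventory (not real hosts) mirroring what an insurer's
# scoring questionnaire asks about, per the criteria listed in the article.
ASSESSMENT_DATE = date(2023, 6, 30)   # assumed reference date

ASSETS = [
    {"host": "srv-ad-01",   "last_patch": date(2023, 6, 20), "edr": True,  "mfa": True,  "eol_os": False},
    {"host": "srv-file-02", "last_patch": date(2023, 5, 10), "edr": True,  "mfa": True,  "eol_os": False},
    {"host": "ws-legacy-7", "last_patch": date(2023, 1, 15), "edr": False, "mfa": False, "eol_os": True},
]
ORG = {"offline_backup": False, "phishing_simulation": True, "crisis_exercise": True, "ciso": True}

PATCH_SLA_DAYS = 15  # ANSSI guidance cited in the article

def patch_age(asset, today=ASSESSMENT_DATE):
    """Days since the asset was last patched, relative to the assessment date."""
    return (today - asset["last_patch"]).days

def score(assets, org, today=ASSESSMENT_DATE):
    """Return (insurable, findings). Each finding names a criterion the
    insurer would flag; missing MFA or offline backups is treated as blocking
    (an assumed weighting, reflecting the refusals the article describes)."""
    findings = []
    for a in assets:
        age = patch_age(a, today)
        if age > PATCH_SLA_DAYS:
            findings.append(f"{a['host']}: patched {age} days ago (> {PATCH_SLA_DAYS})")
        if not a["edr"]:
            findings.append(f"{a['host']}: no EDR/XDR agent")
        if a["eol_os"]:
            findings.append(f"{a['host']}: obsolete OS")
    if not all(a["mfa"] for a in assets):
        findings.append("MFA not deployed on every asset (blocking)")
    if not org["offline_backup"]:
        findings.append("no disconnected backup policy (blocking)")
    for key in ("phishing_simulation", "crisis_exercise", "ciso"):
        if not org[key]:
            findings.append(f"missing {key}")
    blocking = any("(blocking)" in f for f in findings)
    return (not blocking, findings)

if __name__ == "__main__":
    ok, findings = score(ASSETS, ORG)
    print("insurable" if ok else "likely refused")
    for f in findings:
        print(" -", f)
```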

Philippe Loudenot asks what coverage a company can expect from insurance, and whether there are European directives on the subject.

In France, recalls Marc-Henri Boydron, there must be harmonization between insurers: once an insurer has decided to cover a company, it has accepted the risk.

Banks, too, are starting to assess their clients' cyber risk and are turning to companies like Almond to check their clients' level of cybersecurity.

For SMEs and ETIs, all insurance contracts cover assistance in the event of an attack. A prevention component is also needed, since insurers keep watch on new solutions, concludes Marc-Henri Boydron.
