New-style cyber insurance policy models on the rise

Regardless of geography or business sector, many groups and companies have taken out cybersecurity insurance policies in recent years. These policies cover companies against new threats to information systems, including ransomware and data theft incidents that have been making the headlines.

For a long time, the risks identified in these policies were on the borderline between IT incidents and cybersecurity. However, the new insurance models now focus more specifically on cyber threats, such as an intrusion that results in the encryption of all data by ransomware or large-scale data theft.

A growing risk that is increasingly well insured

A recent Risk Management Association (AMRAE) study found that the cost of cybersecurity claims in France alone tripled to €217m between 2019 and 2020, demonstrating a substantial increase in this risk. Indeed, in recent years, we have seen more companies take out cyber risk cover as a matter of routine due to the multiplicity of attacks.

These cyber insurance policies make it possible for companies who are victims of attacks to cover various costs, including immediate expert assistance with post-incident digital investigations to identify attack patterns and the impact on the information system, as well as help with appropriate communication to partners and customers once an attack has been detected.

There is also financial cover if equipment has to be acquired to replace storage or workstations compromised during the attack, since investigations can require these systems to be preserved in their existing state for a prolonged period. In addition, policies cover all or part of the financial losses, as well as the cost of notifying the people and bodies affected, such as clients and regulators, particularly in the case of personal data theft.

Risks accepted versus the realities of the business

Of course, taking out such insurance must be linked to the risks borne by the company and its capacity to handle this threat, whether through technical projects or the implementation of cybersecurity governance. As with any insurance policy, it is customary to identify the threats to be covered by insurance and those to be covered internally through technical and organisational measures. Equally, it is customary to identify the threats that will be ignored, such as those affecting systems, applications and environments due for decommissioning within a few months, or those for which the risks cannot be reduced because of the complexity of their maintenance, such as high technical debt or incompatibility.

Following this risk analysis, the company should identify the threats it wishes to have covered by a third party, ensuring that the premiums paid and the associated policy protect the potential loss.

The insurer may also require the company to implement a set of cyber practices based, for instance, on government IT hygiene recommendations, to ensure that at least the basics of cyber security are put in place. Also, while some insurance companies previously covered ransom payments following an attack in their policies, such cover is becoming less available. More broadly, while new insurance models now focus more specifically on cyber threats, it is essential that companies carry out a thorough cyber risk analysis to identify the risks and challenges before concluding a policy. This will help ensure that insurance cover is specifically tailored to the company and its needs. Finally, careful evaluation of the resources and cover available under the contract can help obtain the most favourable level of guarantee.