Should we be wary of Cyber Insurance
Today we are entering a context where the computer threat becomes an evil of our daily lives.
Especially ransomware. As a result, cybersecurity is a necessity. Next to it are cyber insurance that is in full development. Yet there are several questions. Are these cyber insurances worth it?
This article will also interest you: Promutuel and Cybersecurity: An Insurance Issue
It is not uncommon for authorities in some states to often push organizations to insure against computer attacks, however in 2017, a situation will call into question the credibility of this cyber insurance. The year in question, a company specializing in agribusiness known to the sector victim of a ransomware computer attack, precisely the famous NotPetya. More than 22,000 company workstations and 1,700 servers were permanently affected. The company then turned to its insurance company, the Zurich American Insurance Company, for compensation that could have reached $100 million.
Based on a statement from the U.S. government, the insurance company found an excuse not to compensate him. The reason given by the insurance at the time would have been the fact that the U.S. government had declared the NotPetya cyberattack to be a declaration of war, whereas this circumstance did not fall into the cases covered by the police according to the company. The agri-food company had no choice but to take legal action against its insurer.The case is still ongoing, but the situation is likely to raise questions about the true functioning of cyber insurance. Especially at a time when we find that companies are still plagued by Ransomware.
Unfortunately, this type of case is not isolated. In Britain for example, DLA Piper, the largest law firm is in dispute with his insurance company for asking a compensation issue.
Faced with this situation, several lessons can be learned. The first and most important is to give great consideration and attention to the contract at the conclusion. The second point will be the interpretation of situations of cyberattacks.
In principle, cyber insurance is taken "in addition to liability insurance, but it is difficult to see where liability insurance ends and cyber insurance begins. Contracts remain full of sock-traps, it is essential to read your contract well and always place yourself in the condition of the worst: the RSSI and the legal department must analyze the contract together in detail. says Aurélia Delfosse, a consultant at Advens, a company that provides IT security services.
However, in France, it is clear that the dispute between insurance companies and their customers is quite rare. This is what Matthieu Bennasar, Director of Operations at Harmonie Technology, describes: "Based on the figures of one of the three largest players in the French market, I estimate that we are currently at less than a hundred claims reported per year. It's very weak and I haven't had to my knowledge of any disputes between policyholders and insurers over a cyber attack."
"Cyber insurance is part of a broader it security approach and intervenes to cover residual risk. This means, in particular, that certain prerequisites are required and requested to cover a company against cyber threats. While the first insurance company questionnaires were extremely detailed and complex, they were simplified. Among the prerequisites for signing a cyber contract are the existence of weekly externalized backups of company data, an assessment of the number and nature of the sensitive data collected and held by the company – personal, medical, banking data… The limitation of admin privileges and finally the use and updating on all computer devices, servers and networks of the company of anti-virus, anti-malware software… In other words, it is now quite simple for a company to meet these requirements. Marie Waltisperger, the founder of cyberpro'assur
Matthieu Bennasar, Chief Operating Officer at Harmonie Technology, said: "Insurance is a good way to transfer risk to an insurer, especially for a small business, but this insurance should not anesthetize the company with regard to cybersecurity. After the flash diagnostic phase and the signing of the contract, the insurer must accompany the company in improving its level of safety, in a logic of prevention. In addition to its insurance policy, the insurer will provide services to increase the level of maturity of its client and thus decrease the level of risk. Together with some of our insurance partners, we provide access to the Risk-Me platform on which employees will be made aware of cybersecurity issues, test their maturity with respect to the RGPD and cybersecurity, etc."
Now access an unlimited number of passwords:
