From the “loan to the big adventure” through major innovations, insurance has made it possible to deal with hazards that have a financial and human cost.
The development of new technologies, like every innovation produced by technical progress, is a source of risks whose occurrence is uncertain. Insurance therefore has a role to play in this area. With the transformation brought about by digitalization, a growing part of companies' information capital relies on computer systems that face increasingly sophisticated cyber attacks.
However, cyber insurance is not yet unanimously accepted. Reluctance stems from the fact that it can expose the insurer to catastrophic financial losses, since the insurer may have to compensate a large number of policyholders who are victims of the same event. As an example, the WannaCry cyberattack affected more than 300,000 computers in over 150 countries. Moreover, it is difficult to identify the author and the origin of the incident (terrorist, accident…).
On the policyholder side, the sources and causes of attacks are not yet well known, so people don’t necessarily think about taking out cyber insurance.
What does cyber risk include?
It is a malicious attack on the availability, integrity or traceability of a computer system. Cyber risk evolves at the pace of computer and electronic technologies. It can result in damage to reputation, sabotage, theft of confidential data (espionage)…
Security measures can be put in place to prevent risks from materializing. But if this prevention is not enough to stop them from happening, insurance can guarantee the coverage of certain costs so that activities can resume as soon as possible.
The health crisis has been a boon for cyberattackers due to the increase in working from home in particular. Phishing remains the biggest source of attack (73% according to the CESIN 2022 barometer).
In 2020, the FBI identified $4.2 billion (compared to $3.5 billion in 2019) in losses due to computer attacks. This is a real financial issue for every organization. While implementing security measures is already expensive, a cyber attack can cause considerable losses for the victims. To limit the financial damage, taking out cyber insurance can be a solution: the insurance is there to cover the hazard that prevention could not avoid.
What are the financial impacts of a cyber attack?
Direct and indirect costs impact companies following a cyber attack:
- Technical investigations
- Intrusion notification
- Regulatory compliance
- Legal fees and court costs
- Post-incident customer data security
- Public relations
- Cybersecurity enhancements
- Increased insurance premiums
- Increased cost of debt
- Impacts related to business disruption or interruption
- Revenue erosion due to loss of customer contracts
- Impairment of brand value
- Loss of intellectual property
- Loss of customer confidence
First of all, you need to know what to cover. Companies must carry out a risk mapping. This method allows them to analyze the vulnerabilities resulting from their own activities and from their environment (subcontractors, customers, etc.).
What are the guarantees provided by insurance today?
- Property damage contracts.
An attack can have damaging consequences for computer equipment. The insurance can cover the replacement of the affected hardware and software. It can also cover data loss: reconstitution of the lost data on the basis of the last backup. However, policies may exclude such a restoration if no backup measures have been taken to allow the data to be recovered.
There are also ancillary costs generated by the loss that are specific to cyber attacks and are covered by these insurance policies:
- The cost of identifying the malicious damage
- Decontamination costs
- Costs of services provided by crisis management service companies
- Liability contracts
They cover the financial consequences, including defence costs, borne by the person responsible towards his or her company or towards third parties as a result of non-compliance with obligations or of any management fault.
What can be covered:
- Accidental transmission of a virus to a third party
- Violation of personal and confidential data
- Contractual responsibilities
- Defense costs
Then, additional coverage related to cyber incidents:
- Public communication costs
- The costs of notifying the victims of incidents
- Costs of administrative investigations by the CNIL or ANSSI
A third category of traditional contracts concerns fraudulent acts such as embezzlement, swindling, forgery or use of forgeries, counterfeiting and theft. For example, false transfer orders (so-called president fraud, or CEO fraud) that are facilitated by malicious software in the computer system are still covered by this type of contract.
Traditional policies can therefore always be used in addition to specific cyber insurance.
Cyber insurance contracts
The traditional policies seen above can be called “silent cyber” or “silent cover” insofar as they cover computer-related losses even though such losses were not initially intended to be covered. This is due to their broad definitions or to the absence of an exclusion clause.
European regulations (GDPR, or RGPD in French), European directives (NIS) and national laws (the French IT and liberties law, the military programming law) introduce cybersecurity obligations for organizations and sanction non-performance or non-compliance. Full-fledged cyber insurance contracts therefore guarantee new services:
- Crisis or incident management guarantees
- Liability coverage (defense, damage caused to third parties, etc.)
- Guarantees of the costs generated by the attack (repair of the infected system)
- Guarantees of operating losses
- Guarantees of personal data violation costs
- Guarantees of administrative investigations
- Guarantees of notification costs
- Guarantees for defense costs
- Forensic cost coverage (forensic analysis)
On the other hand, does the insurance cover a deliberate failure of the insured to prevent computer risks? Or does it cover the administrative fines generated by the failure to comply with an obligation (GDPR)?
The exclusions of guarantees
Insurance will cover a failure to activate a burglar or fire alarm system. But it does not apply if the person responsible has not installed any device at all: these are security obligations incumbent upon them. The same logic applies to cyber security measures.
The issue for insurers is to adapt their exclusion clauses. In the United States, a court ruled in favor of the pharmaceutical laboratory MSD (Merck Sharp & Dohme). The laboratory had been hit by the NotPetya ransomware in 2017, and the group had been the victim of an incident estimated at more than 1.4 billion dollars. The insurer, Ace American, asserted an exclusion clause, which was deemed inapplicable in this case on the basis of the ordinary meaning of the exclusion language. This decision will undoubtedly lead French insurers to show adaptability and motivate victims to sue insurers.
Two issues remain for administrative sanctions and ransom coverage.
- Administrative penalties
A criminal sanction must remain a deterrent and must not be covered by insurers. This is contrary to public order and the principle of individuality of penalties.
However, while insurance must not run counter to criminal sanctions, the question arises as to the quasi-criminal legal nature of administrative sanctions. The latter can be insured, even if this remains legally debatable. Indeed, criminal fines are pronounced by the criminal courts and are not insurable. On the other hand, administrative fines pronounced by administrative authorities are covered by certain insurance companies. The punitive role of the sanction is therefore called into question. However, the intentional or fraudulent fault of the insured constitutes a legal cause of exclusion of insurance liability (art. L 113-1 of the insurance code), since the hazard disappears.
Malicious actors in the cyber world break into computer systems to encrypt data and release it only in exchange for a ransom. Outside the IT field, authorities refuse to pay any ransom because doing so would incite kidnapping and encourage kidnappers to abduct people. The same is true for ransomware: paying fuels the practice and makes it worse. However, there are insurance policies on the market that cover the ransom money.
Taking out cyber insurance can be expensive. But remember that the occurrence of a cyber risk can cause a business disruption or, worse, a total shutdown. Even where recovery costs are not high, the loss of data and the damage to reputation are major impediments to a normal return to business.
However, there is a real awareness: in 2020, 70% of companies had taken out cyber insurance.
Cyber attacks are increasingly frequent and spare no sector of activity. The risks remain poorly known and are constantly changing. This is why insurance is an instrument of cyber resilience that should not be overlooked.
You need to make sure you complete your cybersecurity arsenal: thinking about insurance is not a bad idea. Also think about compliance, so that your guarantees actually apply!