Cyber Insurance: Which models for which policies?

At Les Assises de la Sécurité et des Systèmes d’Information, held last October in Monaco, a round table addressed an issue that is becoming crucial for businesses: insurance for cyber risks. Insurers are moving into this specialised field with contracts dedicated to the problems arising from new technologies. The speakers identified what these policies can offer companies and their CISOs.

Cyber insurance policy: A product as yet without standards

Insurance contracts covering computer or technology claims are still in their infancy. Traditional insurance policies sometimes include cyber clauses: this is a marketing argument aimed at companies that buy an additional service. However, while these clauses are certainly less expensive, they cover fewer situations than a dedicated cyber insurance contract.

These "hybrid" contracts are incomplete and compensation could be too low. Philippe Cotelle illustrated this phenomenon through an example: in a traditional claim like a fire, compensation covers a material event. However, in a technological claim, the company faces an intangible event and the damage cannot be materialised or quantified even if the event affects the company’s internal system or customers.

Another significant example: as regards defence, everything is covered and formalised by default. Investigations are recurrent and the risks are known.

In contrast, in the private sector, if the company is not qualified as being of vital importance, there is no financial coverage in case of a claim. By default, financial departments cover the cost of time devoted to restoration through a dedicated budget. However, over the long term, companies need to get organised to maintain their cyber protection.

A contract dedicated to IT risks is recommended in addition to the global insurance policy. This insurance should consider new scenarios, understanding that the scope is intangible and not a physical area.

The contract must include features specific to cyberspace. Two consequences follow from this choice of risk coverage: first, compensation will be pertinent, and second, the insurer will be able to offer adequate service during crisis management and expertise during recovery.

While the argument may not concern CAC 40 companies, small companies may be interested in this type of technical support. Taking out cyber insurance eliminates the risk of being under-insured in the event of a disaster. This contract complements the company’s global insurance.

The growing role of CISOs and insurers

Since cyber insurance is still incomplete, CISOs may be able to express specific needs and calibrate their contracts. Before that, a company’s computer security stakeholders must understand this cyber insurance tool, from both an assistance and a budget viewpoint. More specifically, CISOs identify which technical dimensions can affect company operations or its customers.

Once the scenarios have been developed, the insurer and the CISO can establish amounts. The insurance policy’s options are set according to the nature of the risks listed. The speakers also emphasised an indirect benefit of these specific contracts: if CISOs identify major risks, they are better equipped to present a coherent budget to company executives. The insurance policy and its price then make sense.

CISOs can thus offer credible coverage of the computer system. Downstream of the contract, the reinsurer also seizes an opportunity: the stakeholders defend a virtuous system once a technological insurance policy is signed by the company and its insurer.

A novel relationship between cyber-insurer and cyber-insured

In a traditional contract covering a house, car or health, the insurer decides. It calls on experts or practitioners and seeks possible contract breaches before compensation. In a cyber insurance contract, the insurer has no choice: it has to trust the company and its CISO. It cannot assess an intangible location like a cloud. The work done by the CISO upstream of a possible claim cannot be challenged.

This flexibility for cyber security players will exist as long as the sector has not yet reached maturity, unlike the real estate or automobile insurance sectors.

Speakers: Thierry Auger, CIO & CISO; Jean Bayon de la Tour, Cyber Development Leader, Marsh; Philippe Cotelle, Insurance Risk Management Manager, Airbus; Sébastien Héon, SCOR.
Moderator: Cécile Desjardins, Journalist