What is cyber insurance and should I underwrite an insurance policy?

What is cyber insurance and should I underwrite an insurance policy?

What is cyber insurance and should I underwrite an <strong>insurance policy?</strong>

Not a day goes by without a company, large or small, falling victim to a cyber attack. For organisations, it’s no longer a matter of if but when they will fall victim. Faced with this situation, how do insurers cover the risk? Review of the current situation.

Cyber insurance is the ultimate solution once the company has implemented all the preventive measures to protect its digital data, secure its IT environment and comply with the regulations in force. “Without doing this work beforehand and making the necessary investments as a result, it will be difficult for a business to take out insurance”, explains Sophie Di Meglio, Director of Special Risks at Qualibroker-Swiss Risk & Care.

What cyber insurance covers

Cyber insurance will apply in the event of a security incident or attacks on a company’s IT system, or personal and confidential data. It mainly offers:

  • Assistance and crisis management: the insurer provides the company with a 24/7 hotline to connect it with IT specialists, crisis management experts and legal advisors. This service can be mobilized during the first hours of an attack and is crucial in managing the crisis in order to mitigate its impact, especially on the company’s reputation.
  • The first party cover: covers, in particular, the costs incurred to restore data, remove malware, and notify the authorities and third parties, monitoring and surveillance costs as well as loss of income following the disruption of business (with a deferred period of between 6 and 48 hours depending on the insurer). Costs related to cyber extortion, such as the cost of consultants mobilised to prevent the threat of blocking or data theft from being carried out are also covered. Some insurers even agree to pay the ransom if there is no other alternative, but this is becoming increasingly rare.In the event of an incident, this guarantee should extend to the policyholder’s service providers who manage its IT system or host its data.
  • Civil liability cover: covers the costs of defence and damages, if any, in relation to third-party claims related to data protection, or in the event of infringement in relation to electronic content distribution.

Some insurers offer a cyber extension to their Property insurance policy and/or to their Liability insurance policy, but the coverage is generally less, and the financial compensation is low. “Nevertheless, it is an interesting solution for SMEs,” says Sophie Di Meglio, “as the companies that pioneered Cyber insurance are now more demanding before insuring them, and some even no longer insure SMEs with turnover below a certain level.”

And what cyber insurance does not cover

Among the main exclusions, we have personal injury, harm to property and financial loss other than harm to property, loss due to wear and tear, or ageing of data carriers, or the lack of compatibility between digital data and software, or between software programmes, the failure or breakdown of public utility infrastructures (network disruption), the infringement of commercial patents, etc. The obligations imposed on the policyholder differ from one insurer to another, and may deprive the policyholder of cover in the event of non-compliance. And Sophie Di Meglio reminds us: “It is important to read the contracts in full, which can be complex for a novice. A good solution is to seek advice from a broker, all the more so as insurers’ criteria and terms evolve over time, in particular owing to the exponential increase in the number of cyber attacks over the past 2 years.”

The following are also not covered: expenses for new elements introduced as a result of an incident (e.g. software or IT system upgrades), costs and losses related to a lack of capital caused by an insured loss, and items covered by a Directors’ Civil Liability policy.

Sophie Di Meglio adds: “Some professional sectors considered to be highly exposed to cyber risk are in fact excluded by insurers. This is the case for companies that generate the majority of their sales on the Internet, IT services providers, “critical” infrastructures such as telecom companies, medical institutions or water suppliers, etc.”

What an insurer will ask you

Generally, the company will be asked to fill out an underwriting questionnaire. Some insurance companies will not, however, require such questionnaire if it is a matter of extending an existing Objects or Civil Liability policy.

Before agreeing to insure a business, insurance companies pay particular attention to several points such as regular staff training on data protection and security, the type and amount of sensitive data processed, regular updates, malware protection, network security and multi-factor authentication, data backup and recovery, and its response plan and testing.

N.B.: just one previous incident may be sufficient for the company to be ineligible for cyber insurance!

Cyber insurance to help prevention

Data protection should be a top priority for boards of directors and executive committees. They could be accused of lacking or having insufficient cyber risk management (with reference to Articles 717 and 754 of the Code of Obligations).

Cyber insurance is an effective tool for prevention. The underwriting conditions imposed by insurance companies are ultimately the measures that every company today should already have set up to combat cyber attacks effectively.

key-figures

Cyber risk - a matter that concerns everyone  in a company

Is cyber risk properly taken into account by companies? 

Most SMEs take measures to mitigate cyber risk. However, they are not immune to attack. For cybercriminals, it’s easier to hack into SMEs, which lack dedicated resources, and obtain the payment of a ransom. Moreover, they are the gateway for reaching their clients with whom they are connected.

Cyber risk is not just an IT issue. It is also part managers’ responsibility. How can their awareness be raised?

Managers are responsible for the company’s sustainability. A cyber attack can have a serious financial and reputational impact. Since security vulnerability is of human origin in 95% of cases, it is essential for everyone to receive training. IT tools are necessary, but not sufficient: managers must identify the critical assets to be protected, organise matters, set up processes, rules and a system of regular review, and prepare themselves to manage a forthcoming crisis.

What are the future challenges of cyber security? 

There will be an ever-growing number of attacks. Cybersecurity is based on risk management, crisis anticipation, the implementation of resources, especially human resources, and the development of a mindset in all organisations (the risk is systemic!). As with the automobile sector, safety will improve with reliable equipment, technical verifications, a driver’s license obtained on the basis of training, a highway code and supervision of the application of standard rules.

Ce dossier est paru dans Insurance Inside n°25 - mars 2022. 

Marie de Fréminville, est experte en gouvernance et en gestion du risque. Après un parcours au sein de grandes entreprises internationales, elle met son expérience au service des entreprises suisses au sein de son cabinet de conseil Starboard Advisory. Par ailleurs, elle est Vice-Présidente du Cercle suisse des administratrices.

Marie de Fréminville, is an expert in governance and risk management. After a career in large international companies, she is now contributing her expe¬rience for the benefit of Swiss companies at her consulting firm Starboard Advisory. She is also the Vice President of the Swiss Circle of Women Directors.

Our associated services

Insure my company

As an insurance broker covering all sectors, we offer complete risk coverage to companies, no matter what their size, with the best coverage/risk ratio.

Insurance of objects and assets

Coverage to limit financial losses in the event of a disaster and to allow you to rapidly resume your activities.

Our news

26 Jun 2024

The Framework Agreement: “smart” insurance

What if insuring your business became child’s play, and taking out an insurance policy was just a matter of a few clicks? Utopia? Not at all. The dream becomes reality with a framework agreement. Here’s how:

22 Nov 2022

Accident prevention and insurance

In Switzerland, 6% of the working population fall victim to a workplace accident every year. This is a heavy burden for businesses, both at a human and economic level. Prevention and management are at the heart of the fight against workplace accidents. As is having insurance with adequate cover.

15 Sep 2021

The insurance portfolio a true performance lever

It is crucial to protect your employees, assets and business. Companies are being forced to improve their coverage to meet the risks inherent in their business sector.

08 Mar 2021

Construction Insurance: the advantages of “Globale chantier”

We focus on this solution that benefits companies constructing or renovating a building.

01 Mar 2016

The scourge of impersonation fraud

Wrongdoers can repeatedly elicit money from companies by impersonating their CEOs. The trend is a growing concern for Switzerland.

01 Sep 2015

Cyber-attacks

Digital technologies have led to the emergence of new dangers and specific insurance guarantees. A reflection on the possibility of a risk transfer with the insurers is on the agenda.

Talk to an expert
Phone
E-mail
Our branches