Not a day goes by without a company, large or small, falling victim to a cyber attack. For organisations, it’s no longer a matter of if but when they will fall victim. Faced with this situation, how do insurers cover the risk? Review of the current situation.
Cyber insurance is the ultimate solution once the company has implemented all the preventive measures to protect its digital data, secure its IT environment and comply with the regulations in force. “Without doing this work beforehand and making the necessary investments as a result, it will be difficult for a business to take out insurance”, explains Sophie Di Meglio, Director of Special Risks at Qualibroker-Swiss Risk & Care.
Cyber insurance will apply in the event of a security incident or attacks on a company’s IT system, or personal and confidential data. It mainly offers:
Some insurers offer a cyber extension to their Property insurance policy and/or to their Liability insurance policy, but the coverage is generally less, and the financial compensation is low. “Nevertheless, it is an interesting solution for SMEs,” says Sophie Di Meglio, “as the companies that pioneered Cyber insurance are now more demanding before insuring them, and some even no longer insure SMEs with turnover below a certain level.”
The main exclusions include personal injury; harm to property and financial loss other than harm to property; loss due to wear and tear or ageing of data carriers; lack of compatibility between digital data and software, or between software programmes; the failure or breakdown of public utility infrastructures (network disruption); the infringement of commercial patents, etc. The obligations imposed on the policyholder differ from one insurer to another, and non-compliance may deprive the policyholder of cover. And Sophie Di Meglio reminds us: “It is important to read the contracts in full, which can be complex for a novice. A good solution is to seek advice from a broker, all the more so as insurers’ criteria and terms evolve over time, in particular owing to the exponential increase in the number of cyber attacks over the past 2 years.”
The following are also not covered: expenses for new elements introduced as a result of an incident (e.g. software or IT system upgrades), costs and losses related to a lack of capital caused by an insured loss, and items covered by a Directors’ Civil Liability policy.
Sophie Di Meglio adds: “Some professional sectors considered to be highly exposed to cyber risk are in fact excluded by insurers. This is the case for companies that generate the majority of their sales on the Internet, IT services providers, “critical” infrastructures such as telecom companies, medical institutions or water suppliers, etc.”
Generally, the company will be asked to fill out an underwriting questionnaire. Some insurance companies will not, however, require such a questionnaire if it is a matter of extending an existing Objects or Civil Liability policy.
Before agreeing to insure a business, insurance companies pay particular attention to several points, such as regular staff training on data protection and security, the type and amount of sensitive data processed, regular updates, malware protection, network security and multi-factor authentication, data backup and recovery, and the company’s response plan and testing.
N.B.: just one previous incident may be sufficient for the company to be ineligible for cyber insurance!
Data protection should be a top priority for boards of directors and executive committees. They could be accused of lacking or having insufficient cyber risk management (with reference to Articles 717 and 754 of the Code of Obligations).
Cyber insurance is an effective tool for prevention. The underwriting conditions imposed by insurance companies are ultimately the measures that every company today should already have set up to combat cyber attacks effectively.
Most SMEs take measures to mitigate cyber risk. However, they are not immune to attack. For cybercriminals, it’s easier to hack into SMEs, which lack dedicated resources, and obtain the payment of a ransom. Moreover, they are the gateway for reaching their clients with whom they are connected.
Managers are responsible for the company’s sustainability. A cyber attack can have a serious financial and reputational impact. Since security vulnerability is of human origin in 95% of cases, it is essential for everyone to receive training. IT tools are necessary, but not sufficient: managers must identify the critical assets to be protected, organise matters, set up processes, rules and a system of regular review, and prepare themselves to manage a forthcoming crisis.
There will be an ever-growing number of attacks. Cybersecurity is based on risk management, crisis anticipation, the implementation of resources, especially human resources, and the development of a mindset in all organisations (the risk is systemic!). As with the automobile sector, safety will improve with reliable equipment, technical verifications, a driver’s license obtained on the basis of training, a highway code and supervision of the application of standard rules.
This feature appeared in Insurance Inside no. 25, March 2022.
Marie de Fréminville is an expert in governance and risk management. After a career in large international companies, she is now contributing her experience for the benefit of Swiss companies at her consulting firm Starboard Advisory. She is also the Vice President of the Swiss Circle of Women Directors.