12 October 2023
Expert Insights

Cyber Insurance: the comprehensive guide to protecting your organization

Florent Skrabacz, President, ERIUM
Published by Florent Skrabacz

What is cyber insurance?

Almost all relational and transactional activities of organizations are conducted on the Internet, and this presence entails a risk. This risk is considered the primary threat in the age of the digital revolution: cyberattacks. Indeed, for nearly a decade, the number of cyberattacks has been on the rise. Cyber attackers continually devise new methods to profit from their attacks. This threat continues to grow, with no fewer than 385,000 successful cyberattacks reported against organizations, both public and private, in France in 2022.

Businesses and organizations are constantly facing the challenge of protecting their data from cyber threats such as data breaches and ransomware attacks. Any such incident can cause significant harm to them. In such cases, organizations have to deal with dual risks: legal consequences due to sensitive data breaches and financial losses resulting from business disruptions. To mitigate such risks, businesses can opt for cyber insurance. This type of insurance provides coverage for both the financial and legal repercussions of cyberattacks. For companies, obtaining cyber insurance to receive compensation for losses resulting from cybercrime has become a necessary and prudent measure to secure their online presence.

Why choose cybersecurity insurance?

Benefits and cost associated with cyber incidents

Many businesses obtain cyber insurance to cover the expenses resulting from cyber-attacks. Astères estimates that the total cost of successful cyber-attacks in France in 2022 was 2 billion euros. The costs related to data breaches fall under direct costs such as lost productivity, ransom payments, and lost work hours. According to a study by the Ponemon Institute, businesses in France are estimated to face a cost of 4.34 million dollars for a data breach in 2022. The study also reveals that 83% of the 550 companies surveyed reported experiencing data theft. Organizations must consider subscribing to cyber insurance to ensure their sustainability in the event of a cyberattack. Cyber insurance can help reduce the financial losses and liability caused by a data breach. However, due to the increasing number of cyberattacks, the amount of compensation paid out has tripled within a year. As a result, insurance premiums are higher, and obtaining cyber insurance requires fulfilling certain prerequisites.

The prerequisites for subscribing to cyber insurance

With the increasing insurance premiums, the prerequisites for subscribing to cyber insurance are becoming more numerous and evolving over time. Insurers now require organizations to have effective cybersecurity policies with defined risk management procedures and optimized protection systems.

A clear cybersecurity policy

It is essential to meet all these prerequisites and to stay informed about how they evolve, for example through insurance brokers. Before subscribing to a cyber insurance policy, it is important to have a solid cybersecurity policy in place. This policy must be effectively communicated to all stakeholders, including suppliers, partners, and IT service providers. Additionally, employee awareness and training programs should be implemented to ensure that everyone in the organization is aware of the policy and of best practices for maintaining cybersecurity.

Protection tools

Next, it is mandatory to have, at a minimum, deployed endpoint protection tools such as EDR, antivirus, antimalware, and a firewall to detect and prevent potential threats.

An email filtering solution must also be in place to reduce the risk of phishing and email-based attacks. Two-factor authentication must be enabled, especially for admin accounts and remote access, adding an additional layer of protection for sensitive accounts. GDPR compliance is necessary to protect the sensitive data of your partners and clients, which should be stored securely.

For larger accounts, cyber insurers will require a managed EDR or XDR within a SOC (Security Operations Center), essential for quickly detecting, analyzing, and responding to security incidents when applying for cyber insurance.

Regular assessments

Regular evaluation audits to measure cybersecurity maturity and identify vulnerabilities to be addressed will also be among the prerequisites needed to subscribe to cyber insurance.

It is also crucial to be prepared for a cyber crisis by having emergency response and incident response plans in place, which can be done through crisis management exercises.

It is important to optimize security protocols related to IoT to prevent potential compromises.

Finally, by using a cyber rating solution, the company can obtain a diagnosis of its cybersecurity status and identify areas for improvement before subscribing to cyber insurance. This approach is primarily declarative and can be enhanced by attack simulation scenarios that demonstrate the actual effectiveness of the measures in place. By strengthening the cyber scoring, these approaches provide evidence of cybersecurity effectiveness to the insurer, paving the way for negotiations.

Implementing these prerequisites enhances the company’s cybersecurity posture, reduces the risk of costly incidents, and, combined with insurance, protects the company against the consequences of a successful cyber-attack.

What attacks and compensations does cyber insurance cover?

Understand your insurance policy and negotiate to match your cybersecurity needs. Cyber insurance can cover expenses like:

  • Data breach: Cyber insurance can cover the costs associated with the recovery, restoration, or replacement of stolen data. If sensitive data has been compromised, the insurance may cover the expenses related to potential lawsuits and regulatory obligations.
  • Business interruption: Cyber insurance compensates for financial losses due to business interruptions caused by cyberattacks.
  • Recovery and restoration expenses: Cyber insurance covers costs related to restoring information systems.
  • Fund losses: Whether it’s losses of funds transferred due to events like fraud, social engineering, or extortion, cyber insurance may cover a portion of these losses and provide compensation to victimized organizations.

Of course, this list is not exhaustive, and it is essential to check with your insurer for any coverage exclusions.

What are the prices of cyber insurance?

There are no general rules regarding the price of a cyber insurance policy, as it depends on several factors such as the type of business, size, cybersecurity history, industry sector, annual revenue, and geographical location.

An insurance premium can start at a few thousand euros per year for a small business with low cyber risks and can increase significantly for an organization with strong cybersecurity needs.

For example, sectors like healthcare or finance are more susceptible to cyberattacks, which can significantly impact the cost coverage provided by cyber insurance.

To obtain an accurate estimate of the price of cyber insurance tailored to your organization, it is necessary to contact an insurance company to obtain a personalized quote.

What does cyber insurance not cover?

While each insurance policy is unique, and clauses vary from one organization to another, there are certain elements that are generally not covered by cyber insurance. Among these, we find:

  • Malicious acts committed by internal parties, such as employees or subcontractors.
  • Security failures (flaws or vulnerabilities) known to the company but not addressed, thereby resulting in the exclusion of coverage for resulting incidents.
  • Non-compliance with established security policies.
  • Expenses resulting from acts of war, terrorism, or conflicts of a geopolitical nature are sometimes excluded from insurance policy indemnification clauses.
  • Attacks attributed to or supported by governments or intelligence services.
  • Loss of intellectual property, which is often excluded based on the circumstances.
  • Physical damages (fire, flood, etc.) are excluded from cyber insurance and covered by other types of insurance.
  • Failure to meet the notification deadlines to the cyber insurance company.

When subscribing to a cyber insurance policy, it is essential to be aware of the terms, conditions, and potential exclusions in the policy to ensure that the coverage aligns with the organization’s needs and to avoid unpleasant surprises in the event of a successful attack.

How to choose the cyber insurance?

To choose the best cyber insurance, which is most suitable for the organization’s cybersecurity needs, several factors need to be considered.

Understanding your context

A thorough assessment of your context (industry, size, revenue) and the cyber risks to which the organization is most exposed is essential. This will help evaluate the company’s maturity level and determine the threats it is most likely to face to ensure their coverage by cyber insurance.

Real-conditions Cyber Assessment, implemented by Erium, evaluates a company’s cyber effectiveness with a score ranging from 0 to 100. It considers the cyber maturity of the organization’s employees (assessed using the Cyber Investigation cyber awareness platform), defense and response capabilities against cyberattacks (evaluated with the Breach and Attack Simulation tool BlackNoise), and crisis management and cyber resilience capabilities (evaluated with Cyber XP, real-world crisis exercises).

Real-conditions measurement tools provide a genuine overview of the organization’s cyber risk coverage. This allows for the establishment of appropriate cybersecurity policies and the negotiation and selection of the most suitable cyber insurance.

The extent of coverage

It is essential to choose a cyber insurance provider with experience and a strong reputation in the field of cybersecurity, capable of understanding the cybersecurity challenges and threats that organizations face. While price is an important factor, it should not be prioritized at the expense of the quality or extent of insurance coverage.

The extent of coverage provided by cyber insurance, as well as any exclusions, is the primary criterion to consider when subscribing to an insurance policy. It is crucial to ensure that all the risks the company is exposed to are covered by the insurance. The terms and conditions, which must be understood before committing to an insurance contract, are also important in order to comprehend the mutual commitments of both parties.

By taking these various factors into account, it will be easier to choose a cyber insurance policy that will protect the company in the event of a successful cyber-attack.

How to subscribe to a cyber insurance policy?

Once the assessment of cyber risks and the company’s cyber coverage needs have been established, the process of obtaining cyber insurance involves several steps.

First, it is necessary to conduct an insurance assessment that clarifies the coverage needs and cyber vulnerabilities to be addressed.

In addition, you will need to choose a competent insurance broker with expertise in cyber risks, who will assist the organization throughout the process. The broker guides the company in identifying the cyber insurance that best suits its needs, taking into account its size, sector, and various activities.

Working in conjunction with the broker, the scope of coverage and the coverage limit are defined and communicated to the chosen insurer. The insurer then conducts a risk analysis that assesses the cyber maturity of its client. Based on this analysis, the cyber insurance provider offers a premium amount that reflects the company’s level of readiness to face cyber threats.

Finally, the negotiation phase begins with the aim of reaching an agreement on the extent of coverage, the coverage limit, and the insurance premium amount. Once all parties are satisfied, the cyber insurance policy contract can be signed, providing the organization with strong and targeted protection against the cyber risks it faces.

Best practices to enhance cyber insurance

Cybersecurity awareness for employees

To enhance cyber insurance coverage, strong cybersecurity best practices should be adopted. Awareness, or rather acculturation, to cybersecurity for the organization’s employees forms the foundation of this approach. This awareness is achieved through a clearly communicated internal cyber policy that establishes rules and responsibilities for everyone.

Regular cybersecurity training for all employees against cyber risks and threats ensures that each person understands the cybersecurity issues and knows how to identify and respond to potential cyber threats. It is also crucial to assess the cyber maturity of these employees in order to take appropriate protection measures based on the results.

A platform like Cyber Investigation is ideal for training employees interactively and in an engaging manner. This immersive tool allows individuals to put themselves in the shoes of a hacker, promoting an understanding of the mechanisms of a cyber-attack. Enriched with supplementary content (quick reference guides, quizzes, videos), it educates employees about proper cyber practices. The platform also provides CISOs with the ability to measure their employees’ performance, allowing them to subsequently implement measures based on the specific risks to which they are exposed.

Software and system updates

In addition, keeping software and systems up to date is an essential practice to strengthen defense capabilities against a cyber-attack. Whether it’s software, websites, antivirus, or firewalls, updates help to fix vulnerabilities and security flaws.

Any sign of suspicious activity should be reported, allowing for a quick and effective response in the event of a potential incident. When a security flaw is detected, necessary measures must be applied to correct and minimize risks.

As an example, a Breach and Attack Simulator (BAS) like BlackNoise allows for real-time attack simulations to assess the company’s ability to detect and respond to cyberattacks. This innovative and proactive approach helps identify vulnerabilities and correct them, thereby facilitating continuous improvement in security measures.

In conclusion, adopting a cyber acculturation policy, keeping systems up to date, and being prepared to respond in times of crisis are the key elements to optimally complement your cyber insurance coverage.

Cyber insurance in the Age of AI

Erium couldn’t conclude this article without addressing the role of AI, which now holds a central position in the technology sector.

The emergence of artificial intelligence in recent years has brought about a significant and global transformation in various industries, including that of cyber insurance. This innovative and revolutionary technology can automate tasks, analyze massive volumes of data, and make decisions based on these analyses.

Benefits of Artificial Intelligence

In the field of cyber insurance, AI is transforming the underwriting process by automating its operations. With its data analysis capabilities, AI can provide insurance companies with information about the cyber risks to which businesses and institutions are most exposed. As a result, the automated process becomes more efficient and effective. Furthermore, AI enhances the claims processing and settlement by automating the collection of claims-related data, promoting efficiency and accuracy in claims settlements.

For insurers, AI also offers the advantage of being able to detect fraud and fraud attempts, thereby strengthening the security and integrity of the cyber insurance sector.

Limitations and challenges

However, despite its advantages, AI has limitations and poses challenges for the cyber insurance sector. Cyber risks are complex and constantly evolving, so AI may struggle to assess the risks associated with cyber insurance coverage accurately. Similarly, AI may have difficulty predicting the impact of new technologies and regulatory developments related to cyber threats, leading to inaccuracies in its assessments.

Furthermore, AI can perpetuate biases based on the data it was trained on, which can result in unequal or unfair treatment among clients.

Lastly, the role of AI may diminish that of human underwriters and claims adjusters, leading to a loss of expertise, personalized experience, and reduced levels of service.

AI has a significant impact on the cyber insurance sector. It offers the potential for improving underwriting and claims settlement processes, as well as a new way to protect against fraud for cyber insurance companies.

However, it faces limitations with the perpetuation of biases since it relies on the operational knowledge of its user and the data provided at a specific point in time, and with the diminishing role of humans. It is essential to keep in mind that AI is a tool and not a substitute for human underwriters and claims adjusters.

More than ever, it is important to adopt a critical approach to the information provided by artificial intelligence and to use it responsibly, in conjunction with human skills and judgment.

To conclude

The cyber insurance market is rapidly evolving. To make the most of it, it is essential to:

  • Work with an efficient and specialized broker.
  • Implement a cybersecurity policy to reduce cyber insurance premiums.
  • Avoid any disputes in the event of a cyber claim by putting in place controls that verify the effectiveness of this cybersecurity policy.
  • Demonstrate the policy’s effectiveness in real-world conditions to support any legal claims if disputes arise.