companies must protect themselves to be insured, Digital-Cybersecurity

SMEs and ETIs are interested in equipping themselves with belts and braces to obtain insurance that protects them in the event of cyber-attacks. HAS At a time when hacker attacks against companies increase, insurers are attentive before granting these coverages.

“Only companies that have invested in IT security in protection tools will be able to guarantee themselves”, warns the general manager of AIG in France, Christophe Zaniewski. However, “the basic security procedures are still very little implemented by SMEs”, regrets this historic player in the market.

compensation for losses

SMEs and ETIs are still very poorly covered to deal with hacker attacks. Missing stats, but only 8 % of ETIs and less than 1% of SMEs had cyber insurance in 2020, according to estimates by the Association for the Management of Risk and Insurance Enterprise (AMRAE), taken over late last year by an employee of Bercy

Concerned about the vulnerability of companies, the State promised in 2021 an action plan to encourage the development of this insurance. But “today we cannot insure people who do not do the least to protect themselves”, warns Nicolas Kaddeche, of the insurance company Hiscox France.

Struggling to understand cyber risk, which is still new and very evolving, insurers fear having to pay dearly in the event of cyberattacks. The bill can skyrocket because covers don’t just open up the right to technical assistance to help companies get their computer systems back on track. They can make up for the financial losses caused by paralyzing a society for days or even weeks.

inappropriate requests

Cooled by the list of major attacks, insurers are raising rates and limiting their risk-taking. This is the case of Hiscox France: “We decided to be more selective and strongly restrict the subscription of companies with more than 100 million in revenue”, explains Nicolas Kaddeche. “For ETIs, it becomes very difficult to obtain cyber insurance”, observes broker Antoine Giacomotto of Ageo Assurances.

In any case, those who managed to sign a contract had to show their credentials. By answering a series of questions about your security in advance. And when demonstrating that they have taken protective measures, with backups, double identity verification systems for access to the computer system, etc.

“We have a lot of requests from brokers asking us to do an upstream audit to help their clients get cyber insurance. Even for SMEs and ETIs”, confirms Thibault Carré, from cybersecurity specialist Inquest (Stelliant Group).

Insurers’ demands sometimes make people cringe. “The requirements of large companies are inappropriate in the context of the greater number of ETIs and SMEs, with disproportionate requests for compliance”, says Alain Conrard, president of the digital commission of the Movement of large companies intermediary (Meti). “It’s not within the reach of all companies,” he notes, urging insurers to “adapt to the spec” and saying he’s convinced their positions will evolve.

remote scan

“The problem is that traditional insurers don’t offer technical support,” argues Jules Veyrat, founder of specialist brokerage Stoïk, an insurtech that raised 3.8 million euros earlier this year. A partner of the very young insurance company Acheel, the start-up offers VSEs and SMEs to cover them after having “scanned” the security of their computers remotely using software.

Other actors relativize the height of the step to be taken to be sure. Especially for FTEs. “For now, there is nothing insurmountable,” says Jean-Philippe Pagès, director of insurance brokerage Bessé. “In a few months, an ETI can establish the diagnosis of its vulnerabilities and its maturity in cybersecurity and then implement very concrete governance and risk prevention actions that will allow it to guarantee”, he says.

However, the required upgrade depends a lot on the size of the companies. “For companies with revenues of up to 10 million business, there are insurance solutions with a minimum of IT hygiene and underwriting procedures are relatively simplified. In addition, insurers are becoming more demanding”, observes Didier Seigneur, vice president of brokerage CRF Assurances.

A cost to put in perspective

Small businesses may be reluctant to spend money on cybersecurity upgrades and cyber insurance. “If you have all the necessary protection measures – antispam, antivirus, offline backup, etc. — and if you’re sure, that all amounts to a TPE of two days of annual billing in the first year and one day of billing afterward,” says Marc Bothorel, cybersecurity referent at the National Confederation of Small and Medium Enterprises.

He himself heads a small IT company in Essonne, Starware Micro Services (700,000 euros in turnover), his cyberpolitics costs him 600 euros a year, against 1,400 euros for his professional civil liability – “it’s nothing , not even the cost of a day’s work for one of my engineers,” he says. “I have only one piece of advice: take your protective measures today in the tense international context, because tomorrow will be too late,” he insists.

Cyber ​​threat perceived as high with the war in Ukraine

The war in Ukraine and the current situation of geopolitical uncertainty are reigniting business concerns about the worsening cyber threat. According to a survey published at the end of May by the Club of Specialists in Information and Digital Security (Cesin) and carried out by OpinionWay among 300 SMEs and ETIs with more than 15 million euros in revenue, 59% of them “fear an increase in cyber attacks”. This is particularly the case for FTEs and SMEs with a turnover of more than 100 million euros. Among the companies surveyed, 45% have strengthened their cybersecurity system since the start of the conflict or are in the process of doing so.

Leave a Comment