For several years now, companies have been offering “cybersecurity” insurance policies which are intended to cover certain risks defined as such. In view of the risks, the interest seems obvious. But, as always in a commercial relationship, between the seller’s message and the real (legal) text that will govern the contract, there are some differences.
By Alexandre Diehl, Lawyer, Lawint
On September 28, the National Gendarmerie, the French Insurance Federation (FFA) and the National Federation of General Insurance Agents’ Unions (AGEA) signed a partnership to train general agents and raise their awareness of cyber risk.
The idea of this partnership is to deal with cyber risk where it hurts, namely in the wallet. Indeed, most managers and CIOs see this risk as serious and concrete, but believe they are covered by insurance. Conversely, insurers also see this risk as serious and concrete, but believe that companies must put minimum security measures in place as a precondition for being compensated.
In French law, an insurable risk must have certain characteristics: it must be random, future, legal and real. The Insurance Code and case law exclude certain risks from “insurability”, including in particular risks related to war, riots and popular upheavals (art. L.121-8 of the Insurance Code) and claims resulting from an intentional or fraudulent fault (art. L.113-1 of the same code). But above all, there are the risks and claims that are contractually excluded.
To help insurance companies draw up this list (and also the list of risks they would like to exclude or make conditional), the FFA has tried, since 2018, to draw up a non-exhaustive list of risks qualified as cyber: hacking, data theft, identity theft, hijacking of connected objects, ransomware… Three years later, the main threats are phishing and ransomware.
The report (from the Club des Juristes) presented by the FFA is clear: the company that wants to claim compensation, in the event of a cyber disaster, must demonstrate that it has put in place several preliminary measures.
Today, on the basis of this work, the main insurance companies make any compensation conditional on the insured demonstrating four types of prior measures.
The first involves producing a risk and vulnerability map and an assessment of what is at stake (for example, the EBIOS methodology or, for smaller structures, the CNIL’s PIA, a free tool that is well designed).
The second part concerns the definition and implementation (or, at least, the beginning of implementation) of corrective security measures, including written procedures (covering in particular security measures, fault management, etc.) and at least one information systems security policy (PSSI).
The third component concerns training or at least awareness of cybersecurity and data processing.
Finally, the audit, maintenance and enrichment of these measures must be carried out periodically.
This list is not insignificant because it more or less repeats the one derived from Article 32 of the GDPR (and its interpretation by the CNIL and the ANSSI), which legally requires companies to implement such measures. In other words, an insurer will only compensate if the victim company has validly implemented the legal and operational measures required under the GDPR. Even though each policy is specific, it can be summarized briefly as follows: if nothing is done beforehand, the premium may well be paid, but the insurance will not provide cover.