The visible and hidden financial costs of a cyber attack - A reminder
According to the Ponemon Institute[1], there are two types of costs.
Visible costs (the best-known)
- Technical investigations / restoration costs
- Customer notification of intrusion (Law 25)
- Regulatory compliance (Law 25)
- Legal fees and court costs
- Post-incident securing of customer data
- Public relations
- Cybersecurity improvements
Hidden costs
- Increased cost of debt
- Impact of business disruption or interruption
- Sales erosion due to loss of customer contracts
- Impairment of brand value
- Loss of intellectual property
- Loss of customer confidence
The importance of cyber insurance
In today's digital world, cyber-attacks represent a serious threat to businesses. These attacks can result in significant financial losses, damage to reputation, and the loss of sensitive data. Cyber insurance helps mitigate these risks by providing financial cover and support in the event of an IT security incident.
Nearly half of all SMEs have been the victim of a random cyber attack[2].
Types of cyber insurance
Cyber insurance has evolved rapidly from a niche strategy to cover a wide range of digital risks. Insurers are adjusting their approach in the face of increasing accumulated and systemic risks, modifying their risk tolerance and underwriting methodologies.
There are different types of cyber insurance to meet the varied needs of businesses. These policies can cover internal risks, such as employee errors or malice, and external risks, such as hacker attacks. Insurance policies can also cover production losses and data loss. It is crucial for a company to understand its own risks and choose the right insurance policy.
Choosing the right insurance
Underwriting processes have become more rigorous, with detailed questionnaires and in-depth analyses. Companies demonstrating good cyber hygiene (up-to-date systems, trained staff, etc.) are better positioned to maintain their insurance cover.
Choosing the right cyber insurance requires a thorough understanding of the specific risks a company faces. Insurance brokers specializing in cybersecurity can offer valuable advice in this area. They can help identify risks and select a policy that offers adequate coverage.
Internal and external risks
Insurers are concerned about the accumulation of correlated risks (risks that are related or interdependent, so that the occurrence of one event can influence the likelihood or impact of another) and technological dependencies, leading to a reassessment of retention limits and scope of cover.
Cybersecurity problems can originate from within the company, such as employee errors or malicious actions, or from outside, such as hacker attacks. Companies need to be aware of both types of risk, and implement appropriate prevention and protection measures: team training and awareness, data governance, access management, incident response planning, etc.
Denial of payment by insurers
Insurance contracts are coming under increasing scrutiny, particularly, but not only, when it comes to protection against ransomware and natural hazard exclusions. In some cases, insurers may refuse to pay for damage caused by cyber attacks. For example, if an attack is considered an act of war, the insurer may invoke this clause to deny coverage. It is therefore important to understand the terms and conditions of the insurance policy.
However, there is a growing need to harmonize terms, definitions and conventions to reduce ambiguity and inconsistencies in cyber insurance contracts.
Incident investigation
In the event of a cyber security incident, insurers can fund investigations to determine the cause and nature of the incident. These investigations can help to understand how the attack occurred and take steps to prevent similar incidents in the future.
Protection and prevention
In response to frequent cyber attacks, regulations are evolving, notably with Law 25.
Companies must implement protection and prevention measures to reduce their vulnerability to cyberattacks. These measures can include antivirus software, firewalls, and computer security protocols. Employee training in IT security best practices is also essential.
Conclusion
Cyber insurance is an essential part of a company's risk management strategy. With cyber security threats constantly evolving, it's crucial for businesses to stay informed and adapt accordingly. By choosing the right cyber insurance and implementing effective protection and prevention measures, businesses can protect themselves against the potentially devastating consequences of cyber attacks.
Companies are encouraged to adopt a cyber resilience strategy, including appropriate governance and cyber risk awareness. This is becoming a competitive advantage, especially at a time when insurers are reducing the capital allocated to cyber insurance.
To find out more: Cybersecurity: Certified Information Systems Security Professional (CISSP)