CYBER ​​INSURANCE ON THE VSE / SME MARKET

Even if it is still not very mature compared to its Anglo-Saxon counterparts, the cyber insurance market is expected to experience a growth peak thanks to changes in the regulatory framework applied to companies.

If today most large companies such as CAC 40 and ETI, aware of their great exposure to digital risks and the approach of the date of entry into force of the GDPR, are insured for their cyber risks, the maturity of the markets of VSEs / SMEs has not yet been observed.

The evolution of cyber attacks

According to the cybersecurity barometer produced and published by CESIN in January 2018, the number of companies affected by cyber-attacks in the last 12 months has reached almost 80%. This means that in France, over the period from 2015 to 2017, the number of cyber-attacks recorded has tripled. These cyber-attacks can be separated into 3 distinct groups:

- Sabotage: dissemination of viruses

Ex: In 2017, the Clermont Pièces SME was placed in compulsory liquidation following the encryption of all of its customer and supplier files and its inability to pay the required ransom.

- Espionage: competitive cyber-espionage, cyber-espionage between States

Ex: In 2016, the German industrialist ThyssenKrupp was the victim of a cyberattack aimed at stealing industrial secrets.

- Crime/piracy: data theft, identity theft, system takeover

Ex: In 2017, Uber admitted to having been the subject of a large-scale cyberattack that resulted in the theft of the personal data of 57 million of its users.

The growth of cybercrime can be explained by several reasons:

- The importance of earnings for hackers

- The low risks incurred, in particular, linked to the international nature of cyber attacks

- Easy access (on the Darknet) to the necessary expertise

- The increase in the number of potential targets linked to digital development

The immaturity of the VSE / SME markets: reasons and consequences

Two main reasons justify the immaturity of the VSE / SME markets in the face of cybercrime. It is, first of all, a weak feeling of exposure on the part of these structures given the challenges and industrial competition but also a budget allocated to cybersecurity that is severely restricted. Indeed, the average annual amount granted by more than 50% of French SMEs for their IT security is less than € 50 per employee.

However, the penalties incurred in the event of non-compliance with the obligations established by the GDPR, namely:

- Notification of personal data breaches;

- Consent to data processing must be free, specific, informed, and unambiguous;

- A detailed register of the processing of personal data must be kept by both the data controllers and the subcontractors and must be able to be made available to the supervisory authorities.

are major since the fine could vary between 20M € and 4% of the worldwide turnover of the company.

Cyber ​​insurance offers available

Insurance companies have great difficulty pricing the risks related to cyberattacks targeting VSEs / SMEs. Indeed, they lack historical information and cannot predict human and individual failures. Also, some losses are considered irreparable and it is difficult to cover immaterial damage. However, each is trying to develop new offers around 3 components:

- Insurance: reimbursement of claims

Ex: attack management costs, coverage of losses related to turnover, company reputation, equipment, data (...) and recovery costs, civil liability (damage to third parties), notification fees (customers and regulator) ...

- Prevention: reduction of claims

Ex: Employee awareness, security audit, notification in the event of imminent threats, etc.

- Support: services offered to help manage an attack

Ex: expert intervention in the event of a crisis to contain the attack and repair the damage, Darknet monitoring, reputation monitoring, etc.

We can cite the example of the offer proposed in April 2017 by the Generali Group in association with Engie Ineo and Europ Assistance. Dedicated to VSEs / SMEs, this offer called "  Digital Protection  " is made up of 3 parts: Generali covers the compensation part (operating losses, material damage, etc.) and civil liability vis-à-vis third parties, Europ Assistance takes care of. handles the management of the file by positioning itself as the insured's main contact and Engie Ineo is responsible for repairing and securing the affected system.

Towards a new insurance model?

In response to the growing number of cyber-attacks identified and the relative effectiveness of the offers offered by certain insurance companies, a new insurance model should be considered.

In line with other areas of insurance, cyber insurance must go beyond reimbursement of claims to offer services to companies ranging from prevention, to limit the risks and impact of attacks, to support for help businesses deal with attacks that manage to infiltrate.