Cyber insurance: insurance and criminal law practice


INSURANCE LAW

By Jérôme Goy and Armand Feste-Guidon

Cyber risk insurance has become the fifth insurance policy that insurers market to businesses, alongside public liability, directors’ and officers’ liability, property damage and vehicle fleet policies. Indeed, cyber risks have multiplied in the everyday life of companies; cyber-attacks were ranked as the fifth most important risk in 2020, according to a World Economic Forum report, and cybercrime has increased by 600% since the COVID-19 pandemic. Faced with this situation, Anglo-Saxon and then continental insurance companies decided to isolate coverage for this risk in specific insurance contracts. Until recently, the consequences of cyber risks were covered under civil liability insurance contracts on the one hand, and property damage insurance contracts on the other. The risk is of a mixed nature, since it affects companies’ property and gives rise to their liability towards third parties.

The particularity of these contracts was reinforced by the Ministry of the Interior’s orientation and programming law of 2023, which makes indemnification by the insurer conditional on the insured lodging a complaint within 72 hours of learning of the cyber-attack. The creation of this obligation gave rise to lively debate between cybersecurity experts and members of parliament. The risk is that insurance companies will pressure policyholders to pay ransom rather than remediation costs, making French companies attractive payers for cybercriminals. Companies themselves often prefer to pay a ransom rather than see their reputation tarnished. This new requirement firstly gives insurance companies a date for the cyber-attack, and secondly encourages victims to lodge a complaint quickly.

I. Risks covered by cyber insurance

Cyber insurance generally comprises three types of cover:

More specific coverage may also be added, such as ransom negotiation or even ransom payment.

Nevertheless, cyber insurance cover comes with obligations in terms of securing your information system.

For example, a cyber insurance policy may require you to implement cybersecurity measures within your company, failing which you will not be covered.

Similarly, the insurance company may make your subscription to the cyber insurance policy conditional on a cybersecurity audit.

II. Auditing your cyber insurance policy: how do you know if you’re properly covered?

It’s essential to carry out an audit of all the insurance policies taken out for your company, so that you know exactly how well protected you are in the event of a cyber incident.

Existing policies can insure you against cyber risks such as personal data breaches, or breach of contract linked to the unavailability of data or information systems.

Once this audit has been done, it’s essential to supplement your insurance protection with a specific, tailored cyber insurance policy.

As part of this process, it should be noted that cyber insurance contracts may stipulate specific exclusions concerning several critical points, such as social engineering, hacking from another country or cyber incidents intentionally caused within the company.

You need to determine whether the cyber risks covered by the insurance contract meet your company’s specific needs, and if so, you need to be fully aware of any exclusions.

Finally, if it turns out that your current business coverage is partial or inadequate, you should consider renegotiating the terms of existing contracts to include more extensive protection against cyber risks.

III. Filing a complaint within 72 hours to benefit from insurance protection

A complaint must be lodged with the appropriate authorities, such as the police or gendarmerie, or directly with the public prosecutor, within 72 hours of the victim becoming aware of the attack on his or her information system.

The 72-hour time limit poses two problems.

Firstly, it is very short, as cybersecurity incidents are often complex and require in-depth investigations to determine their nature, extent and consequences.

Secondly, the starting point for filing a complaint is open to interpretation. If the policyholder has information that does not allow him to confirm with certainty that his system has been hacked into or data extracted, but has a reasonable suspicion of a breach, should he file a complaint as a preventive measure to avoid his insurer refusing to pay compensation, even if it means filing a complaint for minor incidents and drowning the authorities in countless complaints?

As the 72-hour time limit for lodging a complaint is a ground for exclusion from coverage, it is bound to become the subject of legal debate.

IV. Filing a complaint within 72 hours: what to do in practice?

When a cyber incident is discovered, it is advisable to file a brief complaint with the relevant authorities, in order to comply with the 72-hour deadline imposed by the French Insurance Code.

Then, once the scope of the cyber incident is known, a detailed complaint can be filed directly with the public prosecutor.

In the case of an attack on your information system, the complaint can be lodged directly with the J3 public prosecutor’s office, which specializes in cybercrime.

The content of the complaint must be perfectly in line with the provisions of your cyber insurance cover, which presupposes full knowledge of the latter.

So, since a cyber incident can have major consequences for your company, it is advisable to work with a tandem of insurance and criminal lawyers to control your cyber risk.

V. Conclusion

Beforehand

A company wishing to protect itself against cyber-attacks must first check whether it holds a specific cyber insurance policy, or whether its cyber cover is an extension of a pre-existing policy. If such a policy exists, it is necessary to check the definition of the “IT perimeter”, the term “third party” and the exact definition of the insured company’s activity, subcontractors and employees, expenses and estimated coverage limits.

For effective coverage

Secondly, it is necessary to pay attention to certain specific guarantees.

It is preferable to include a “ransomware” clause to cover cyber extortion and the exchange of the victim’s personal data (alteration, destruction or communication).

Non-material damage cover must include damage to the computer system, to the company’s personal data and to third parties, economic loss (loss of business) and infringement of rights (privacy, intellectual property rights).

Companies need to clearly understand the scope of material damage cover, so they know what is covered (breakdown, machine breakdown, fire, etc.).

“Computer fraud” covers financial losses corresponding to the value of funds, securities or financial assets following unauthorized access to or use of the insured company’s computer systems.

“Telephone Fraud” covers the cost of excess telephone consumption resulting from unauthorized access to and/or use of the insured company’s telephone systems.

In the case of business interruption cover, cover should be provided from the date of interruption of the insured company’s activities, rather than from the date of notification of the loss.

It is also crucial to take into account the possibility of an investigation or sanction by an administrative authority in the risks covered by the contract.

Not forgetting third-party liability coverage

Finally, a company must ensure that its insurance policy also covers its civil liability in the event of a cyber-attack. An effective cyber insurance policy should include cover for the costs of legal action taken or suffered by the policyholder, as well as civil liability coverage in the event of disclosure of third-party data or human error.

Adding other useful cover

The company can also negotiate its insurance contract to include coverage for risk mitigation costs, such as the reasonable and necessary costs of making a claim against the insured, as well as costs related to the threat of extortion, including defense costs, the cost of calling in a specialist, investigation and forensic analysis costs, and bank loan costs.
