Cyber insurance: pay attention to the drafting of the contract


Insurance law

Nearly 70% of French SMEs are targeted by cyber attacks. The Covid crisis has only made matters worse: cyber attacks have increased by 400%. Given this growing risk, businesses are being forced to take out specific policies, especially as insurers are increasingly excluding cyber risk from their other policies. Parliament recently voted to create article L12-10-1 of the Insurance Code, which came into force on 24 April 2023 and makes compensation by the insurer conditional on the insured lodging a criminal complaint within 72 hours of becoming aware of the attack. The aim of this measure is to "objectify" cyber attacks and give them a definite date as far as insurers are concerned (as is already the case for theft).

A cyber insurance policy is designed to cover the financial consequences of a cyber attack, in particular where the victim's personal data or computer system has been compromised. Any entity that collects, stores or processes data, and for which a compromise of its computer system would have a major impact on its productivity, is exposed to cyber risk. This type of cover can either be included in a property insurance policy or be the subject of a dedicated policy.

A few points to check beforehand

As with any insurance contract, there are a number of points to check beforehand:

Specific cover relating to cyber security

As a first step, a "ransomware" clause should be included to cover cyber extortion and any exchange of the victim company's personal data (so as to prevent the alteration, destruction or disclosure of that data). In addition, the involvement of the insurer and the use of IT specialists must be planned for. The scope of the definition of "non-material damage" should be clarified so that it includes the various losses caused by the cyber attack: in particular damage to the computer system; harm to the personal data of the company and/or third parties (theft, misappropriation, reproduction, transfer, alteration, distribution, destruction); and the blocking of servers and the paralysis of the production unit.

The policy must also cover economic loss: loss of business resulting from business interruption or loss of customers, disruption of the company's operations, and fraud committed through identity usurpation or theft of data. A cyber attack can also infringe rights such as the right to privacy, image rights and intellectual property rights (trademarks, patents, copyright) through the theft of ideas or concepts, plagiarism or misappropriation. For broader cover, it is advisable to have the policy triggered by the insured event itself (occurrence basis) rather than by the date on which the claim is reported (claims-made basis), so that an attack discovered late is not left uninsured. The policy should also cover "material damage" in the event of a breakdown, machine failure or a fire caused by a malfunctioning fan in the computer system.

The company’s civil liability

This must be covered in the event of disclosure of third-party data, human error or the effects of power. Provision must be made for the costs incurred in the event of legal action, a claim for damages by a third party, or the company's liability under the GDPR (RGPD). Lastly, it is essential to broaden the contract by including cover for risk mitigation costs, that is, the reasonable and necessary costs incurred to prevent a breach from occurring.

The policy should also contain a sufficiently broad clause covering the costs associated with a threat of extortion or an actual extortion: compensation for the sum paid in the cyber extortion; the use of a consultant, translator or interpreter, and the costs and fees of a "cyber extortion consultant"; defence costs (lawyers); forensic investigation and analysis costs; the costs of restoring the computer system and data media; crisis management costs (vulnerability audit); notification costs; the funds, costs and interest on loans taken out by the insured to pay the cyber extortion; and the costs of investigations and sanctions by an administrative authority (for non-compliance with the GDPR, for example). Finally, beware of the exclusion clauses specific to cyber policies, such as those relating to the jurisdiction of French or foreign courts (which affects the claimant's choice of forum), server breakdown or cyber fraud.

Enthemis copyright, all rights reserved – 2023