Several large companies have decided to create their own insurance to cover cyber risks. At the same time, the members of Cesin expressed their opposition to the government's plan for insurance companies to compensate ransom victims on the condition that they file a complaint.
The world of cyber insurance in France is changing a lot and continues to raise questions for companies and CISOs. Companies face a shortage of offers because many insurers have decided to no longer offer cyber risk cover. Hence the initiative by several large companies, Airbus, Michelin, Veolia, Adeo, Sonepar but also the German BASF and the Belgian Solvay, to create their own insurance. Named Miris Assurance, it is based in Belgium and aims to obtain regulatory approval by 2023.
The participants in the Miris project refuse to compete with the insurance companies, but point to the lack of offers or the excessive prices. Last year at the Assises de la Sécurité, several customers complained about the significant increase in insurance. One of the participants had informed us of “a multiplication with only two of the contracts”, while the company had just completed an audit to be certified ISO 27001. We can also cite the British Lloyd's decision to exclude attacks carried out by states from insurance coverage, a choice that will have legal consequences for the possibility of attributing cyber attacks. Returning to Miris Assurance, each participant brings 5 million euros in capital and can generate up to 25 million euros in individual coverage.
Cesin positions itself against the payment of ransoms
Still in cyber insurance, the government's decision to have insurers compensate ransom victims in the event of filing a complaint is not going through. We remember the suggestive image of Guillaume Poupard, director general of Anssi, with a cat banging its head against a beam. It is Cesin's turn to show its opposition to this project, which is to be included in the Ministry of the Interior's orientation law.
The Association of CISOs surveyed its members on the subject, and the result is clear: 82% of respondents are against this decision. The club raises several questions about this choice, such as the risk of encouraging cybercrime and the pressure that insurance companies can put on their customers to pay the ransom if it turns out to be lower than the cost of remediation. There is also an increased risk of repetition for the company when it has been labeled as a “good payer” by the cybercriminal community, the proliferation of unscrupulous intermediaries to negotiate with criminals, etc. So we can see that the cyber insurance industry is not done getting people talking about it…