[EXPERT OPINION] Cyber security and cyber insurance are the two pillars of an effective defense of companies against cyber risks. Analysis by our expert François-Pierre Lani, attorney at Derriennic Associés.
From the Rouen University Hospital Center in November 2019 to the Dax Hospital Center in February 2021 and, more recently, the South Ile-de-France Hospital Center in Corbeil-Essonnes in August 2022, the French hospital sector, often poorly protected, has suffered many cyber attacks. These attacks, mostly accompanied by ransom demands, block access to computer systems and completely paralyze the affected devices.
No company is immune to cyber risks, which is why it is essential to defend against cyber threats, both preventively and curatively.
Strengthen companies’ cyber security
Every company must strengthen the security of its computer system by following a few main rules:
1. Carry out, on an ongoing basis, an audit of its IT system by analyzing the contracts and the security measures that the various stakeholders have implemented, and by analyzing the impact a cyber attack would have on the company.
2. Establish a business continuity strategy and create a security policy, reinforcing where necessary the weak points identified during the audit. Staff training is also essential to make the security policy effective: IT security always depends on the weakest link in the chain, which here is the user.
3. Establish monitoring and alerting systems (systems that monitor activity and send warnings).
4. Create a crisis unit and determine the processes to be followed in the event of a cyber attack. To do this, it is useful to identify the main contacts internally and externally, to define the processes to be applied in the event of an incident, and finally to run simulations to improve the system. Various guidance documents and plans, such as the Business Continuity Plan (BCP), can be adopted to respond more effectively.
Take out cyber insurance
In a report on the cyber insurance market, the Ministry of Economy announced its intention to include in a bill the possibility for companies to be compensated by their insurer in the event of a ransomware attack. The only obligation imposed on companies would be to file a complaint within 48 hours of the incident causing the loss.
This ransom payment measure, which is still under consideration, seems shocking at first glance, but it would allow companies to limit downtime and losses in the event of a ransomware attack. After all, a business that is robbed is insured; why should it not be insured against ransom?
Regardless of the legislature's decision, taking out cyber insurance is an increasingly important step for businesses to consider, because beyond the specific case of ransoms, insurance solutions can cover many costs.
This is the case for:
- (i) financial losses (data reconstruction costs, remediation costs, additional operating costs, contractual penalties or administrative fines for breach of the law, etc.);
- (ii) crisis management costs (security consultant fees, technical and legal advice, etc.);
- and even (iii) damage caused to third parties (transmission of the virus to a third party, leakage of confidential third-party information, etc.).
Paradoxically, while 84% of large companies had taken out cyber insurance by 2021, only 0.2% of VSEs, SMEs and ETIs (mid-sized companies) had done the same, according to the Lucy 2022 report from Amrae (the French Association for Corporate Risk and Insurance Management).
Be aware, however, that the cyber insurance market in France is still young: policies and premiums are therefore very heterogeneous. Similarly, certain existing policies, such as professional liability, already cover some of the costs mentioned above. In any case, awareness of the need to defend against cyber risks should not come only after a major disaster.