In a hyper-connected, increasingly digital world, the question for a company, an SME, a liberal professional or any individual is no longer whether it will be exposed to cyber risk, but when and how costly it will be. Numerous recent examples illustrate this threat. Philippe Bonte, CFO, Foyer Group, the leading insurer in Luxembourg, and Frédéric Helias, Product Owner, Cyber Project, Foyer, break down the main cybersecurity issues.
(Featured Image: Frédéric Helias and Philippe Bonte are coordinating the cybersecurity activities of insurance company, Foyer / Image Credit © Silicon Luxembourg / Anna Katina)
How would you define the role of the insurer when it comes to cybersecurity?
GDPR, in effect since May 2018, introduces, on the one hand, new obligations for companies, and on the other, heavy penalties (up to €20 million, 4 percent of the worldwide total) in the case of non-compliance.
In light of the risks and regulatory constraints, insurers are required to assume an important role in supporting companies, particularly in the case of:
Theft of sensitive data or digital assets with a market value that may result in the liability of the company and/or consequential costs and losses
Attempted cyber extortion by encrypting data or paralyzing computer systems to disrupt business activity
However, we insist that insurance is not the following:
An alternative to prevention; it is a complement that makes it possible to finance the risk that prevention was unable to avoid
Encouraging cyberattacks, as we will not pay ransom demanded by cybercriminals
You emphasize the important role of the insurer. How do you explain why so few companies in Luxembourg & Europe are insured against cyber risk?
This is mainly explained by three phenomena:
Media coverage of this threat and the regulations I just mentioned are very new
The majority of companies, let alone SMEs, mistakenly consider this a purely technological risk and believe that their IT service providers’ prevention tools are sufficient. In other words, companies are unaware of the responsibilities, obligations, penalties and risk of business interruption they face due to cyberattacks
In Luxembourg, there is still no standardized insurance solution being offered by the main insurers
As Luxembourg’s leading insurer, is Foyer planning to offer cyber insurance?
Yes – in the spring of 2019, Foyer Group will launch a new, fully standardized cyber insurance offer for small- and medium-sized businesses, as well as liberal professionals.
What expertise do you bring when accompanying clients?
Here, you highlight the key point of cyber insurance: to quickly provide an accompanying solution in emergencies caused by a cyberattack. We have, therefore, surrounded ourselves with local and European legal and tech experts. They form a multiskilled crisis-management unit that can respond 24/7 to any suspicion of cyberattack.
Can you briefly describe the concrete details of your future cyber-insurance offer?
Our offer includes, of course, an insurance component aimed at covering the financial consequences that prevention couldn’t avoid. As previously mentioned, we will also offer a support component through a crisis-management unit. The purpose of this unit is to identify or confirm the origin and nature of the problem, and then to implement the necessary actions, in agreement with the client.
Here are some examples of emergency situations in which this unit is involved:
Example 1: A merchant has just received a complaint about his credit card payment terminal, which presumably was hacked by malware. The cybercriminal has managed to divert several thousand customer bank details.
Example 2: A liberal professional (doctor, lawyer, insurance agent, etc.) had his or her mobile device stolen (computer, tablet or smartphone). It contained confidential customer data. Should he or she contact the CNPD or the customers directly?
Example 3: The data of a service company (quotes, invoices, orders, etc.) was encrypted by an external email sent by a cybercriminal. This criminal demands the payment of $3,000 in Bitcoins in return for the decryption key. In the meantime, the company’s activity is slowed down or stopped.
Example 4: A merchant achieves a significant part of their turnover through the sale of products online. Their web server is saturated and inaccessible for 24 hours following a “denial of service” attack from a cybercriminal. As in the previous example, the criminal demands $3,000 in Bitcoins to release the server. This merchant’s activity is completely halted and the loss of turnover is critical.
Example 5: A company received an abnormal telephone bill of €3,000. Its telephone company has just informed it of several thousand calls made to premium-rate numbers over the weekend. This is likely due to hacking.
It is important to specify that the compensation of the insurer covers not only the civil liability of the company, but also the profit losses resulting from a total or partial interruption of its activity due to a cyberattack (see examples 3 & 4).
What is your long-term ambition in this new cyber-insurance market?
Due to the complexity and diversity of the underlying risks, cyber insurance is an insurance that sells, in contrast to a simpler insurance like the travel insurance that is bought.
Thanks to our important local distribution network and the partnerships we have formed, Foyer aims to become the leader in this new cyber-insurance market.
We believe that in the mid and long term, due to current technological and behavioral changes (digitization, robotics, hyper-connectivity of people and materials, etc.), the traditional insurance we know well will give way to a cyber insurance boom, a transition for which we are already preparing.