A parliamentary report on cyber insurance proposes, among other things, to prohibit insurers from paying ransoms. It also recommends a clarification of this profession which seeks its place in the assistance provided to companies’ security policies.
MP Valérie Faure-Muntian (LREM) threw a stone into the pond with her report on cyberinsurance. In this document, several proposals are made to clarify this booming sector. On the ransomware part, the report makes a shock proposal which recommends the inclusion in the law of prohibiting the payment of ransoms by insurers.
The economic equation actually works against cyberinsurers, the volume of premiums increased by 49% in 2020 (to €130 million), the amount of compensation paid was multiplied by 3 (to €217 million in 2020), specifies the report. The latest figures published by the US Treasury can make you dizzy, 398 million dollars in ransoms paid in the first half of 2021. According to the MP, France would have become an Eldorado for pirates after the decision of the US administration to sanction companies which matched the ransoms (thus making the US market a little poorer). An idea also taken up by the parliamentarian in her report.
Ransomware negotiator, a rising role
Regarding the payment of ransoms strictly speaking, all the participants of the Assises de la Sécurité which took place in Monaco are not against it. “In some cases, payment is the best solution to return to normal activity”, slips a CISO from a large group who wished to remain anonymous. Yet the official doctrine is indeed not to pay the ransom, a watchword recalled by Guillaume Poupard, director general of Anssi, without however “blaming the victims”.
On the other hand, it is more critical of insurers who “focus on ransoms and have the ability to negotiate.” An open door to the arrival of unscrupulous intermediaries. He prefers to emphasize the other part of MP Valérie Faure-Muntian’s proposal to “focus more on prevention, support and ensuring the consequences for a company”.
A vehicle for improving business security
For Guillaume Poupard, “cyberinsurance has a role to play in setting rules, good practices, it is a complementary way to improve business security”. Insurers would therefore push client companies to strengthen and optimize their security. They would thus constitute a brick of the security policy. “It is fully in line with the company’s PSSI (information systems security policy), acknowledges Christophe Tallot, CIO of Mazars. The latter has just obtained the 27001 certification which specifies the requirements relating to information security management systems (ISMS). Obtaining hailed by insurance, but which does not prevent the surge in insurance premiums, “it has doubled this year”, observes the leader.
Within the parliamentary report, the MP pleads for the development of an ecosystem by bringing national insurance companies closer to French cybersecurity companies. Among the latter, we can cite Citalid, which offers a platform for quantifying financial exposures. A way to find out the benefits of being cyber-insured, the amount of premiums, coverage and exclusions. The city councilor also advocates an effort by this ecosystem with SMEs-SMIs, local authorities and administrations where cyberinsurance remains “fragmented and discontinuous”. There is therefore still work to be done to structure this sector which has had an erratic existence (we remember the suspension of Axa from the guarantee of payment of ransoms), but the parliamentary report gives food for thought. To meditate then…