Legislative clarification for cyber insurance
A report by the National Assembly’s Insurance Study Group highlights the need to clarify the contractual terms and concepts relating to cyber insurance.
The cyber insurance market is booming. On the one hand, cyber risks are increasing considerably for companies, which are tempted to adopt an insurance approach in addition to traditional cybersecurity. On the other hand, insurers are multiplying their offers, but these are not always satisfactory, as the AMRAE (Association for the Management of Risks and Insurance of the Company) has noted. Intervention by the legislature is therefore a possibility, and it has been studied in a recent report produced for the Insurance Study Group of the National Assembly by the deputy Valéria Faure-Muntian in collaboration with Romain Dewaele.
The report recommends in particular clarifying the contractual terms and concepts relating to cyber insurance, harmonizing the terms of assessment (as has been done for health contracts, for example) and providing for hybrid cyber insurance / cybersecurity offers intended for VSEs/SMEs. The MP also criticizes some shortcomings, such as the absence of a formal and indisputable prohibition on an insurer paying a ransom, although the logic of the current texts would tend towards such a prohibition. The legality of covering administrative fines, in particular those imposed by the CNIL, is not clear (the prohibition is clear for criminal fines); here, the deputy advocates authorization instead. To facilitate the monitoring of cyber-attacks, the MP would also like an anonymous census managed by the GIP ACYMA (Cybermalveillance.gouv.fr), whose resources would be reinforced. Faced with a risk that may become systemic, the report defends the hypothesis of public-based reinsurance.
The report also points out that the training of magistrates needs to be improved, although this is not strictly speaking a matter of cyber insurance. Likewise, several initiatives are planned to improve the coordination of cybersecurity players, favor small French players and increase the awareness of company personnel (and in particular insurers).