More French firms are buying cyber risk insurance covers in 2018, in part because board members are worried they will face blame after an attack

Laure zicry

More and more French companies are buying cyber risk insurance covers in 2018, because of several contributory factors.

Among these is the fear among board members that they face the sack for seeming ineffective or culpable in the wake of a major cyber-attack, according to Laure Zicry (pictured), Willis Towers Watson’s head of cyber for Western Europe.

Alongside this fear, a growing number of firms have suffered first-hand experience of cyber-attacks, or else fear the EU’s incoming General Data Protection Regulation (GDPR), enforceable from 25 May 2018.

“In France, most of the companies are buying cyber insurance, either because they have suffered a claim, either because they know GDPR is coming, or, increasingly, because of questions being asked by company board directors,” Zicry told StrategicRISK.

Attacks in 2017 have brought the risk home to some board directors, who may have previously shut themselves away from cyber risk, leaving it to their IT departments, without troubling to ask the Chief Information Security Officer whether there is a plan or protection in place.

They are also increasingly waking up to GDPR.

“Some board directors have observed that they can be sued, or lose their jobs, after a damaging cyber-attack. We saw that in 2017 with the Equifax’s cyber-attack. Some companies remain unaware of the liabilities, but I would say that is now a relatively small percentage,” she added.

2017 was a year of cyber extortion – particularly the WannaCry. Not/Petya virus also did huge losses.

Companies such as the shipping firm Maersk had to replace computers across their enterprise, globally, and temporarily rely on manual processes not used in years.

“Companies lost a lot of money in the recent Not/Petya attack, and as a result, clients now understand the insurance coverages better.

Ransomware can have a lot of costs and can have huge impact on the assets of the company. These types of attacks are one of the biggest,” said Zicry.

A common question about cyber insurance is whether companies rely on existing policies, updating them to cover such risks, or buy standalone covers – which typically include consulting and crisis management services.

Zicry said: “We make gap analyses on their existing policies. We sometimes suggest to the client that they can be insured on their traditional policies but most of the time we suggest that they buy a standalone cyber policy.”

She is also working on a project to map out the cyber exclusions in place across Western Europe. Willis Towers Watson has also launched its “in house” Cyber wording. “It has been launched in France, and we’re now working on implementing it for all Western European languages,” Zicry added.