Insurance: why improving cybersecurity means optimizing budget

Why take out cybersecurity insurance, what does it cover, and what does it mean for the cybersecurity budget?

The cost of cybercrime is expected to reach 100 billion euros in France by 2024, and French SMBs have been attacked nearly 20 times more than large corporations over the past year, according to a report by Campus Cyber. And elsewhere in Europe? In Germany, the cost of cyberattacks to the economy is estimated at 148 billion euros. Worldwide, the cost is estimated at $8,000 billion.  

To protect themselves, organizations can implement technical protection measures with various cybersecurity solutions; and to guard against the economic consequences of an attack, they can take out cyber insurance. Indeed, insurance can help to alleviate the costs associated with rebuilding an information system, repairing damaged equipment…  

But is it possible to cover all risks? When does insurance cover an organization, and when doesn’t it? How can prevention and cybersecurity solutions help reduce insurance costs?

Why take out cybersecurity insurance?

According to data reported by BNP Paribas, digital technology is a growth driver for over 80% of companies.   

A cyberattack therefore almost always has a direct financial impact, whether through service interruption, data theft, legal consequences or damage to reputation.

Cyber insurance is therefore an obvious solution to improve resilience. To achieve this, it is first necessary to identify the risks weighing on the organization, as well as the responsibilities involved.  

However, when it comes to SMBs (99% of the economic structure in France, for instance), although 70% say that cyber threats are a major concern, more than half feel that they lack information on best practices and the measures they need to take to protect themselves.   

What’s more, 93% of SMBs won’t even have a dedicated cybersecurity budget in 2023! Against this backdrop, it’s hard to get your head in the game, whether it’s to protect your information systems effectively or to take out cyber insurance.

Cyber insurance: the figures 

In the wake of the major WannaCry and NotPetya incidents in 2017, large companies mobilized to strengthen their cybersecurity and to guard against the consequences of an attack.

Unfortunately, the same cannot be said for small and medium-sized businesses. In fact, Philippe Cotelle, director of Amrae (Association for Enterprise Risk and Insurance Management), estimated in 2023 that “around 10% of small and medium-sized businesses are cyber-insured today. The figure is less than 10% for SMBs”.   

Over and above the budget that an insurance policy represents, the process generally requires resources that SMBs can’t always commit: notably, organizations have to fill in forms containing several hundred questions, which the insurer uses to decide whether or not to underwrite the risk.

Cybersecurity insurance and NIS2: what about essential organizations? 

According to a survey conducted by ENISA in 2023, 74% of essential service operators (OES) do not have cyber insurance, with price being the most frequently cited reason. Also, only 37% of OESs surveyed have identified insurance as a risk reduction lever, and in most cases (88%), CISOs are not involved in the choice of whether or not to take out insurance. The road to mass adoption still seems a long one! 

While some general insurers have developed offers that include cyber risks, others, since the WannaCry and NotPetya attacks mentioned earlier, have shied away from covering cyber risk altogether, given its ubiquity and the scale of some of the damage. NotPetya was qualified as an act of war, which insurers do not cover; we’ll come back to this in the next section.

But what risks can be covered by cyber insurance?  

The risks covered by cyber insurance

Cyber insurance can cover the following risks:  

  • Loss of funds paid out as a result of a social engineering attack, extortion or fraud, 
  • Data loss and recovery.  

It can also cover the following associated costs:   

  • Forensic expertise to investigate the causes and damage of the cyberattack, 
  • Legal action, compensation for customers or third parties,  
  • Identification of victims, and costs associated with informing them in the event of a data breach (this is a legal obligation),  
  • Public relations to inform the public and restore the organization’s reputation. 

While most policies cover costs relating to ransomware, malware, phishing attacks or data theft, the extent of coverage obviously affects the amount of the premium, a determining factor in the choice of policy.

On the other hand, you should be aware that cyber insurance does not cover risks such as loss of intellectual property resulting from a data breach, the cost of setting up a security infrastructure, business interruption or loss of opportunity resulting from a cyberattack, or even state-sponsored cyberattacks which, as we mentioned earlier, can be qualified as acts of war.  

In all cases, it is advisable to check exclusions with the insurance company before taking out insurance, to avoid unpleasant surprises. The same applies to the choice of deductible, which determines the amount of the premium (the lower the deductible, the higher the premium the organization pays).

Increased demands from cyber insurers 

To cope with growing cyber risk, and the resulting claims payouts, insurers have tightened their requirements. In France, for example, because the market ran a deficit in 2020, they decided to tighten underwriting conditions, increase premium rates, raise deductibles and reduce coverage limits. The following year, for large companies, every 100 euros paid in premiums gave rise to 16 euros in compensation.

Today, while organizations are more inclined to pay a ransom when they are covered by insurance, they are not always 100% covered in the event of a security incident. In the case of ransomware, for example, a study carried out by Dell in 2024 shows that ransoms are not covered in full: only 28% of companies surveyed had the ransom amount fully covered, and for 43% of them, the policy sets a limit on the amount of compensation paid out.

Insurance cannot, therefore, cover all the damage caused by an attack. It is also the responsibility of organizations to put in place the best practices and tools to protect themselves effectively against security incidents. 

This is what the (particularly tedious) forms mentioned earlier are for: insurers require policyholders to take a number of security measures before they will underwrite the risk. Which ones?

What you need to do to take out cyber insurance

To cope with growing claims, insurers have not only raised premiums and reduced coverage limits, as we have already discussed; they have also tightened the conditions of access to their services.

Implementing robust security measures makes an insurer more likely to offer a premium at a reasonable rate, and is sometimes a sine qua non condition. It’s exactly the same as for car insurance: you need to be able to prove that the vehicle has passed its regular technical inspections in order to be covered.

In practice, these cybersecurity measures can be as follows: MFA, patch management, security team training, IAM, PAM, EDR, SIEM… 

A Netwrix study reports that in 2023, 30% of organizations with cyber insurance applied additional security measures to qualify for the policy, compared with 22% in 2023. In addition, applying these measures may have helped to reduce the overall cost of the insurance contract.

So, not only does equipping your security teams with an EDR provide peace of mind, it’s also a way of optimizing your insurance budget and obtaining better coverage!

Looking for cybersecurity solutions, but don’t know how to choose or manage them? You can rely on an MSSP!