Interview with Stoïk, the cyber insurance company

With the crisis, cyber attacks have multiplied and no one is spared: SMEs, large companies and institutions are frequently targeted. SMEs in particular are hardly insured against this risk.

After a significant funding round, Stoïk therefore decided to enter this market by offering a solution that combines security software and cyber insurance. It is also the first player to offer this kind of package. Jules Veyrat, co-founder and CEO of the start-up, tells us more in an interview.

How do you explain the resurgence of cyberattacks since the beginning of the crisis?

The simplest explanation is telecommuting, because of the poor security of remote connections. Indeed, more and more employees need to connect remotely, so businesses need to put in place systems that can be connected to. And the more remote connections there are, the more gateways attackers have if the security barriers are not properly set up.

Is it possible to easily protect against these attacks?

At Stoïk, we support companies, and there are a lot of measures that can be put in place. I'll take a specific example that is a matter of company policy: for remote access to sensitive data, it is far better for a company to require more login credentials. This is a practice that may seem pretty obvious, but it makes computer systems very secure because it means that a simple phishing attack is no longer enough to connect.

What makes ransomware so popular?

Ransomware is a virus that can be used by any individual, even one with no computer skills. In addition, the economic model of ransomware is very smart. And the more they work, the more they are developed. The more companies pay the ransom, the more money it gives the hackers to develop even more powerful attacks.

That's why you must never pay ransoms, and insurers must not reimburse them. This is as much our position as that of ANSSI, or the state.

What types of cyberattacks are likely to increase in the coming years?

We must first differentiate the attack vector from the type of attack. On the one hand, there is the way in which attackers enter a computer system and, on the other, what they do. For this second aspect, it's always the same types of problems: attackers leak data, retrieve it, or block the computer system. Following this, they can ask for a ransom or even ask for nothing, if the attack was carried out simply for the pleasure of doing harm.

With the attack vector, on the other hand, we touch on the great issue of cybersecurity and cyber insurance. We are in a game of cat and mouse all the time. Information systems directors (ISDs) are closing the doors one by one and trying to protect themselves, while attackers are constantly finding new flaws. So we do not know today what the flaws will be in two years. We know, however, that there will be new ones because the attackers are constantly looking for new methods.

There is something very special about cyber risk: its constant evolution, which makes it essentially difficult to control. Today there is a lack of hindsight and data to understand the types of attacks and their impact on companies. Moreover, it is possible that, today or in the years to come, we will always lack data because the attacks will have evolved. This risk is therefore very volatile. This is also what makes it so interesting from a technical and insurance point of view.

Cyber risk is relatively new. Is its appearance unique in history?

Cyber risk has something very special: its permanent evolution, which in essence makes it difficult to control. This is in line with what I said before: today there is a lack of feedback and data to understand the types of attacks and their impact on companies. Moreover, it is possible that, today or in the years to come, we will always lack data because the attacks will have evolved. This risk is therefore very volatile. This is also what makes it so interesting from a technical and insurance point of view.

But then, how do you compensate for a cyber risk if you have a hard time estimating its impact?

Going by a company's insurance statement, there are clearly identifiable expense items for compensation. Not all the consequences of a cyber attack are identifiable, especially in terms of the impact on reputation. The three main items of compensation in cyber insurance are:

  • crisis management: it is the cost of providers who intervene to help ensure that the crisis has the least possible impact on the company, with technical, legal and crisis communication experts;
  • the consequences of a data leak: from the moment the data leaks, the company has direct cost items, including in respect of its professional liability (a customer may demand compensation for the leakage of his data, for example);
  • minor consequences of a computer system outage: there will be computer system overhaul costs and operating losses, which are calculated fairly efficiently.

It is therefore necessary to insure against cyber risk, because large expenditure items are covered, but in the end, every effort must be made to prevent the attack from happening, due to the consequences that cannot be covered.

How do Europe and France stand in terms of protection against cyber risks? What about the United States and China?

This is harder to say for the Asian market, but it is certain that the US market is 10 years ahead of the European market. Across Europe, France is one of the best students in terms of insurance and security. But in the United States, the market is more mature, with many more players in security and cyber. Above all, there is a much more receptive mindset toward the logic of insurance. In the United States, when you see a risk that can be very costly, insurance is obvious. In France, it takes longer to make it clear that this is a risk to be insured against.

Why are insurers so reluctant to offer cyber insurance?

Today, France and Europe lack hindsight and data on cyber risk. It is difficult to estimate loss expectations based on company profiles. Insurers are so timid because they don't have the technological background to audit and understand the true level of risk of the companies they have to insure. They have a logic that is the same as for housing or other insurance products, a declarative logic where you check boxes. Except that for computer risk, you need advanced computer skills. Without these skills, one cannot understand cyber risk. Traditional insurers therefore lack the tools to fully understand this risk.

A report by the Association for Risk Management and Business Insurance (AMRAE) in 2020 showed, in particular, that the claims/premium ratio was 162% for insurers. In other words, they lost a lot more in compensation than they earned in premiums. And they don't know how to offset those losses, except by raising prices, which is not a very viable long-term strategy.

Finally, does an SME have any interest today in taking out cyber risk insurance?

Yes, insurance is a pure economic calculation: is it worth investing this much, given the loss I may suffer over the coming months or years? Given the cost of attacks and their growing frequency, it is obviously a good bet for an SME to insure, provided it insures itself with players that have this technological knowledge.

How does Stoïk stand out from its competitors?

What sets us apart is that we are a cybersecurity company that sells insurance, and not an insurer that sells cybersecurity insurance. Concretely, what changes is that with the insurance policy, all our customers have access to the tools that we develop, which are meant to help them and which we make available free of charge. So we insure and help customers protect themselves and reduce the risk, for the same price as, or even less than, other insurers. This is what makes us more attractive to the customer.

Especially since we think our model is viable, because these tools allow us, on the one hand, to select customers from a technological point of view and only with the statement mentioned earlier, and, on the other hand, to continuously improve our portfolio risk and return to a win-win logic with customers. We want to help them protect themselves, they also want to protect themselves, and everyone benefits if there is no attack.
