ABIL was a speaker at the ILA conference on « Tax risk and other hot topics: where do we stand and is your insurance policy facing them? ». Slides are available here: Template_ILA PPT_ENG D&O 20022018 V.6
Concerns by directors and officers about the risks of personal liability have increased over the years, most probably as a consequence of the more regulated and complex business environment they are confronted with daily.
The recent global financial crisis has put directors and officers of both public and private companies under regulatory scrutiny like never before, and legislators have introduced new rights of action allowing claimants to bring civil claims.
Securing a good Directors & Officers Liability Insurance (D&O Insurance) certainly is one of the most effective ways to protect individual directors against claims. But managing the risk also involves D&Os becoming well aware of their regulatory obligations.
The subject is obviously already abundantly covered in Luxembourg and in our capacity as insurance broker we do not intend to provide here a comprehensive overview of the matter. It is however worth remembering, by way of introduction to our upcoming “D&O insurance” newsletters, some of the framework principles applicable to the liability of directors and officers.
A complex and evolving legislative and regulatory landscape
Directors and officers are agents of the company (contrat de mandat). As a consequence, they do not enter into any personal engagement concerning the company’s obligations and the actions of a director should be treated as being the actions of the company itself. This principle, set out in article 58 of the Luxembourg Law of 19 august 1915 on commercial companies (the Companies Act), is the first line of defense available to directors & officers, allowing them to protect their own personal assets from claims against the company. Nonetheless, the shelter from personal responsibility is far from absolute. Directors will indeed be held personally liable towards the company or third parties for their own errors, negligence or even omissions in the performance of their duties.
To put it simply, a distinction is made between three sources of general civil liability:
- In the first instance, directors are accountable to the company for mismanagement in the performance of their contractual duties (article 59(1) of the Law of 19 August 1915). The company is in principle the only party entitled to invoke such contractual liability, in its capacity as principal in the agency relationship. Eventually, it will have to take action against each of the directors separately, as the liability here is not joint and several. Frequent errors of mismanagement include not attending board meetings, lack of supervision of delegates, entering into contracts on terms detrimental to the company, various omissions and negligence such as dismissal of an employee without valid reason or even not providing for adequate insurance;
- Article 59(2) of the Law also establishes an aggravated liability of directors & officers to both the company and third parties (such as creditors) for breach of the Law or the company’s articles of association. This action may be founded either in contract or in tort, depending on whether the claimant is the company or a third party. The law here provides for a rebuttable presumption of joint and several liability of the board of directors. To avoid liability, the directors must prove that they did not commit any tort and that they gave notice of the alleged facts to the general meeting of shareholders as soon as they knew them. Such liability may for instance be invoked when directors delay the approval or filing of the annual financial accounts, do not convene the general meeting of shareholders, or breach the statutory distribution of competencies between the company’s bodies.
- Finally, in limited circumstances, directors & officers may be held liable to third parties for damage under the general rules of tort law (article 1382 of the Civil Code), but only when the directors have engaged in tortious conduct (as opposed to a mere management fault). Some examples here include the abusive continuation of a loss-making activity or the undertaking of obligations that the company is obviously not able to meet.
Next to those general civil liability principles, directors and officers can incur many other liabilities under specific laws.
Firstly, the Luxembourg tax administration may hold managers personally liable for the payment of the company’s own taxes. As far as direct taxes are concerned, the source law is to be found in articles 103, 109 & 118 of the General Tax Law (Abgabenordnung). The tax authorities must notably prove that the managers refrained from paying the taxes (such as the withholding tax on salaries and wages for instance) in a fault-based way. Newly appointed directors are even liable for events that occurred prior to the start of their mandate, if they were made aware of them. The same applies to indirect taxes. Following the 2017 Luxembourg Tax reform, directors are now also jointly liable for the VAT due by the company in the event of a culpable breach of VAT compliance obligations and/or non-payment of the VAT (articles 67-1 to 67-4 of the VAT law). All those liabilities are primarily imposed on the directors in charge of the day-to-day management of the company, whether de jure or de facto. The issue of directors and officers being held liable for a company’s taxes is certainly not limited to Luxembourg, and many other jurisdictions, including Belgium, Germany and Italy, have introduced similar provisions in their tax legislation.
Directors and officers are furthermore exposed to various administrative and/or criminal fines and penalties.
In the tax field again, the law distinguishes between three forms of tax offenses in the area of both direct and indirect tax: simple tax fraud (avoidance of taxes or benefit from undue reimbursements); aggravated tax fraud (when the amount of tax evaded is substantial); and tax swindle. Whereas simple tax fraud is subject to administrative sanctions to be imposed by the tax authorities, the other two offences are criminally prosecuted. Those entrusted with the daily management of the company would be well advised to closely monitor the fulfillment of any of the company’s tax obligations.
In another vein, directors and officers may also be subject to criminal sanctions and administrative fines for breach of laws on privacy protection. The foregoing applied in Luxembourg for instance to directors who violated the right of privacy of employees (such as the secrecy of correspondence), or to directors whose company used a video-surveillance system without the prior approval of the NCDP (National Commission of Data Protection).
The law of 10 August 1915 on commercial companies also imposes, next to the civil liability regime, criminal penalties on the directors and other officers in case of abuse of company assets, abuse of power and votes, failure to call a general meeting or non-presentation of accounts. Other more specific legislations do just the same, such as securities laws (prospectus legislations, market abuse), insolvency laws (reckless or fraudulent bankruptcy), money laundering laws, environmental laws and anti-trust laws.
And liability does not end there: today, the duties and liabilities of corporate directors at companies in Europe are a factor both of domestic and European legislation. Initiatives such as the General Data Protection Regulation (severe penalties against directors for non-compliance with the higher organizational standards in terms of their use of personal data), the e-Privacy Directive, the Cybersecurity Directive and the Environmental Liability Directive will put even more pressure on directors and officers in the near future.
An increased regulatory and shareholder scrutiny
Directors and officers now face more scrutiny than ever before, especially from regulators. Regulatory investigations and enquiries are considered to be the greatest risks facing directors in most jurisdictions.
In Luxembourg for instance, the CSSF is playing an increasingly active role by way of on-site inspections, formal requests, recommendations, injunctions and even fines imposed on directors & officers. One need only look at the annual reports published by the CSSF on its website (http://www.cssf.lu/en/documentation/publications/annual-reports) to find many real-case examples of investigative measures and sanctions conducted by the regulator against directors and officers. The CSSF has been constantly recruiting new agents over the years, notably in the area of supervision. There is therefore no doubt that the pressure will not ease in the coming years. While much of this has indeed been felt already in the financial sector, other new sectors are targeted as well, including energy, high tech, telecommunications, pharmaceuticals, manufacturing, real estate development and construction.
Shareholder litigation is another rising issue; the numerous examples of class action claims against directors and officers, especially in listed companies, speak for themselves. Derivative or securities actions – where shareholders sue directors or officers on behalf of the company – are the most common form of shareholder litigation in most European countries. Mergers and acquisitions (M&A) and initial public offerings (IPOs), where there are increased reporting requirements, are common causes, with claimants typically challenging the price, process, deal protection provisions and disclosures.
Comply and insure
Directors’ responsibilities today are numerous because the business world is constantly changing. Regulatory requirements and the emergence of new risks oblige the employer to achieve compliance, and the legal repercussions of non-compliance can be significant.
If we take as an example the risks related to health and safety at work, although insurance can offset some of the financial consequences, the human consequences are irreparable.
Several types of incident can be imagined. A serious accident affecting an employee at the workplace or at a client’s premises comes to mind first. Ill-being at work or pollution problems can also be envisaged.
Which insurances should be considered?
When such events occur in Luxembourg, several insurance contracts must respond:
- General (operations) liability insurance (Responsabilité Civile exploitation) covers damage suffered by a third party and caused by the company’s staff or property. Damage suffered by a visitor will therefore be covered by this contract. In the event of an accident involving an employee, social security will intervene first, but it may seek recourse against the company in the event of a safety failing, and therefore against its liability insurer. Accidental (unforeseeable and sudden) pollution at a third party’s premises could also be covered.
- The liability of directors could also be sought. It is indeed their responsibility to ensure that a healthy and safe working environment is put in place in the company. Negligence regarding staff safety is no longer accepted nowadays. If such a fact can be invoked, the directors may be held liable, and directors’ liability insurance (D&O) will protect the private assets of directors who are natural persons.
- In the same vein, the atmosphere at work is important and the company must prevent harassment, discrimination … Employment liability insurances will cover defense costs and financial consequences.
- The direct consequences of accidental pollution for third parties will normally be covered under general liability, but more complex damage (biodiversity …), damage arising from gradual pollution, or damage on the company’s own site will be covered by specific pollution policies. These will also cover pollution resulting from a fire (pollution of a water table by firefighting water, for example).
The employer can therefore reduce financial risks with insurance, but it is necessary to comply with regulations and to manage these particular risks. You can thus call on external prevention services that offer safety audits and assessments, help in implementing prevention tools, documentation for regulatory compliance … These prevention measures should in time have a positive impact on your claims record and make your insurance program sustainable, which is why we collaborate with these consultants.
On 10 October 2017, ABIL led a conference organized by Silicon Luxembourg dedicated to risk management for start-ups and their insurances. The slides are accessible: Silicon 102017 1.2.
ABIL presented to the members of the ALJB its practical view of managing an insurance program for a bank. You will find the slides by following this link: ALJB sept 20107 1.7
In our previous article we examined the different risks faced by companies. One of them was the “Operational Risk”, being the risk of loss resulting from inadequate or failed internal procedures, systems or policies, or from external events. That definition comes from the financial sector, but it can be extended to the start-up world.
That article was published on 14/07/2017 by Philippe Goutière, ABIL, on Silicon Luxembourg.
The depth and breadth of operational risks to which start-ups are exposed will depend on their specific activities, products or customers. But it is fair to say that start-ups are generally speaking more acutely exposed to them. New products, new processes, new people, increased regulatory scrutiny… they all contribute to an increase in operational risks. It is a challenge to manage all of them.
Operational risk includes a variety of events, including:
- Fraud by employees or third parties, with or without the assistance of computer equipment, such as fraud on bitcoin platforms, fake president fraud, hacking, ransomware…;
- Employment risks, in particular relating to key people retention, health and safety issues, discrimination issues, excessive turnover…;
- Business risks related to clients, products or business practices, such as loss of customers, product failure, non-compliance with regulation…;
- Risks of damaging physical assets, such as fire, terrorism…;
- Business disruption and systems failure risks, such as those resulting from a DDoS attack or a cloud or network failure;
- Execution risks, such as fat finger errors, wrong entries, failed reporting.
Often, insurances are a pretty good solution to manage those risks.
- Fraud insurances: protect the company’s assets against the risks of fraud;
- Liability insurances, such as Directors & Officers’ liability (D&O), General Liability, Professional Liability, Product Liability, Employment Liability, Civil Liability, Tenants Liability;
- Cyber insurances, covering the consequences of electronic attacks and system failures;
- Data Protection insurances, covering the consequences of a loss of data, including business interruption losses and administrative fines (as foreseen under the GDPR);
- Property insurances, protecting the tangible assets;
- Kidnap & ransom insurances, protecting individuals travelling in unsafe countries on behalf of the company;
- Trade risk insurances, protecting the company against commercial and political risks;
- Travel, key man, pension … to protect people or the company itself.
In all instances, it is important that all your insurance policies are looked at as a whole to avoid gaps and overlaps. For holdings or other top companies in Luxembourg, insurance policies will also contribute to substance and support the Group’s risk management policies.
Finally, specific insurance coverages should be considered when performing an acquisition or executing an exit strategy. Transactional insurances facilitate the acquisition or sale of companies, and other products support IPOs.
That article was published on 30/06/2017 by Philippe Goutière, ABIL, on Silicon Luxembourg.
Those who work in start-ups are usually some of the most talented people in their respective fields. And it is going to take all that talent to turn a business opportunity, the one in which they believe, into real value. But the flipside of opportunity is “risk”. Needless to say, risks can have negative consequences and, in some cases, destroy both the company and its founders in the shortest time.
While risk is an integral part of entrepreneurship, there are different ways to approach it. Entrepreneurs who succeed with their company over the long term have all one point in common: they are aware of the risks to which their business is exposed and have learned to manage them.
What are those risks?
There are obviously a multitude of risks and threats that affect start-ups. Early-stage companies are commonly said to face the following ones in particular:
- financing risk: you can’t raise money when needed;
- product risk: you can’t translate your concept into a working or attractive product;
- business development risk: you can’t get deals with other companies;
- timing risk: you are too early or too late to the market;
- technology risk: you rely on poor systems; or
- credit risk: your customers are not paying you in due time.
The more you grow, the more you discover additional risks. Just consider the following ones affecting companies at any stage of development: market risk, legal (regulatory) & tax risk, people risk, political risk or environmental risks…
What are the best practices?
The best practice can be summarized in one simple piece of advice: manage your risks!
« Risk Management » is the activity of thinking about what could go wrong in the company and what the best ways to mitigate the risk are. Companies that have an adequate understanding of their risks are in a superior position to those that do not; in the long run they will outperform.
There are no exceptions, even for start-ups; they should implement corporate governance that includes a strong risk governance element. The board is ultimately responsible for every activity within an organization. Together with senior management, it should have a deep understanding of both the opportunities that the company is pursuing and the risks that are related to them. It should ask the right questions, such as: what are the main risks we face? What is the likelihood of those risks occurring, and what would be the consequences for the company? How much of that risk do we want to (and are we able to) manage internally? …
In many instances, insurances will prove very useful risk management tools, by transferring the adverse effects of a risk to a third party. Some of those insurances are mandatory by law, others are taken out because of a deliberate decision of the risk management body within the company.
In the following articles, we will focus on some of the key risks that you may face in running your business. For each of them, we will consider both internal risk management and external risk transfer solutions. We hope you enjoy the reading.
If your company is involved in M&A transactions, or if your activities include the acquisition or disposal of assets such as portfolio companies and real estate, you are probably familiar with the concept of “Representations and Warranties” (R&W).
R&W are assurances given by the seller to a buyer about an asset and relating to various matters such as title, tax liabilities, employment, litigation or environmental issues.
Under the transaction documents, sellers are usually required to indemnify the buyer for breaches of R&W. That explains why those guarantees are often heavily negotiated and can form one of the most difficult aspects of the deal negotiations. Buyers naturally seek maximum protection from sellers while sellers try to minimize their liability in respect of the transaction.
If the buyer has concerns as to the creditworthiness or the ability of the seller to deliver on its promises, then security is usually sought. Sellers may need to arrange for guarantees or hold a portion of the sale proceeds in escrow to ensure that funds are available in the event of a breach, or to give the buyer the right to hold back and retain a portion of the payment. These options are however unsatisfactory for the seller, as they eventually prevent him from liquidating a fund or limit and delay returns to investors. Also, and notwithstanding the guarantees, the buyer may still feel uncomfortable with the level of security obtained.
In this context, Reps & Warranties insurances (hereafter “R&W Insurances”, also known as Warranties and Indemnities Insurances) are considered a great tool to facilitate mergers, acquisitions, divestitures and other business transactions. They supplement or replace the seller’s indemnity obligations by insuring all (or most) of the representations made within the Sale and Purchase Agreement (SPA).
Key policy features:
- Policyholder: The policy may be purchased either by the seller or by the buyer.
- Tailor-Made Policy: policies are tailored to match the R&W negotiated in the SPA as closely as possible. There will be little difference between what could be claimed against the seller and what the seller (or the buyer as the case may be) can claim against the R&W policy.
- Term: The policy term will run from the closing of the deal and for the full survival period negotiated in the SPA, or beyond if required.
- Exclusions: They are usually limited to matters disclosed in diligence, intentional/criminal acts and fraud by the policyholder. Depending on the deal, insurers may want to limit coverage in respect of specific losses, such as resulting from breaches of covenants or forward-looking statements.
- Covered Amounts: They are negotiated between the parties to the insurance contract. The insurance market as such has a capacity higher than EUR 500M.
- Retention: The parties to the insurance will agree on a self-insured retention, to be borne by the insured. This is generally set at 0.5 % of the value of the transaction, but may vary depending on several factors, such as the industry, the size of the deal or the willingness to retain a higher part of the loss and consequently reduce the premium. For real estate transactions, the retention is more likely to be 0.1% of the transaction value.
- Premium: The costs of these insurances typically range between 1% and 3% of the insured amounts. Factors such as the nature of the deal, the jurisdiction or the target asset are taken into account. Premiums are generally lower for real estate deals (0.8% to 1%) and title guarantees (0.3%).
Benefits of a Buyer-side policy
When taken out by the Buyer, the policy shall pay them directly for losses arising out of a post-closing discovery of seller’s breach of a representation or warranty in the SPA. Buyer-Side policies:
- supplement or sometimes substantially replace the indemnification provisions provided in the SPA;
- extend the survival of certain R&W, if required up to seven years, which allows considerably more time to detect and effectively recover for post-closing losses;
- offer additional protection to the buyer beyond the negotiated indemnities;
- protect buyers against the collectability or solvency risk of an unsecured indemnity provided by a seller (e.g., a financially distressed seller, multiple sellers or cross-border transactions);
- distinguish a bid over other bids in an auction process, by requiring a seller to provide short survival periods, modest liability caps and reduced escrow amounts for breaches of representations and warranties in a bidder’s draft purchase agreement;
- preserve key relationships by mitigating the need for a buyer to pursue claims against management sellers, eventually now working for the buyer;
- provide the buyer with a direct right of action against the insurance policy. No need to first seek recourse against the seller;
- protect the buyer from fraud or misleading information by the seller.
Benefits of a Seller-side policy
Under a seller-side policy, the insurer indemnifies the seller for its indemnification obligations to the buyer, resulting from breaches of its R&W in the SPA. Seller-Side policies:
- provide the seller with a “clean exit” by reducing or eliminating the need to establish escrows or purchase price holdbacks, thereby enabling the seller to more quickly distribute greater portions of the purchase price to its investors and eventually close the fund;
- increase the purchase price obtained, while the buyer has full recourse under the warranties;
- protect minority/passive sellers concerned with joint and several liability for indemnifying the buyer;
- provide additional comfort for individual or family sellers;
- provide a solution for situations where there is a lack of ownership history such as restructurings.
A private equity firm wanted to exit its investment in a technology company at an enterprise value of EUR 500M. The buyer required substantive warranties with an indemnification obligation of EUR 50M, which the private equity owner was unable to give as it could not take on long-tail financial liabilities during the divestment phase of its fund’s life-cycle. Management of the technology company were prepared to warrant up to EUR 10M (representing 50% of their EUR 20M stake in the technology business).
Placing part of the purchase funds into a holdback escrow to cover potential warranty claims would prevent a clean exit for the private equity firm. On the other hand, the buyer was not prepared to consider a reduction in the consideration.
The buyer was able to purchase an insurance policy with a limit of EUR 40M to meet the total EUR 50M indemnity requirement. The policy was structured so that the buyer had to first pursue management up to their EUR 10M limit. The SPA therefore provided for a warranty cap of EUR 10M, backed by management’s escrow and the PE seller assumed no additional liability.
Why choose ABIL S.A. as your risk adviser or insurance broker?
ABIL is a Luxembourg based company specialized in risk management, advisory and insurance brokerage services, focusing in particular on companies active in the financial, advisory and technological sectors, as well as on large multinationals.
You may count on ABIL to tailor your R&W insurance policy to your specific needs and positively contribute to the success of the transaction. We also offer specific solutions to cover Tax liabilities, should there be a particular tax issue mentioned in your R&W.
We are at your disposal to address any question and respond to any request for quotation.
The increased scrutiny by tax administrations and the consequent risk of a specific tax position being challenged have created uncertainties among the business community. The management of tax exposures becomes a key concern for companies, in particular in M&A deals or restructurings. A specific insurance market has emerged to cover risks related to tax issues.
Focus on an emerging product: Tax Liability Insurance
Imagine that you must proceed with a transaction or investment where there is uncertainty in the application of tax laws or inadequate time to obtain an advance tax ruling. The risk exists in that the tax treatment of the transaction is challenged by the tax authorities, potentially leading to substantial costs and liabilities.
Tax liability insurances are designed to fill the risk gap that results from uncertainty about a tax liability. As a risk transfer tool, they enable the company both to free up and to attract capital.
A customized insurance solution…
The wording of the insurance is tailor-made to cover your very specific tax exposure. Retentions are negotiable and the policy period is generally aligned with the applicable limitation period. Premiums typically range between 2.5 % and 10 % of the insured limit, depending on the probability of an adverse outcome.
Coverage may address:
- expenses incurred by the insured in engaging outside legal advisers and/or accountants in order to resolve the dispute with a relevant tax authority;
- interest and insurable fines or penalties as well as additional tax payable if the dispute is lost;
- gross-up of taxes payable (i.e. if the taxpayer is found to have an additional tax liability, the insurance proceeds may be deemed taxable: the policy will cover any tax incurred on receiving the proceeds).
Exclusions will vary from policy to policy but will generally consist of:
- losses resulting from inaccurate facts or omission of material information given by the insured;
- criminal or fraudulent acts or intentional violations of law; and
- changes in legislation after the inception date.
… for a wide variety of tax risks
Insurance companies will consider offering insurance in respect of a very wide variety of tax risks provided they are able to review detailed advice from the insured’s financial advisers or its lawyers setting out the background, the potential tax liability and a legal analysis of the likelihood of the liability arising. Tax Liability insurance is suitable for risks turning on questions of law rather than fact and is unlikely to be available for promoter-driven, repetitive or purely tax motivated transactions, or those cases already subject to audit, litigation or on appeal from a tax authority.
Examples of risks covered by insurances include:
- whether a foreign subsidiary qualifies as a “legal entity” under local corporate income tax rules;
- whether a company meets the tests relating to an exemption or specific tax treatment;
- the risk resulting in the claw-back of a historic claim for stamp duty land tax group relief;
- the risk resulting in the tax authority questioning the validity of tax credits claimed by an entity.
When assessing a tax exposure, insurers will look at:
- the type of risk, with a preference for those in connection with or as a result of a merger, acquisition, restructuring, recapitalization… or another type of transaction that demonstrates a clear business purpose other than to achieve a particular tax result;
- the jurisdiction, preferably those politically stable, with developed legal system and a tax authority or tribunal with a recognized, accepted route of appeal and a reputation for competence, probity, fairness…;
- legal advice or opinion from reputable lawyers or tax advisers provided to the insured. They will carefully review the advice to assess its merits and also identify any weaknesses or concerns;
- the likelihood of challenge from a tax authority which may be based on political climate or a tax authority’s propensity to challenge certain tax practices or target industries.
Case Study – VAT Risk
An insurance solution was sought for a scheme involving a land development incorporating the construction of a number of holiday homes. Under the scheme, the land owner and building developer (which were connected parties) entered into separate but inter-conditional contracts with the purchaser of the land – for the freehold sale of the land and the subsequent design and build services respectively (rather than a single sale of land containing completed holiday homes). Insurance was offered against the risk of a successful challenge that the sale of the land would be standard rated as opposed to VAT-exempt.
What are the strategic benefits?
- transfers an uncertain liability from the insured to the insurer;
- reduces the insured’s concerns about the potential for an adverse tax challenge;
- transforms contingent claims into a quantified insurance cost;
- can facilitate a sale or acquisition by providing certainty and managing negative financial impact;
- can preserve or enhance the value of a business or an asset;
- can be used where parties do not want or do not have time to obtain prior clearance from tax authorities.
Why choose ABIL S.A. as your risk adviser or insurance broker?
ABIL is a Luxembourg based company specialized in risk management, advisory and insurance brokerage services, focusing in particular on companies active in the financial, advisory and technological sectors, as well as on large multinationals.
ABIL will put you in contact with a selection of specialized “tax liability” insurers and will first advise on their responsiveness, experience in tax liabilities, and reputation for claims payment. We will also review your insurance contract with a particular focus on the scope of losses included and excluded, the impact of knowledge qualifiers, the term of coverage, operational restrictions and potential subrogation provisions.
We are at your disposal to address any question and respond to any request for quotation.
If your business involves collecting, processing, storing or disseminating private or sensitive information, you are probably wondering how well your computers, servers, software or cloud services can keep it secure.
Our dependence on information systems has never been greater, and it can be expected to increase further in the future. The slightest technical failure can cause delays, business interruption losses or damage to third parties, particularly where private data is involved. At the same time, cybercrime has grown in both volume and complexity. Newspapers publish daily examples of attacks such as hacking, distributed denial of service (DDoS) or ransomware (data held hostage by malicious software).
With the recent approval of the General Data Protection Regulation (GDPR), which will apply in Luxembourg from 25 May 2018, Europe has put in place a much stricter personal data protection regime than before. Companies are now exposed to significant liabilities and penalties in the event of a loss of private data, which can reach up to 4% of the group’s global turnover, with a maximum of EUR 20m.
How to prepare for the GDPR?
Compliance with the GDPR is mandatory, and many entities falling within its scope will have to undertake major reorganizations. Specialized consultants and lawyers will be a valuable help in bringing your organization and procedures up to date. It will also be an opportunity to review your IT infrastructure and security systems, in order to protect data against cyber attacks or untimely outages.
Using cyber insurance as a risk mitigation tool
Although mandatory, legal compliance does not make you immune to a cyber attack or to the devastating effects it could have on your reputation or your liability. Even the most robust security systems can never offer a 100% guarantee.
We therefore recommend cyber insurance policies to help you reduce this residual risk and add an extra level of protection for your company.
Cyber insurance has existed for more than 15 years in the USA, where some states such as California already applied similar legislation. A cyber insurance market has recently developed in Europe, and insurers now offer a range of solutions for all types of companies at affordable prices.
What does it cover?
Cyber insurance policies offer a complete solution for managing cyber risks and incidents.
First, the contract provides immediate assistance to resolve urgent IT security or legal problems following a security breach or a loss of data. In practice, insureds will have access to specialists in these fields, consultants and lawyers, who will step in within the first hours after the problem is discovered to define and resolve it.
The insurance policy also pays various costs incurred in dealing with the problem: system restoration costs, notification costs as required by the GDPR, support in dealings with the Data Protection Authorities, external communication costs to reduce reputational risk, as well as other costs necessary to investigate, manage and mitigate the incident, in the context of fraud-related investigations, legal consultations or monitoring of the use of customer data.
The insurer also bears the costs necessary to restore and recreate the insured’s lost data.
The liability section of the contract also covers claims brought against the company following a failure of its network security or a failure to protect data. This includes responding to the regulator’s requirements and investigations, as well as payment of defense costs and of any damage suffered by a third party (customers, employees …).
In certain circumstances, the contract reimburses business interruption losses and operating expenses resulting from a material interruption of activities caused by a security failure.
Finally, the theft and extortion section responds to the theft of money, securities or other valuables, or to external threats to carry out such an attack, as well as to ransom demands made by malicious software.
What is not covered?
Cyber insurance policies apply in excess of a deductible. This is expressed either as a monetary amount or, for business interruption losses, as elapsed time (waiting period). This waiting period does not, of course, apply to the immediate (urgent) measures offered by the insurance.
Coverage and exclusions vary significantly from one insurer to another. We note the following in particular:
- Losses resulting from an electrical, mechanical or infrastructure failure other than IT (such as fiber optics, power outages or the interruption of a satellite communication);
- Physical damage or bodily injury, other than damage to data (solutions nevertheless exist to cover this particular risk);
- Infringements of intellectual property rights.
Why choose ABIL as your adviser or insurance broker?
ABIL is a Luxembourg company specialized in risk management, advisory and insurance brokerage, focusing in particular on companies active in the financial sector, intellectual services, the technology sector and multinationals.
You can count on ABIL to tailor your cyber policy to your specific needs. ABIL will also carry out a complete review of your other related policies, such as those covering directors’ liability, professional/product/general liability, fraud, Kidnap & Ransom, or fire, to ensure that the cyber policy fits with them as well as possible.
We are at your disposal to answer your questions or any request for a quotation.