Tags: cyber-insurance, training, compliance, SMB, cybersecurity

Does Your Cyber Insurer Require Proof of Employee Training?

Cyber insurers now demand proof of security awareness training. How your training program lowers premiums and protects your claims.

Thomas Ferreira · 43 min read

Your cyber insurance renewal form changed this year. Between the usual questions about multi-factor authentication and backups, a new line appeared: "Do you have a documented employee cybersecurity awareness program? Provide proof."

This is not an administrative formality. According to the LUCY 2025 study by AMRAE (the French risk management association), cyber claims filed by SMBs surged by 353% in 2024. Phishing remains the number-one attack vector, involved in 60% of cyberattacks (CESIN barometer 2026). Insurers draw a direct operational conclusion: a company that doesn't train its employees is a company that doesn't manage its risk, and a company that doesn't manage its risk is expensive to insure - or not insurable at all.

This article details what your insurer actually expects, why the human factor has become the dominant evaluation criterion, how an awareness program protects both your premiums and your claims, and what happens when a breach occurs at a company with no proof of training. All data cited comes from identified sources: the AMRAE LUCY 2025 report, the CESIN 2026 barometer (OpinionWay), the Hiscox Cyber Readiness Report 2025, the LOPMI law n°2023-22 (loi d'orientation et de programmation du ministère de l'Intérieur, which introduced the 72-hour complaint requirement for cyber insurance claims), and the European NIS2 directive.

The French Cyber Insurance Market in 2026: The Numbers Behind the Pressure

To understand why your insurer now demands proof of training, you need to understand the market in which they operate. And that market is going through serious turbulence.

A Growing but Fragile Market

The LUCY 2025 study, published by AMRAE (French risk management association) in June 2025, covers 14,124 cyber insurance policies and 448 claims filed in France for the year 2024. It is the most complete dataset available on the French market.

Premiums collected reached 317 million euros in 2024, a slight decline from 328 million in 2023. This is the first drop since the barometer was created in 2021. But this dip in premiums masks an explosion in claim frequency: +82% in claims among large enterprises, +117% among mid-market companies, and +353% among SMBs.

The loss ratio stands at 17% in 2024, compared to 12% in 2023. Two claims exceeded ten million euros in payouts. Total indemnification reached 55 million euros, up from 38 million the previous year.

SMBs Are Now on the Radar - and in the Loss Statistics

The SMB segment shows the strongest dynamics, in both directions. The number of insured SMBs grew by 33% in 2024, with a 66% increase in premiums written. But it's also the segment where claim frequency is rising the fastest.

The annual premium for a micro-business or SMB with fewer than 50 employees ranges from 1,000 to 5,000 euros, for coverage limits of 1 to 5 million euros. A successful attack costs an average of 466,000 euros for a micro-business/SMB (Groupama 2025) - 5 to 10% of annual revenue. For a detailed breakdown of these costs: How Much Does a Cyberattack Cost an SME with 50 Employees.

For insurers, the equation is clear: they're opening the market to SMBs (because demand is there and premiums are profitable), but they need to filter out bad risks. Employee training has become their primary filter.

The Soft Market Won't Last

The market is currently in a "soft market" phase: rates are falling, capacity is increasing, deductibles are shrinking. The average premium rate dropped by 18% for large enterprises in 2024. Average deductibles fell from 218,000 euros in 2022 to 110,000 euros for mid-market companies.

But this easing is misleading. With a loss ratio climbing back up and increasingly severe claims, insurers are anticipating a reversal. When rates go back up, companies without a documented prevention program will be the first to see their premiums spike - or their coverage denied.

Why Insurers Demand Proof of Training

This isn't theoretical. An underwriter at a French insurer told l'Argus de l'Assurance: "We reject an average of 50% of cyber submissions. When the IT security prerequisites aren't met, we don't take the business."

The Human Factor Is the Leading Cause of Claims

Phishing in all its forms (spear phishing, smishing, vishing) accounts for 60% of attack vectors (CESIN barometer 2026; see our overview of new phishing forms in 2026), far ahead of vulnerability exploitation (41%) and third-party attacks (35%). According to Kaspersky and Cybermalveillance.gouv.fr, 95% of cyber incidents involve human error.

An insurer looks at these two statistics and draws a logical conclusion: if the overwhelming majority of incidents involve a human error, and phishing is the most common way of provoking that error, then a phishing awareness program is the prevention measure with the best cost-to-effectiveness ratio. Business phishing statistics confirm this trend.

The Eight Controls Insurers Systematically Check

Cyber underwriting questionnaires have standardized around eight main controls, identified by Marsh, Beazley, and Coalition as the most discriminating criteria:

  1. Multi-factor authentication (MFA): on remote access, email, and privileged accounts
  2. EDR (Endpoint Detection & Response): endpoint protection
  3. Email security: anti-phishing filtering, anti-spam, attachment analysis
  4. Tested backups: 3-2-1 backup policy with documented recovery testing
  5. Incident response plan: written procedure, tested, with identified roles
  6. Employee training and awareness: documented program with phishing simulations
  7. Privileged access management (PAM): separate, controlled administrator accounts
  8. Patch management: security update deployment timelines

Employee training sits at the same level as MFA or EDR. It is treated as a prerequisite, on equal footing with technical controls.

The Shift from Declarative Questionnaires to Documented Audits

The most significant change in the past two years is the nature of the evidence required. Until 2023, most underwriting questionnaires accepted "yes/no" answers. In 2025-2026, insurers are asking for proof.

A specialized broker sums up this shift: "In 2026, cyber insurance questionnaires are increasingly resembling audits. If the company can't demonstrate its preparedness, the insurer treats it as a liability."

In concrete terms, it's no longer enough to check "yes" on the question "Do you train your employees?" The insurer expects dashboard screenshots, campaign reports, completion rates, and simulation results. Declarations have given way to evidence.

What Your Insurer Actually Expects: Anatomy of an Underwriting Questionnaire

Here are the typical questions a French cyber insurer asks today about training and awareness. This summary is built from Hiscox, AXA, Allianz, and Generali questionnaires, analyzed by specialized brokers.

Declarative Questions (Yes/No)

  • Do you have a cybersecurity awareness program for all employees?
  • Does this program include phishing simulations?
  • Do new hires receive cybersecurity training during onboarding?
  • Are awareness campaign results tracked over time?
  • Do employees have a way to report suspicious emails (reporting button, dedicated address)?

Quantitative Questions (With Supporting Evidence)

  • How often is awareness training conducted? (annual / semi-annual / quarterly / monthly)
  • What is the training module completion rate over the past 12 months?
  • How many phishing simulation campaigns have you conducted over the past 12 months?
  • What is your average click rate on phishing simulations? Trend over 6/12 months?
  • What percentage of employees has completed at least one training in the past 6 months?

Governance Questions

  • Who is responsible for the awareness program? (CISO / CIO / HR Director / external provider)
  • Are campaign results reported to senior management?
  • Does the training program cover subcontractors and service providers with access to the information system?
  • Do you have a formalized information security policy (PSSI in French)?

The Trap of False Declarations

The temptation to check "yes" on every question to get a better premium is strong. It's the worst possible strategy.

The Travelers v. International Control Services case, widely discussed in the industry, illustrates the risk. On its application, the company had declared that it used multi-factor authentication on all access points. In reality, MFA was only enabled on the firewall - not on servers or email. After a ransomware attack, Travelers sued to rescind the policy for misrepresentation, and the parties agreed to rescind it. The company received nothing.

The same mechanism applies to training. If you declare "awareness program in place" but have no training records, no simulation reports, and no certificates, the insurer can invoke false declaration and reduce or deny indemnification.

The 7 Pieces of Evidence Your Insurer Wants to See

When the insurer asks for "proof of training," what exactly do they want? Here are the seven documents that make up a strong underwriting file on the awareness front.

1. Training Records with Completion Rates

A dated document showing that every employee has completed at least one cybersecurity training module in the past 12 months. The overall completion rate should exceed 80% to be considered acceptable. Ideally: an export from your training platform showing the list by name (or anonymized by department), completion dates, and scores.

2. Phishing Simulation Campaign Reports

Results from simulated phishing campaigns over the past 12 months: dates, number of recipients, click rate, credential submission rate, reporting rate. The insurer is looking for two things: regularity (at least one campaign per quarter) and trend (the click rate should decrease over time).

To build an effective simulation program, see our complete guide to corporate phishing simulation.

3. Individual Training Certificates

Certificates or attestations proving that employees actually completed the training modules. Hiscox is the most explicit insurer on this point: its CyberClear Academy program issues certificates, and if 80% of employees have completed the training, the company benefits from a deductible reduction. It's one of the rare cases where the direct financial impact is formalized in the contract terms.

4. Information Security Policy (PSSI in French)

An internal policy document covering at minimum: email usage rules, password management, incident reporting procedures, and data access rules. The information security policy doesn't need to be 50 pages long, but it must exist, be dated, signed by management, and have been communicated to all employees with acknowledgment of receipt.

5. Tested Incident Response Plan

A documented incident response plan with identified roles (who to contact in case of an attack, in what order), along with proof it has been tested at least once in the past 12 months. The test can be a tabletop exercise or a full-scale simulation.

The CESIN 2026 barometer indicates that 67% of companies have a cyber crisis training program, with 37% running periodic exercises. Being in that 37% places you above the majority of applicants.

6. Metrics Tracking Dashboard

An export from your awareness platform showing how metrics evolve over time: click rate, reporting rate, training completion rate, number of campaigns conducted. The insurer doesn't just want a snapshot - they want a trend. A company whose click rate drops from 25% to 8% in 12 months demonstrates a program that works.
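The computation behind such a dashboard is simple enough to reproduce yourself from a raw platform export, which helps when the vendor's PDF does not show exactly the figures the questionnaire asks for (campaign count over 12 months, completion rate, click-rate trend, one campaign per quarter). The Python script below is an added example, not code from this article or from any awareness platform. The record layout (`Campaign`, `Completion`) is an assumption to be mapped onto your own export's columns, the campaign and completion rows are constructed sample data, and the thresholds it checks (80% completion, a campaign in each of the last four quarters, a falling click rate) are the ones this article describes, not an insurer's published rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Campaign:
    """One simulated-phishing campaign as it would appear in a platform export.
    The field names are an assumption; map them to your own export's columns."""
    sent_on: date
    recipients: int
    clicked: int     # opened the lure link
    submitted: int   # typed credentials on the landing page
    reported: int    # flagged the email with the reporting button


@dataclass(frozen=True)
class Completion:
    """One employee finishing one e-learning module."""
    employee: str
    module: str
    completed_on: date


def _rate(part: int, whole: int) -> float:
    return part / whole if whole else 0.0


def _quarter(d: date) -> tuple:
    """(year, quarter number) for a date, e.g. 2025-06-02 -> (2025, 2)."""
    return (d.year, (d.month - 1) // 3 + 1)


def _last_quarters(as_of: date, n: int = 4) -> list:
    """The n calendar quarters ending with the one containing as_of, most recent first."""
    year, q = _quarter(as_of)
    out = []
    for _ in range(n):
        out.append((year, q))
        year, q = (year - 1, 4) if q == 1 else (year, q - 1)
    return out


def underwriting_summary(campaigns, completions, headcount, as_of, window_days=365):
    """Figures a cyber underwriting questionnaire asks for, over the trailing window."""
    start = as_of - timedelta(days=window_days)
    recent = sorted((c for c in campaigns if start < c.sent_on <= as_of),
                    key=lambda c: c.sent_on)
    # Completion rate counts people, not modules: one employee finishing three
    # modules is still one trained employee out of the headcount.
    trained = {x.employee for x in completions if start < x.completed_on <= as_of}
    completion_rate = _rate(len(trained), headcount)
    click_rates = [_rate(c.clicked, c.recipients) for c in recent]
    report_rates = [_rate(c.reported, c.recipients) for c in recent]
    covered = {_quarter(c.sent_on) for c in recent}
    summary = {
        "campaigns_12m": len(recent),
        "completion_rate": completion_rate,
        "click_rate_first": click_rates[0] if click_rates else None,
        "click_rate_last": click_rates[-1] if click_rates else None,
        "report_rate_last": report_rates[-1] if report_rates else None,
        # Quarters among the last four with no campaign at all: the gap an underwriter notices.
        "quarters_missing": [q for q in _last_quarters(as_of) if q not in covered],
    }
    summary["checks"] = {
        "completion_ge_80pct": completion_rate >= 0.80,
        "one_campaign_per_quarter": not summary["quarters_missing"],
        "click_rate_falling": len(click_rates) >= 2 and click_rates[-1] < click_rates[0],
        # A healthy program has more people reporting the lure than clicking it.
        "reporting_beats_clicking": bool(recent) and report_rates[-1] > click_rates[-1],
    }
    return summary


# Constructed sample data for a 52-person company (not from any real export).
HEADCOUNT = 52
CAMPAIGNS = [
    Campaign(date(2025, 3, 10), 50, 12, 5, 4),   # baseline: 24% clicked
    Campaign(date(2025, 6, 2), 50, 9, 3, 9),
    Campaign(date(2025, 9, 15), 52, 6, 2, 14),
    Campaign(date(2025, 12, 1), 52, 4, 1, 19),   # 7.7% clicked, 36.5% reported
]
COMPLETIONS = [
    Completion(f"emp{i:02d}", "phishing-basics", date(2025, 4, 1) + timedelta(days=i))
    for i in range(45)   # 45 of 52 employees done -> 86.5%
]


def summary_full_year():
    """Renewal file built on 31 December 2025: all four quarters covered."""
    return underwriting_summary(CAMPAIGNS, COMPLETIONS, HEADCOUNT, date(2025, 12, 31))


def summary_mid_year():
    """Same data as of 30 June 2025: only two campaigns, two quarters uncovered."""
    return underwriting_summary(CAMPAIGNS, COMPLETIONS, HEADCOUNT, date(2025, 6, 30))


if __name__ == "__main__":
    for label, s in (("full year", summary_full_year()), ("mid-year", summary_mid_year())):
        print(label, {k: v for k, v in s.items() if k != "checks"})
        print("  checks:", s["checks"])
```

Run it on the sample data and the full-year summary passes every check, while the mid-year summary, with the same program, fails the quarterly-regularity check because two of the last four quarters have no campaign. That `quarters_missing` list is the thing to look at before renewal: a gap there is what turns a declared "yes" into a question the underwriter follows up on.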

To understand how these metrics compare to industry standards, see our phishing click rate benchmarks by industry.

7. Proof of Subcontractor Awareness

Third-party attacks jumped by 8 points to reach 35% according to CESIN 2026 (and up to 43% for large enterprises). Insurers are beginning to verify that service providers with access to the information system have also received awareness training. An amendment to your subcontracting agreements requiring cyber training for personnel, or an audit report from your provider, strengthens your file.

Real-World Examples: What Insurers Find (and Don't Find) During Underwriting

To understand the real impact of a training file on underwriting, here are three real situations reconstructed from conversations with French cyber insurance brokers. Names have been changed.

Situation 1: The Accounting Firm with Zero Training (Coverage Denied)

An accounting firm with 35 employees in Lyon (revenue: 4 million euros) wants to purchase cyber insurance for the first time. The questionnaire reveals: no information security policy, no awareness training, no password requirements enforced, no MFA on email. The broker submits the file to three insurers. Two reject immediately. The third offers limited coverage of 500,000 euros (instead of the requested 2 million), with a 25,000-euro deductible and an annual premium of 6,200 euros.

The firm then invests 1,800 euros in an awareness platform, trains 90% of its employees in 3 months, runs two phishing simulations, and drafts an information security policy. Six months later, the broker resubmits the file. Result: 2-million-euro coverage, 10,000-euro deductible, 3,800-euro premium. The 1,800-euro investment saved 2,400 euros in annual premiums and quadrupled the coverage.

Situation 2: The Mid-Market Industrial Firm with Annual Training (Partial Coverage)

An industrial company with 180 employees in Normandy (revenue: 28 million euros) has annual awareness training: a 45-minute PowerPoint presentation during the onboarding day. No phishing simulations, no click rate tracking, no individual certificates.

At renewal, the insurer requests "proof of regular training." The company provides the PowerPoint and the attendance sheet from the last session. The insurer accepts the renewal but applies a 15% surcharge and excludes "wire transfer fraud" from the coverage. The broker recommends switching to a monthly simulation program to get those restrictions removed the following year.

Situation 3: The Tech Startup with a Full Program (Best Terms)

A SaaS startup with 45 employees in Paris (revenue: 3 million euros) has been using an awareness platform for 18 months. It can provide: a dashboard showing 12 simulation campaigns over the past 12 months, a click rate that dropped from 22% to 4%, a training completion rate of 95%, an updated information security policy, a tested incident response plan, and a reporting button with a 35% usage rate.

The insurer offers the best terms available: 3-million-euro coverage, 5,000-euro deductible, 2,100-euro premium. The file is approved within 48 hours, with no additional documentation requested. The quality of the documentation accelerated the process and reduced the price.


What These Three Situations Illustrate

A training program isn't a binary element (present/absent). Insurers evaluate its quality: frequency, documentation, measurable results, trend over time. Annual training without metrics is better than nothing, but it's not enough to get the best terms. A monthly program with documented results puts the company in the "managed risk" category and unlocks the most competitive pricing.

How Training Concretely Reduces Your Premiums

The question every CFO asks: "How much does this save me?" Here are the specific mechanisms through which an awareness program directly affects your cyber insurance premium.

Mechanism 1: Contractual Deductible Reduction

The best documented case is Hiscox with its CyberClear Academy. If at least 80% of employees have earned the training certificate, the contract's deductible is reduced. In practical terms, if your standard deductible is 10,000 euros, it can drop to 5,000 or 7,500 euros after training validation.

This mechanism is written directly into the contract's specific conditions. It doesn't depend on a commercial negotiation - it's an automatic contractual provision.

Mechanism 2: Risk Assessment During Underwriting

During underwriting or renewal, the cybersecurity questionnaire determines your risk profile. Each documented "yes" on a security control lowers your risk score, and therefore your premium.

Specialized brokers report that the absence of a training program can trigger a 30 to 50% surcharge compared to the reference rate. Conversely, a documented program with measurable results provides strong grounds for negotiating more favorable terms.

The Marsh Cyber Pathway program, developed in partnership with Beazley, Chubb, Coalition, and Resilience, formalizes this logic: companies complete a self-assessment questionnaire, receive recommendations for controls to implement, and once those controls are in place (including training), they gain access to coverage extensions from partner insurers.

Mechanism 3: Reducing Actual Claim Frequency

Beyond the direct impact on premiums, training reduces the likelihood of a claim - which, over time, prevents surcharges linked to claims history.

The SANS Security Awareness Report 2025 documents a 75% reduction in click rates over 12 months for organizations with a regular simulation program. Fewer clicks, fewer incidents, fewer claims, fewer surcharges at renewal.

For more on ROI calculations, see our article on the ROI of cybersecurity awareness.

Comparison: Cost of Training vs. Insurance Surcharge

| Item | Annual cost (SMB, 50 employees) |
|---|---|
| Awareness + simulation program (SaaS platform) | 1,200 – 3,000 € |
| Insurance surcharge without training program (+30 to 50%) | 600 – 2,500 € |
| Standard deductible (without training) | 10,000 – 25,000 € |
| Reduced deductible (with documented training, e.g. Hiscox) | 5,000 – 15,000 € |
| Average cost of a cyber incident for an SMB (Groupama 2025) | 466,000 € |

The avoided surcharge alone can cover the cost of the program in the first year. The lower deductible only pays off if a claim actually occurs, and the reduced probability of an incident comes on top of both.

The Trap: When Insurance Refuses to Pay

The most costly scenario isn't paying a premium that's too high. It's paying a premium for years, suffering a breach, and discovering that the insurer refuses to cover the claim.

Grounds for Denial Related to Training

French insurance law rests on a fundamental principle: coverage only holds if the policyholder takes all reasonable measures to prevent the risk. The insurer does not cover claims where the cause stems from manifest negligence in managing the information system.

If a company suffers a mass phishing attack and it turns out that no employee was ever trained, no simulation was ever run, and no reporting procedure exists, the insurer has a legal arsenal to contest the claim:

  • False declaration (Articles L. 113-8 and L. 113-9 of the French Insurance Code): if the underwriting questionnaire described a training program that doesn't exist, an intentional false declaration voids the contract retroactively (L. 113-8), and even an unintentional one discovered after a claim reduces the indemnity in proportion to the premium that would have been charged had the risk been declared correctly (L. 113-9)
  • Manifest negligence: if the absence of training constitutes a failure to meet the "reasonable prevention measures" required by the contract
  • Non-compliance with contractual prerequisites: if the specific conditions require an awareness program that the company never put in place

The 72-Hour Complaint Filing Requirement (LOPMI)

Since April 24, 2023, the LOPMI law n°2023-22 (loi d'orientation et de programmation du ministère de l'Intérieur) imposes an additional obligation, codified in Article L. 12-10-1 of the French Insurance Code: a company or professional that suffers a cyberattack and seeks insurance compensation for it must file a complaint within 72 hours of becoming aware of the attack.

The deadline runs from the moment the victim becomes aware of the attack, not from the attack itself, so the clock is usually already running when the first sign of compromise is noticed. The complaint must be filed with the police, the gendarmerie, or by registered letter to the public prosecutor. An online pre-filing (pré-plainte en ligne) does not count on its own; it only becomes a complaint once confirmed at a police or gendarmerie station.

Failure to meet this deadline results in near-systematic denial of coverage. And this is where training plays an indirect but concrete role: a company whose employees are trained to recognize a fraudulent email and report incidents will detect the attack faster, making it easier to meet the 72-hour deadline.

Documented Cases of Claim Denial

According to Fitch Ratings, nearly one in four cyber claims filed in 2024 was rejected for non-compliance with coverage conditions. The most documented cases in the trade press:

BitPay vs. Massachusetts Bay Insurance: The insurer refused to pay 1.8 million dollars after a phishing attack, arguing that the compromise originated from a business partner and not directly from the insured's systems. The lack of partner training was part of the argument.

Travelers v. International Control Services: Rescission of the policy after a ransomware attack. The company had declared on its application that it used MFA on all access points but had only deployed it on the firewall. Travelers invoked misrepresentation, and the policy was rescinded, leaving the company with no indemnification. The same reasoning applies to training: declaring a nonexistent program carries the same risk.

Overall statistics: Specialized broker feedback identifies "negligence in maintaining security standards" and "lack of documentation" as the two leading causes of claim denial, ahead of contractual exclusions.

Anatomy of a Claim Denial: How It Actually Plays Out

Here is how a claim denial related to lack of training unfolds in practice, based on the process described by specialized brokers and law firms.

Day 0: The attack. An employee in accounting clicks on a phishing email impersonating the company's bank. They enter their credentials on a fraudulent page. The attackers use those credentials to access the corporate email system, then initiate a 78,000-euro wire transfer to a foreign account.

Day 1: The discovery. The CFO notices the transfer during the daily review of bank transactions. The company contacts its bank (which attempts a fund recall), its IT provider (which secures the compromised accounts), and its insurance broker.

Day 2: The complaint. The company files a complaint with the gendarmerie within the 72-hour deadline imposed by the LOPMI law. The procedure is followed.

Day 7: The claim filing. The company submits the claim to its insurer with supporting documents: bank statement, copy of the complaint, IT provider report, copy of the phishing email.

Day 30: The insurer's investigation. The expert appointed by the insurer requests proof of compliance with the contract prerequisites: security policy, training records, phishing simulation reports, dual-approval procedure for wire transfers. The company cannot provide any of these documents.

Day 60: The partial denial. The insurer issues a partial denial of coverage. Grounds cited: absence of an awareness program (contractual condition not met), absence of a dual-approval procedure for wire transfers (negligence in risk prevention), discrepancy between the underwriting questionnaire declarations and the actual situation. The payout is reduced by 70%. Of the 78,000-euro loss, the company receives 23,400 euros and absorbs 54,600 euros in unrecovered losses.

This scenario is not hypothetical. Specialized brokers report comparable situations multiple times per year. And in the most severe cases (clear false declaration), the denial is total.

The Special Case of Business Email Compromise (BEC)

Business Email Compromise (BEC) attacks - CEO fraud, supplier bank account change scams - are often excluded from standard cyber insurance policies. Coverage for "fraudulent fund transfers" typically requires a specific endorsement (called a "social engineering fraud" guarantee).

And that endorsement is conditional on the existence of verification procedures: dual authorization for wire transfers, callback verification to the supplier, and, increasingly, training of finance teams on BEC risk.

Without this specific coverage, an SMB that loses 45,000 euros through a fraudulent wire transfer after a targeted phishing attack on its CFO will simply not be covered - even with an active cyber insurance policy.

NIS2, Cyber Insurance, and Training: The Regulatory Triangle

The European NIS2 directive, whose transposition deadline was October 17, 2024, adds a layer of obligation that reinforces the insurers' position.

What NIS2 Requires Regarding Training

Article 21 of the NIS2 directive requires cyber risk management measures that include "basic cyber hygiene practices and cybersecurity training" (Article 21(2)(g)). Under the compliance framework, this training must be:

  • Documented: proof of training must be producible during an audit
  • Universal: it applies to all staff, not just IT teams
  • Ongoing: a single session with no follow-up or assessment constitutes non-compliance
  • Measurable: success is measured by behavioral change, not by the number of training hours

Article 32 (for essential entities) and Article 33 (for important entities) authorize the competent national authority - ANSSI in France - to carry out on-site inspections and off-site supervision, including random checks. Training certificates, simulation results, and awareness reports are among the documents that can be requested.

For a detailed NIS2 compliance guide, see our NIS2 guide for SMBs.

NIS2 Affects 59% of French Companies

The CESIN 2026 barometer indicates that 59% of surveyed companies fall under NIS2 (70% of large enterprises, 44% of micro-businesses/SMBs). Penalties can reach 10 million euros or 2% of global turnover for essential entities (7 million euros or 1.4% for important entities). Executives are personally liable for compliance.

The Force Multiplier for Insurers

The existence of NIS2 strengthens the insurer's contractual position. If a company subject to NIS2 suffers a claim and it turns out it was not meeting the directive's training requirements, the insurer has an additional argument to contest coverage: the company was in regulatory violation at the time of the incident.

Conversely, NIS2 compliance sends a strong signal to the insurer. A company that can produce an NIS2 compliance file, including proof of training, demonstrates a level of cyber maturity above average. Specialized brokers actually recommend submitting the NIS2 compliance file as supplementary documentation alongside the underwriting questionnaire.

Training → Compliance → Insurability

Employee training sits at the intersection of three obligations:

| Obligation | Training requirement | Penalty for non-compliance |
|---|---|---|
| NIS2 (regulatory) | Documented, ongoing, measurable training | Up to 10 M€ or 2% of global turnover |
| Cyber insurance (contractual) | Awareness program with proof | Surcharge, coverage denial, claim denial |
| GDPR (data protection) | Awareness training for staff handling personal data | Up to 20 M€ or 4% of global turnover |

A well-designed training program addresses all three requirements simultaneously. It's a single investment for triple protection.

How to Build an Insurance-Ready File in 90 Days

Your cyber insurance renewal is approaching. Here's how to build a strong underwriting file on the training and awareness front, step by step.

Weeks 1-2: Lay the Foundations

Draft or update the information security policy. If your information security policy (PSSI in French) is more than two years old or doesn't exist, start here. The document must cover email usage rules, password management, incident reporting procedures, and data access rules. Have management sign the policy and distribute it to all employees with acknowledgment of receipt.

Appoint a program owner. The insurer will ask who oversees the program. It can be the CISO, CIO, HR director, or an external provider, but a name must be attached to the program.

Weeks 3-6: Deploy Training

Launch a first e-learning training module. Choose a platform that provides individual completion certificates and a tracking dashboard. Aim for a minimum 80% completion rate. Modules should cover phishing, social engineering, password management, and safe browsing practices. Our cybersecurity training guide for SMBs details the recommended content.

Run a first baseline phishing simulation. Send a simulated phishing email to the entire company to measure the initial click rate. This baseline is your reference point for demonstrating progress over time. Document the results: date, number of recipients, open rate, click rate, reporting rate.

Weeks 7-10: Intensify and Document

Run a second simulation. Vary the scenario (package delivery, invoice, password update). Compare results to the baseline. Even a modest improvement (from 25% to 18% click rate, for example) constitutes proof of progress for the insurer.

Set up a reporting button. Insurers value the reporting rate at least as much as the click rate. Install a reporting button in your employees' email client and track its usage.

Prepare the incident response plan. Document the procedure: who to contact, in what order, how to isolate systems, how to file a complaint within 72 hours. Test it at least once as a tabletop exercise.

Weeks 11-12: Consolidate the File

Compile the underwriting file. Assemble the seven documents described in the previous section: training records, simulation reports, certificates, information security policy, incident response plan, metrics dashboard, subcontractor proof.

Export reports from the awareness platform. Dated PDF exports are the best evidence. Include trend graphs showing how the click rate evolved over time.

Prepare a one-page memo for the broker. Summarize your program on one page: number of employees trained, completion rate, number of simulations run, initial vs. current click rate, program governance. This document makes the broker's job easier and speeds up the underwriting process.

How to Choose the Right Awareness Platform for Your Insurance File

Not all awareness platforms are equal from the insurer's perspective. Here are the criteria that matter for building a solid file:

Exportable PDF reports. The insurer (or their expert) wants dated documents, digitally signed if possible, that they can archive in your file. A platform that doesn't provide usable PDF exports creates an administrative hurdle.

Campaign history. The insurer wants a trend, not a snapshot. Your platform must retain the full history of simulation campaigns: dates, scenarios used, click rates, reporting rates, remediation actions. A 12-month history is the minimum expected.

Individual completion certificates. Every employee who completes a module should have a dated certificate. These certificates are the most direct proof that training took place. If your platform doesn't generate them automatically, you'll have to produce them manually - which quickly becomes unmanageable beyond 20 employees.

Varied, realistic simulation scenarios. Insurers are beginning to evaluate the quality of simulations, not just their existence. A program that repeats the same "package awaiting delivery" scenario every month doesn't test much. The platform should offer varied scenarios covering real attack vectors: generic phishing, spear phishing, wire transfer fraud, brand impersonation.

Post-failure micro-learning. Immediate remediation after a click on a simulation - a short module explaining the red flags the employee missed - is a strong signal for the insurer. It proves the program doesn't just measure vulnerability but actively corrects it.

To compare available solutions and choose the one best suited to your needs, see our guide to choosing a phishing awareness solution in 2026.

The Ideal Timeline: 3 Months Before Renewal

| Week | Action | Deliverable |
|---|---|---|
| 1-2 | Information security policy + appoint program owner | Document signed by management |
| 3-4 | E-learning training module | Completion rate > 80% |
| 5-6 | Baseline phishing simulation | Campaign report with click rate |
| 7-8 | Second simulation + reporting button | Comparative report + reporting rate |
| 9-10 | Incident response plan + exercise | Documented plan + exercise debrief |
| 11-12 | File compilation + broker memo | Complete underwriting file |


What French Insurers Offer in Terms of Prevention

Insurers are no longer just checking for the presence or absence of training - some are providing it directly or making it easier to access.

Hiscox: CyberClear Academy

Hiscox France, specializing in micro-businesses and SMBs with under 50 million euros in revenue, has developed its own training platform: the CyberClear Academy. Certificates issued by this platform are directly recognized in the underwriting process. When 80% of employees earn the certificate, the contract deductible is reduced, as detailed above. It's the most formalized mechanism on the French market.

Hiscox also combines automated vulnerability scans with declarative questionnaires to get a complete view of the insured's risk profile.

AXA: Integrated Prevention

AXA offers an approach that includes employee awareness and training, organizational audits, phishing tests, vulnerability scans, and a risk maturity assessment. The approach is integrated: prevention is part of the insurance offering, not a separate module.

Generali: Digital Protection

Generali Digital Protection targets SMBs with a product combining insurance and awareness. The contract includes e-learning modules for employees, a list of certified cyber experts, and a quarterly vulnerability scan whose results are not shared with the insurer (to avoid conflicts of interest). Generali's approach emphasizes prevention and governance.

Allianz: E-Learning and Cyence Questionnaire

At Allianz, the standard contract is available to companies with less than 25 million euros in revenue. The insurer offers e-learning on cyberattack protection and has partnered with Cyence to refine its clients' risk assessment through a quantitative model.

Specialized Brokers: Cyber Cover, Stoik, Dattak

Several cyber insurance specialty brokers offer integrated prevention + insurance solutions. Cyber Cover combines phishing simulation campaigns, an e-learning platform, and cyber crisis management exercises with insurance brokerage. These integrated offerings let companies meet training requirements while simplifying the underwriting process.

Cost Analysis: Training vs. No Training

For an SMB with 50 employees and 5 million euros in revenue, here is the three-year cost comparison.

Scenario A: Without a Training Program

| Item | Annual Cost | 3-Year Cost |
| --- | --- | --- |
| Cyber insurance premium ("high risk" profile) | 4,500 € | 13,500 € |
| Deductible in case of claim | 15,000 € | 15,000 € (if 1 claim) |
| Risk of claim denial | Incalculable | Incalculable |
| Total (no claim) | 4,500 €/year | 13,500 € |
| Total (with 1 partially covered claim) | | 28,500 € + damages |

Scenario B: With a Training Program

| Item | Annual Cost | 3-Year Cost |
| --- | --- | --- |
| Awareness platform (50 users) | 2,400 € | 7,200 € |
| Cyber insurance premium ("managed risk" profile) | 3,000 € | 9,000 € |
| Deductible in case of claim (reduced) | 8,000 € | 8,000 € (if 1 claim) |
| Guaranteed indemnification (documented compliance) | Covered | Covered |
| Total (no claim) | 5,400 €/year | 16,200 € |
| Total (with 1 fully covered claim) | | 24,200 € |

Analysis

The training platform costs 2,400 euros a year, of which 1,500 euros comes straight back as premium reduction, leaving a net extra cost of 900 euros per year. Over 3 years, the training scenario therefore costs 2,700 euros more without a claim. In the event of a claim, the gap reverses: the deductible is 7,000 euros lower, so the trained company comes out 4,300 euros ahead overall, and its indemnification rests on documented compliance rather than on the insurer's goodwill.

The real differential lies elsewhere: in the event of a major incident (ransomware, massive data breach), the company without training risks total claim denial. On an average incident of 466,000 euros (Groupama 2025 figure), the difference is no longer 4,300 euros - it reaches 466,000 euros.

The Argument for the CFO: The Cost-to-Benefit Ratio

The math can be summed up in one sentence: for every euro invested in training, the company saves between 1.5 and 3 euros on its insurance premium and deductible, while protecting its claim coverage in the event of an incident.

In terms of return on investment, cybersecurity awareness delivers a high cost-to-benefit ratio: the cost is low and predictable, but the risk covered is high and unpredictable.

For CFOs who think in probabilities, here's the full calculation. If the annual probability of a cyber incident is 10% (a conservative estimate for an exposed SMB), and the average incident cost is 466,000 euros, the expected annual loss is 46,600 euros. A training program that reduces this probability by 30% saves 13,980 euros in expected annual loss - for a 2,400-euro investment. The ratio is 1 to 5.8.

This calculation doesn't even factor in the indirect costs of an incident: lost revenue during the interruption, reputational damage, legal costs, internal management time, CNIL (France's data protection authority) notification requirements. The IBM Cost of a Data Breach 2025 study estimates these indirect costs at 40% of the total cost of an incident.
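The two scenario tables and the CFO calculation above are instances of one small model, reproduced here as an added example written for this article (not code from the original page). The defaults are the article's own figures for the 50-employee SMB; the `breakeven_reduction` function goes one step further than the article's single 30% example and asks how small a cut in incident probability is enough for the program to pay for itself on expected loss once the premium saving is netted against the platform cost.

```python
"""Cost model behind the two scenarios and the CFO expected-loss argument.

Added example for this article, not code from the original page. The defaults
are the article's figures for a 50-employee SMB (premiums of 4,500 EUR and
3,000 EUR, deductibles of 15,000 EUR and 8,000 EUR, a 2,400 EUR platform, a
466,000 EUR average incident and a 10% annual incident probability); the
break-even function generalizes the article's single 30% example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_premium: float
    deductible: float
    annual_program_cost: float = 0.0


NO_TRAINING = Scenario("no training (high-risk profile)", 4500, 15000)
TRAINING = Scenario("training (managed-risk profile)", 3000, 8000, 2400)


def period_cost(s, claims=0, years=3):
    """Premiums and platform fees over the period, plus one deductible per claim."""
    return years * (s.annual_premium + s.annual_program_cost) + claims * s.deductible


def compare(a, b, claims=0, years=3):
    """Period cost of `a` minus period cost of `b` (positive means `b` is cheaper)."""
    return period_cost(a, claims, years) - period_cost(b, claims, years)


def expected_annual_loss(p_incident, avg_incident_cost):
    """Expected loss per year before any insurance recovery."""
    return p_incident * avg_incident_cost


def expected_saving(program_cost, p_incident, avg_incident_cost, reduction):
    """Expected loss avoided by a program that cuts incident probability by
    `reduction` (relative), and the resulting benefit-to-cost ratio."""
    saved = expected_annual_loss(p_incident, avg_incident_cost) * reduction
    return saved, saved / program_cost


def breakeven_reduction(program_cost, premium_saving, p_incident, avg_incident_cost):
    """Relative cut in incident probability at which the program pays for itself
    on expected loss alone, once the premium saving is netted against its cost.
    Returns 0.0 when the premium saving already covers the whole program."""
    net_cost = program_cost - premium_saving
    if net_cost <= 0:
        return 0.0
    return net_cost / expected_annual_loss(p_incident, avg_incident_cost)


if __name__ == "__main__":
    for claims in (0, 1):
        print(f"{claims} claim(s) over 3 years: "
              f"{NO_TRAINING.name} {period_cost(NO_TRAINING, claims):,.0f} EUR, "
              f"{TRAINING.name} {period_cost(TRAINING, claims):,.0f} EUR")
    saved, ratio = expected_saving(2400, 0.10, 466_000, 0.30)
    print(f"expected loss avoided: {saved:,.0f} EUR/year, ratio 1 to {ratio:.1f}")
    print(f"break-even probability reduction: "
          f"{breakeven_reduction(2400, 1500, 0.10, 466_000):.1%}")
```

With the article's inputs the break-even reduction is under 2%: the premium saving alone covers most of the platform cost, so the program only has to prevent a small fraction of incidents to be worth it before the deductible and claim-denial effects are even counted. Replace the defaults with your own premium quotes and incident estimates to rerun the argument for your CFO.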

Sector-Specific Requirements: What Your Insurer Checks Based on Your Industry

Training requirements vary by industry. The insurer calibrates their evaluation based on the specific risk profile of each sector.

Accounting and Law Firms

These firms handle sensitive financial and legal data on behalf of third parties. A compromise has a direct impact on the firm's clients, which creates exposure to professional liability claims on top of the cyber incident itself. Insurers require an enhanced program covering client data protection, access management for case files, and targeted phishing awareness (firms are prime targets for spear phishing). GDPR compliance is systematically checked alongside the cyber review.

Healthcare (Clinics, Laboratories, Medical Practices)

Health data is classified as "sensitive" under the GDPR, which increases protection obligations and penalties for breaches. Insurers check whether clinical staff are trained (they often use shared workstations without MFA), whether mobile devices are properly managed, and whether staff are aware of healthcare-targeted scams (fake laboratory orders, fake national health insurance messages). The healthcare sector traditionally shows high click rates in phishing simulations (between 25% and 35% at baseline, according to aggregated data from simulation platforms) due to staff cognitive overload and high daily email volume.

Retail and E-Commerce

The main risks are payment fraud, customer payment data compromise, and ransomware shutting down operations. Insurers check PCI DSS compliance for companies processing bank card data, fraud awareness training for teams (fake suppliers, fake customers), and digital supply chain security. Seasonality is a factor: attacks concentrate during peak periods (Black Friday, Christmas, sales) when vigilance drops and operational pressure increases.

Manufacturing and Production

Ransomware paralyzing production is the most feared scenario. Shutting down a production line costs between 10,000 and 100,000 euros per day depending on company size (CESIN data). Insurers check for segmentation between the office network and the OT (operational technology) network, training of production staff (who often have limited access to digital tools and therefore less exposure, but maximum impact if compromised), and business continuity procedures.

Financial Services and Insurance

Financial services companies face additional regulatory requirements under DORA (Digital Operational Resilience Act, EU Regulation 2022/2554), which mandates digital resilience testing and specific staff training. Insurers align their requirements with DORA: documented training, regular penetration testing, crisis management exercises, and regulatory reporting. The CESIN 2026 barometer indicates that 32% of French companies are subject to DORA.

The Common Thread: Documented Proof

Regardless of industry, the common denominator is the ability to produce documented proof of the awareness program. A phishing simulation dashboard with campaign history, click rates, and reporting rates is worth more than any reassuring speech during underwriting. Insurers evaluate what they see, not what they're told.

Frequently Asked Questions

Can my insurer refuse to cover me if I don't have a training program?

Yes. Several insurers reject applications that don't meet security prerequisites. An underwriter quoted in l'Argus de l'Assurance confirms a 50% rejection rate on cyber submissions. Training is among the prerequisites checked. In practice, outright refusal is less common than a significant surcharge or coverage limitations (exclusion of wire transfer fraud, high deductible).

How often do insurers expect training to take place?

The minimum expected frequency is quarterly for phishing simulations and annual for e-learning training. The most demanding insurers (and the most favorable in terms of pricing) expect monthly simulations and ongoing training with regular micro-modules. The SANS Institute recommends one to two simulations per month to maintain reflexes.

Is cybersecurity awareness training tax-deductible?

Cybersecurity training expenses are deductible operating costs against taxable income. For companies with fewer than 50 employees, the executive training tax credit may also apply if the executive personally completes the training. Additionally, regional subsidies exist to help SMBs with NIS2 compliance, and some cover awareness spending.

Do I also need to train interns, temporary workers, and subcontractors?

Anyone with access to the information system must receive awareness training. Insurers are increasingly checking this point, especially since third-party attacks now represent 35% of attack vectors (CESIN 2026). For subcontractors, a contractual amendment requiring cyber training is the most practical solution. For temporary workers and interns, a 15-minute onboarding module on security rules is sufficient, provided it's documented.

How do I prove training if I use free resources (ANSSI, Cybermalveillance.gouv.fr)?

The free kits from ANSSI (France's national cybersecurity agency) and Cybermalveillance.gouv.fr (France's national cyber assistance platform) are quality resources, but they don't provide completion certificates or tracking dashboards. To build a proof file, you'll need to document sessions yourself: signed attendance sheets, validation quizzes, session dates. A dedicated platform automates this documentation and generates reports directly usable by your broker.

Does training also protect against missing the 72-hour complaint deadline?

Indirectly, yes. The LOPMI (French law on digital security, law n°2023-22) makes the insurer's payment for losses caused by a cyberattack conditional on the victim filing a criminal complaint within 72 hours of becoming aware of the attack (French Insurance Code, Article L.12-10-1). But "becoming aware" depends on the company's ability to detect the incident. Employees trained in incident reporting detect incidents faster, which leaves more margin to meet the legal deadline. A company without a reporting culture can take weeks to realize it has been compromised, and by then the 72-hour window has long closed.

What happens if I switch insurers mid-program?

The proof file you build is not tied to a specific insurer. Simulation reports, training certificates, and your information security policy (PSSI in French) are company documents you can present to any underwriter. In fact, a documented 12- or 24-month history of ongoing training is an advantage during a competitive bid: it proves the approach is embedded in company practices and not a one-time reaction to the underwriting questionnaire. Brokers recommend retaining reports for at least 3 years, which covers the typical duration of a cyber insurance contract (annual renewal, but claims history assessed over 3 years).

My current insurer doesn't ask any questions about training. Should I still bother?

Yes, for two reasons. The first is that the market is moving fast: underwriting questionnaires get stricter year after year, and an insurer that doesn't ask the question today will probably ask it at the next renewal. You'll be in a much stronger position if you already have a documented training history. The second reason is that silence doesn't mean absence of requirement. Your contract's general terms almost certainly contain a "reasonable prevention measures" or "insured's duty of care" clause. In the event of a claim, the insurer can invoke this clause even if they never explicitly asked about training during underwriting. Better to document your program now than to discover that clause on the day of a claim.

How should I present the training file to my broker to get the best deal?

Your broker is your ally in the negotiation with the insurer. To get the most out of them, provide a file structured in three parts. Part 1 is the executive summary: one page summarizing the program (number of employees, frequency, results). Part 2 contains the operational evidence: awareness platform exports (click rates, 12-month trend), training certificates, dated and signed information security policy. Part 3 covers governance: name of the program owner, frequency of reports to senior management, incident response procedure. A broker who receives a structured file can submit it as-is to multiple insurers and get competitive quotes within days. A broker who gets a vague "yeah, we do stuff" over the phone can't optimize anything.

Conclusion

Your cyber insurance underwriting form no longer asks "Do you train your employees?" out of formality. It asks because the answer determines your risk level, your premium, your deductible, and, in the event of a claim, your right to compensation.

The data all points in the same direction: the French cyber insurance market is tightening on the human factor (AMRAE LUCY 2025), phishing remains the number-one attack vector (CESIN 2026, 60% of attacks), SMB claims are surging (+353% in 2024), and insurers are increasingly rejecting companies that don't document their prevention programs.

The good news: a full awareness program - e-learning training, phishing simulations, dashboard, exportable reports - can be set up in 90 days and costs between 2 and 5 euros per employee per month. That's less than the insurance surcharge you're paying without one. And infinitely less than a denied claim.

Don't wait until your next renewal to find out your insurer demands proof. Build your file now.
