The cyber insurance market’s search for maturity

The cyber insurance market is an emerging market. In 2021, it was valued at 219 million euros, or 3.1% of total corporate property insurance premiums (7.07 billion euros in 2021) and .35% of turnover for property and liability insurance companies. This last segment is subject to rapid growth. The volume of premiums thus grew 52% in 2021, which makes it the most significant market trend, according to data by France Assureurs.

In the process of finding its structure, the cyber insurance market is still far from having reached maturity. After suffering losses in 2020 (Claims/Premiums ratio of 167%), it became balanced again in 2021 with a ratio of 88% for all companies. This was achieved at the cost of price increases, a tightening of conditions and therefore a very clear decline in insurance coverage, according to the second edition of the LUCY study (« LUmière sur la CYberassurance« ) led by AMRAE, dedicated to insurance coverage of cyber risk in France.

“For the insurance sector, this recovery effort paid off: the large business segment became profitable for the most part. But it also scared away 4.4% of previously insured companies, which preferred to find other solutions to cover cyber risk,” analyzes Philippe Cotelle, administrator of AMRAE and president of its Cyber ​​committee, vice-president of Ferma and Risk Manager of Airbus Defense & Space.

This 4.4% decrease in large business coverage means that of the 251 large businesses that had taken out a policy in 2020, eleven did not do so in 2021. This figure may seem insignificant, but in a market that should still be growing, “it’s a potent sign,” considers Philippe Cotelle.

A potential crisis of confidence among companies

Intermediate-sized enterprises are currently following the same fluctuating path, a year behind large companies: their Claims/Premiums ratio, which deteriorated sharply in 2019 (481%) returned to balance in 2020 (85% ) before going back to red in 2021 (261%). “These companies can therefore expect the same treatment as large companies when they renew contracts in 2022, i.e. a very sharp increase in premium rates coupled with a severe tightening of conditions,” analyzes Philippe Cotelle.

Another study by AMRAE, published at the end of October 2022, and titled “State of the Market and Outlook for 2023 – Corporate Insurance”, confirms the general increase in cyber insurance premiums. “Overall, premiums have gone up 60% on average, even more for some accounts,” claim this study’s authors.

According to the LUCY study, all of these events are likely to cause a crisis of confidence in companies. “This crisis of confidence could lead large companies to explore additional avenues to insurance coverage: self-insurance to manage frequency risk; multi-company pooling to increase capabilities and reduce the risk of volatility linked to serious claims, etc.”

Cyber insurance, a resilience factor, mainly for large companies

Despite it all, there is a demand for cyber insurance, mainly from large companies, which alone make up 82% of the volume of premiums paid for this type of policy. In 2021, the coverage rate of companies generating more than 1.5 billion euros in revenue was 84%. However, it falls to 9% for intermediate-sized enterprises and .2% for all other categories (SMEs, VSBs and microenterprises), according to figures from the LUCY study.

“The cyber insurance market, which is still new, can be a strengthening factor in regard to the resilience of economic players. Companies are becoming aware of the consequences of cyber risk. Above all, most cyber risk is controllable: 97% of cyber claims covered by insurance led to compensation of less than three million euros in 2021″, specifies the French Treasury in its latest report titled « The growth of cyber risk insurance”.

Legal uncertainties that must be quickly addressed

But among the steps recommended in the Treasury’s report, one measure sparked debate within the cyber and insurance communities: the insurability of cyber-ransoms (dependent on the filing of a complaint, which makes it possible to improve the investigative work of the competent authorities, while strengthening support for victim companies).

The principle of insurability of cyber-ransoms is a source of uncertainty for companies. « By allowing the solvency of the victims, the reimbursement of cyber-ransoms could disrupt public order in that it could encourage committing offenses and would likely contribute to financing terrorist organizations, » specifies the Treasury report, emphasizing that this point has not yet been decided by case law.

Another grey area raised by the Treasury: the uncertainty around the implicit guarantee of cyber risk by traditional insurance policies (property and civil liability insurance contracts). “From the insurer’s point of view, since the policy was not initially drawn up for this purpose, the calculation of the premium does not take into account the realization of the consequence of the risk […]. From the insured party’s point of view, the business faces uncertainty in regard to the extent of the damage covered, which can have an effect on demand by discouraging companies from taking out cyber risk insurance policies.”

Although some insurers have taken steps to clarify their clauses, the diversity of practices remains a cause for doubt in regard to the reality of cyber risk coverage for policyholders. This also reduces the comparability of offers and can generate disputes.

Avoiding the risk transfer argument

Another argument against cyber insurance is raised by some specialists, among whom Michel Juvin, a cybersecurity expert: the transfer of risk to cyber insurers does not make the risk itself disappear.

“Cyber ​​insurance is just financial coverage. CFOs think that by transferring the risk to an insurer they are getting rid of it, but in reality this is not the case. The impact of a cyberattack on people and organizations is very real, the stress and work overload it causes can never be compensated. This notion of risk transfer does not work in favor of CISOs! », comments the cybersecurity expert.

“What comes to mind is a company that spends 100,000 euros on cyber insurance premiums. You have no idea what can be done with this amount of money, in terms of cybersecurity”, adds Michel Juvin. “If you properly secure your data and application portfolio, you do not need to take out insurance. In the event of an attack, damaged systems still make it possible to operate despite everything, we see it in hospitals.”

However, Michel Juvin was more measured in regard to small companies. According to him, they are the most likely to benefit from cyber insurance. “They don’t always have access to the ecosystem of cybersecurity service providers large businesses do, and thus can’t benefit from the same level of protection. Cyber insurers can bridge this gap, offer risk analysis and provide partners to reduce risk for these companies”, he concludes.

The cyber insurance sector is a complex area, which is currently almost exclusively intended for large companies. Its stabilization in the coming years will make it possible to clarify a certain number of contract clauses and to offer the market prices that take into account all the risks covered, so that insurers and policyholders can get their bearings. Eventually this stabilization should give SMEs and VSBs access to this type of coverage.