Does cyber insurance no longer provide insurance?
The insurance world is facing major changes. A few years ago, AXA’s CEO Henri de Castries said: “a world 4 degrees warmer will be impossible to insure.”
In recent years, insurance companies have seized the opportunity of the new cyber insurance market. While the first studies carried out four years ago showed the interest of the major insurers in this new field, the latest studies are not so clear.
What are these new offers (context of application, risk coverage) and why are we facing a change of attitude from insurers? What solution could give more equity in a still immature but evolving market?
The cyber insurance market
We have seen a strong evolution of the cyber insurance market over the last five years; and it is not every day that new business opportunities emerge in this area!
First of all, we are faced with an increase in cyber risks linked to the explosion of the attack surface, particularly following the introduction of teleworking and new modes of communication within companies, regardless of their size and activity.
These cyber risks can be categorised into five main groups:
- The risk of theft/loss of Intellectual Property (IP), know-how, and other digitised expertise in the company’s information systems (ISS);
- Reputational risk, which contributes to the confidence of both customers and suppliers;
- The risk of operational loss or disruption of IT services due to an external or systemic operational incident (e.g. fire or network outage);
- The risk of regulatory non-compliance, in particular with regards to the protection of personal data (GDPR); and
- The risk linked to IS malfunction or inaccessibility to data and services (data encryption and DDoS).
Although the first two risks (IP theft/loss and reputational damage) are the most important, they are generally not covered by cyber insurance clauses, as they are difficult to assess. On the other hand, cyber insurance offers a purely financial cover, the estimation of which is left to the company.
The risks of operating loss or fire linked to an external event were usually covered by insurers long before the emergence of our digital society. With the advent of specific cyber insurance contracts, these two clauses were extracted from standard contracts and integrated into cyber insurance, along with the risks of regulatory non-compliance and data inaccessibility.
Cyber risk is often difficult to estimate and becomes a subject for the executive committee. As a member of this committee, the financial director will propose to his peers that this risk be covered financially by cyber insurance, as is done for fraud or fire. This is why there has been a strong increase in cyber contracts, particularly in the United States.
The CESIN (Club des Experts Sécurité de l’Information et du Numérique) publishes an annual barometer of cybersecurity trends.
In 2019, cyber insurance was a strong trend and had been so for several years (see extract below).
However, in 2020 and again in 2021 (see below), only about a quarter of respondents used their cyber insurance in the event of an attack, probably because of the deductible and the potential increase in their premiums in subsequent years.
Cyber risk management process
Generally speaking, the insurance manager contributes to the coverage of risks related to essential business functions by finding the best solution to transfer the residual risk to a trusted third party, such as an insurance company. The insurance manager must now put in place a new cyber contract with the help of the risk management department and of the cybersecurity director who will identify, categorise, and define the risk mitigation actions and, in the end, hand over to senior management the choice of accepting the cyber risks or transferring them to a third party.
It is important to remember that the cybersecurity director will need to ensure that all action plans to reduce the risks identified in a due diligence are in place before transferring the residual risk to cyber insurance or a third party contractor.
At Silicon’s cybersecurity day last December, Cathy Loiseau and Jean-François Louâpre reminded us that cyber insurance is not compulsory: [… it is one of the elements for reducing cyber risks, (or at least their impact) … but not the probability of occurrence.] We are talking here about the financial impact because cyber insurance does not correct the origin of the problem.
Although there are no standard clauses for cyber insurance, companies are entitled to ask to cover—in addition to operating loss, fraud, and organisational or contractual damage—risks relating to:
- support to and development of the crisis unit;
- payment of forensic investigation costs;
- coverage of notification and legal costs in case of loss of personal data.
With regard to ransomware attacks, more and more insurers are following the recommendations of the ANSSI and marking their difference by stopping reimbursement of extortion costs, where applicable.
AMRAE published in May 2021 the LUCY report, which finally gives an analysis based on the figures produced by brokers. In summary of this document, the loss ratio is estimated at 167%… thus showing a clear lack of profitability for cyber insurers. But the details of this report highlight that only four claims made by large companies caused the heaviest losses and offset the gains generated by all other contracts!
Without concurring with the recent stance taken by the director of AMRAE, Olivier Wild (who indicated the end of cyber insurance), we note that two alternatives to cyber insurance are emerging: On the one hand—as proposed by AMRAE—the development of insurance captives that propose to pool the risks within a structure—for instance, a group and its partners—and to capitalise to cover the risk. Since this captive does not aim to make a profit, it will pay any profit back to the shareholders. On the other hand, a preventive activity through a solid continuous control of cyber risks, as proposed by YesWeHack (bug bounty programme) and member of the FnTC (Fédération Numérique des Tiers de Confiance).
As we can see, there are interesting alternatives to cyber insurance policies, the premiums for which have risen sharply this year. It is therefore even more important for the cybersecurity director and the insurance manager to put in place actions to reduce the probability of occurrence of cyber risks and their impact, while at the same time financially valuing these residual risks in order to submit them to the executive committee, which will have to either accept them or transfer them to a trusted third party of its choice.
 A risk estimated at 100 will have a premium of 10+ (with insurer’s costs) over 10 years and will only be covered once every 10 years
 The residual risk is the risk remaining after the implementation of action plans that aim to reduce the risks as much as possible
- Cyber industrial safety
- Security and Stability in Cyberspace
- Cyber risks
- Operational security
- Antifraud action
- Digital identity & KYC
- Digital Sovereignty
- Digital transition