
Does cyber insurance no longer provide insurance?

The insurance world is facing major changes. A few years ago, AXA’s CEO Henri de Castries said: “a world 4 degrees warmer will be impossible to insure.”

In recent years, insurance companies have seized the opportunity offered by the new cyber insurance market. While the first studies, carried out four years ago, showed the major insurers’ interest in this new field, the latest studies are far less clear-cut.

What are these new offers (scope of application, risks covered), and why are insurers changing their attitude? What solution could bring more fairness to a market that is still immature but evolving?

Cyber risks - Michel Juvin - 26 January 2022

With nearly 40 years of experience in information management, and more particularly in cybersecurity, Michel Juvin is well placed to analyse the latest societal developments in the forced march towards digitisation on which we find ourselves. Michel shares his experience by publishing regularly (more than thirty articles) on technical, functional, and organisational subjects. He also shares his thoughts with his peers to better understand the issues and risks to which cybersecurity directors are exposed. As part of his contributions to the curricula of schools (IHEDN, EGE, IAE, and even vocational schools), he has developed a number of courses on cybersecurity techniques and the procedures to be put in place. Michel Juvin is also a member of CESIN and regularly provides expertise to his peers within its internal mentorship programme.


The cyber insurance market

The cyber insurance market has evolved strongly over the last five years, and it is not every day that new business opportunities emerge in this area!

First of all, we are faced with an increase in cyber risks linked to the explosion of the attack surface, particularly following the introduction of teleworking and of new modes of communication within companies, regardless of their size and activity.

These cyber risks can be categorised into five main groups:

  1. The risk of theft/loss of Intellectual Property (IP), know-how, and other digitised expertise held in the company’s information systems (IS);
  2. Reputational risk, which contributes to the confidence of both customers and suppliers;
  3. The risk of operational loss or disruption of IT services due to an external or systemic operational incident (e.g. fire or network outage);
  4. The risk of regulatory non-compliance, in particular with regard to the protection of personal data (GDPR); and
  5. The risk linked to IS malfunction or inaccessibility to data and services (data encryption and DDoS).

Although the first two risks (IP theft/loss and reputational damage) are the most important, they are generally not covered by cyber insurance clauses, because they are difficult to assess. Cyber insurance instead offers purely financial cover, the valuation of which is left to the company.

The risks of operating loss or fire linked to an external event were covered by insurers long before the emergence of our digital society. With the advent of specific cyber insurance contracts, these two clauses were taken out of standard contracts and integrated into cyber insurance, along with the risks of regulatory non-compliance and data inaccessibility.

Cyber risk[1] is often difficult to estimate and becomes a matter for the executive committee. As a member of this committee, the financial director will propose to his peers that the risk be covered financially by cyber insurance, as is done for fraud or fire. This is why there has been a strong increase in cyber contracts, particularly in the United States.

The CESIN (Club des Experts Sécurité de l’Information et du Numérique) publishes an annual barometer of cybersecurity trends.

In 2019, cyber insurance was a strong trend and had been so for several years (see extract below).

However, in 2020[2] and again in 2021[3] (see below), only about a quarter of respondents called on their cyber insurance after an attack, probably because of the deductible and the likely increase in their premiums in subsequent years.

Cyber risk management process

Generally speaking, the insurance manager contributes to covering the risks to essential business functions by finding the best way to transfer the residual risk[4] to a trusted third party, such as an insurance company. The insurance manager must now put in place a new cyber contract with the help of the risk management department and of the cybersecurity director, who will identify and categorise the risks, define the mitigation actions and, in the end, leave senior management the choice of accepting the residual cyber risks or transferring them to a third party.

It is important to remember that the cybersecurity director will need to ensure that all action plans to reduce the risks identified in due diligence are in place before transferring the residual risk to cyber insurance or to a third-party contractor.

At Silicon’s cybersecurity day last December, Cathy Loiseau and Jean-François Louâpre reminded us that cyber insurance is not compulsory: “… it is one of the elements for reducing cyber risks (or at least their impact) … but not the probability of occurrence.” We are talking here about the financial impact, because cyber insurance does not correct the origin of the problem.

Although there are no standard clauses for cyber insurance, companies are entitled to ask for cover, in addition to operating loss, fraud, and organisational or contractual damage, for risks relating to:

  • support to and development of the crisis unit;
  • payment of forensic investigation costs;
  • coverage of notification and legal costs in case of loss of personal data.

With regard to ransomware attacks, more and more insurers are following the recommendations of the ANSSI and setting themselves apart by no longer reimbursing extortion payments, where applicable.

In May 2021, AMRAE[5] published the LUCY report, which finally provides an analysis based on figures produced by brokers. In summary, the loss ratio is estimated at 167%, showing a clear lack of profitability for cyber insurers. But the details of the report show that just four claims made by large companies caused the heaviest losses and wiped out the gains generated by all other contracts!

Without concurring with the recent stance taken by the director of AMRAE, Olivier Wild[6] (who announced the end of cyber insurance), we note that two alternatives to cyber insurance are emerging. On the one hand, as proposed by AMRAE, the development of insurance captives, which pool the risks within a structure (for instance, a group and its partners) and build up capital to cover the risk; since a captive does not aim to make a profit, any surplus is paid back to its shareholders. On the other hand, prevention through solid, continuous control of cyber risks, as proposed by YesWeHack (a bug bounty platform and member of the FnTC, Fédération Numérique des Tiers de Confiance).

As we can see, there are interesting alternatives to cyber insurance policies, whose premiums have risen sharply this year. It is therefore all the more important for the cybersecurity director and the insurance manager to put in place actions that reduce both the probability of occurrence of cyber risks and their impact, while at the same time putting a financial value on the residual risks so that they can be submitted to the executive committee, which will have to either accept them or transfer them to a trusted third party of its choice.
