In an increasingly digital economy where the risk of cyberattacks is rising relentlessly, the cyber insurance market is booming and becoming highly competitive. On the French market, which represents around €45 million, insurance services are starting to grow and develop.
The first services appeared a few years ago, through American companies specialised in key accounts and industrial risks. For the last four or five years, general insurers have been positioning themselves on this market and setting out to conquer VSEs and SMEs. These represent a market potential that we estimate at €1.7 billion. Cyber insurance products prioritise coverage of civil liability as well as property damage and personal damage. Some go beyond financial compensation by offering to provide experts to manage the incident and allow the entrepreneur to resume business as usual.
With the digital transformation of companies and the entry into force of the new European General Data Protection Regulation (GDPR) in 2018, competition to conquer this new business and cover these risks will only intensify.
However, VSEs and SMEs take a very different approach to cyber risks than large groups and enterprises. The former lack the structure and organisation of the latter. Many VSEs and SMEs do not have a risk manager, or even in some cases an IT department, to effectively identify and manage these new risks for them. In this mixed environment, risk assessment by insurers is complex, considering that it goes hand in hand with premium pricing and coverage level.
How can workstations and smartphones, as sensitive infrastructure points, be verified as suitable, up to date and capable of withstanding cyberattacks? How can Internet connection security be monitored? Are backups performed frequently and secured outside the company? Company managers cannot answer these questions if they are not well versed in the subject.
Questions about industrialising risk assessment and risk surveillance over time, as well as intervention in the event of a loss, are going to arise. Insurers wishing to differentiate themselves must build a complete service based on different risk typologies. They must also establish coverage and services enabling a company to quickly resume its activities in the event of a loss and meet new regulatory requirements. Increasingly, and inevitably, IT service providers are being called upon to fully meet insurers’ needs for diagnosis and advice all along the insurance value chain. To this end, IT infrastructure assessment tools must be rolled out. Analysis and recommendations will allow insurers to establish the most appropriate conditions for insurance.
Under these circumstances, collaborative efforts and even partnerships between insurers and suppliers of security, backup and IT support solutions to prevent losses and support companies that have suffered losses will become unavoidable. The notion of a complementary dynamic between insurers and IT service companies is beginning to emerge.
Partnerships will develop according to models recognisable from the health insurance sector (e.g. between mutual insurance companies and opticians or hearing aid specialists) or from the car insurance sector (e.g. with authorised mechanics). These are just a few of many examples that might be cited. Partnership models encompassing distribution of these insurance products, management and compensation in the event of losses have yet to be established.
The challenge for insurance companies eager to conquer this promising market is to approach the conquest in an industrial and secure manner by building good frameworks for distribution, risk assessment, management and handling of losses. Given that companies are increasingly being exposed to these risks, sooner or later, insurance coverage for these risks will no doubt become mandatory.