Faced with the resurgence of cyber attacks, more and more French companies are choosing to use dedicated coverage. But in a market that is far from mature, the approach is sometimes an obstacle course, except for very large groups.
More than every other French company (54%) was subject to a cyber attack in 2021. This is the alarming observation drawn up in a recent report by the Financial Directorate of the Ministry of Finance on the development of cyber risk insurance. A protean cyber risk, closely linked to the growing use of digital technologies, which can arise both from human error in the targeted company and from an actual computer attack: malwaretrying to phishing and other ransomware are now fully part of the security concerns of companies, regardless of their size or sector of activity. This exponential increase in cyber risk, further driven by the health crisis, the use of telework or the war in Ukraine, has paradoxically not resulted in a similar increase in the coverage of these specific risks: still according to the Ministry of Finance, the risk cyber represents today only 3% of non-life insurance contributions for professionals.
How can this decoration be explained? This originates, firstly, in the difficulty that companies often experience in perceiving this particular risk – an observation that is particularly true of French SMEs, of which only 0.0026% are currently covered against cyber risk, compared to 87 % of the large companies. On the part of insurance companies, restraint is also in order, while the volume of claims has tripled between 2019 and 2020, with a claims/premium ratio of 167% against 84% the previous year. For the latter, the account is not there, especially since a cyber attack often tends to “spill over”: not only is the computer system of the targeted company affected, but its reputation, its share price or its market shares can be affected – as, for example, appears of the 250 million losses that Saint-Gobain suffered after a cyber attack in 2017. These are all elements that make cyber risk a special area of expertise, and cyber insurance a particularly complex model to industrialize.
Reconciliation between insurers and reinsurers, “in-house” cyber insurance, etc.: advanced paths
Indeed, as MP Valeria Faure-Muntian pointed out in a report published in October, the French cyber insurance market still needs to be structured. Meanwhile, several large groups have decided to take the plunge themselves by launching their own insurance company dedicated to cyber risk. Thus, Airbus, Michelin, Veolia, Sonepar or the German BASF announced at the end of September that they intended to gather their cyber risks in a new structure, called Miris, which they deny does not intend to replace insurance companies, but that ensure their coverage: “we do not want to replace insurance companies”, argues the Airbus representative, “but to collaborate by complementing their available offers in a co-assurance approach”. The founding members of Miris each brought 5 million euros to the table, for a possible individual coverage of 25 million euros.
However, the initiative still needs the regulator’s approval before, its designers hope, it issues its first policies at the beginning of the year 2023. It testifies both to the sense of urgency and to a certain nervousness of economic actors towards the wait-and-see attitude of an insurance world struggling – it’s a shame – to reassure. In the short term, however, the solution may come from approximations between French insurance companies and foreign reinsurance companies by betting on internationalization to cover cross-border risks – which is often the case with cyber risks. For example, the merger between French mutualist Covéa (MAAF, GMF, MMA) and Bermudian reinsurer PartnerRe, which is developing a capacity for global observation of these transnational risks, will enable the French mutual leader to rely on PartnerRes fine analysis of international risks to secure its own customers against cyber attacks.
Many outstanding questions
However, many questions remain unanswered. In particular, but not exclusively, about the delineation of the perimeter of such cyber insurances: should they, for example, cover the payment of a possible ransom? Opinions are divergent, both within the insurance companies themselves and the political class: while Anssi (The National Agency for Information Security) accuses insurance companies that pay ransoms to finance cybercrime, MP Valeria Faure-Muntian is clearly out to “ban insurance companies from guaranteeing , coverage or indemnity for the ransom”.
The same dilemma about the prospect of making cyber insurance compulsory: Valeria Faure-Muntian wants to force companies that collaborate with the state to use it, while Amanda Maréchal, from the professional insurance company QBE, believes that such an eventuality would lead to ” emaciation of companies” in their efforts to protect themselves from attacks. In short, the debate is open and, in a sector in full structuring, is not close to being decided.