While the risks associated with cyber security are constantly increasing, cyber insurance premiums are decreasing. This is the paradoxical conclusion of the authors of the report from Howden, the British insurance company. “Ransomware activity continued to grow as geopolitical instability took hold and generative artificial intelligence grew,” states the report in its introduction. This increase is confirmed in France by ANSSI. In addition to purely criminal activities, there are actions by groups acting on behalf of states: geopolitical instability gives rise to attempts to destabilize information systems, as we have seen with the increased activity of Iranian hacker groups since the start of offensives in the Gaza Strip.
Likewise, generative artificial intelligence poses new risks through the use of deepfakes. Last February, for example, an employee of a company in a Chinese financial center received calls via video conference from someone posing as an executive at his company asking him to transfer the equivalent of 26 million US dollars to designated bank accounts.
15% price reduction
Faced with this increase in risk, it may seem strange that insurance companies are lowering their prices. But this is actually the case: the drop is 15% compared to 2022, according to Howden. “We have actually observed a decrease of about 15%,” confirms Alexandre Andreini, CTO of Stoïk, a French cyber insurance company with a strong presence in mid-sized companies and SMEs. “This is true in France, but it is lower in Germany, where prices are relatively stable.”
There are several explanations. First of all, premium amounts grew very strongly in 2021 and 2022. It is therefore quite logical that they should now decrease slightly. Additionally, customers were wary and sometimes discovered to their own cost that they were not covered as they thought. “Fewer companies are willing to invest significant amounts in cyber insurance after bad experiences when the insurance refused to pay in the name of clauses subtly inserted into the contract,” explains Ilia Kolochenko, General Director of ImmuniWeb. To bring them back, insurance companies had to adjust their prices and the risks they covered. Cyber insurance has thus become much more mature, with better risk calculation and, above all, better prevention.
Figure: Cyber insurance premiums fall after sharp rise, according to Howden. Credit: Howden
The risk has changed
At the same time, the risk of attack has changed, although it is still high. “With regard to incidentology,” explains Alexandre Andreini, “the frequency has not decreased, rather the reports show an overall increase, but the severity of incidents has decreased.” In short, more incidents, but less dramatic consequences. “It is not a coincidence,” continues Alexandre Andreini, “because if the prices fall, this is not the case for security checks, which are stricter at the time of signing.”
In fact, neither insurance companies nor security specialists can eliminate all vulnerabilities. But insurers can encourage companies to implement security measures that will reduce the financial impact of an attack. Businesses fear loss of data and operational losses caused by downtime in IT services. Before letting them sign a policy, insurance companies will first conduct an information system audit and demand the implementation of draconian security measures. It is a bit like the principle of a seat belt in a car: it does not prevent accidents, but it reduces the severity of bodily damage in the event of a collision. In addition to these security checks, which vary by company, insurers conduct regular audits of information systems and report vulnerabilities over time.
Occupational protection has been strengthened
Criminals have learned their lesson and ransomware is no longer very popular. Of course, this does not mean that it has disappeared, but large companies are today relatively protected: sensitive data is copied in real time to separate servers, so that in the event of criminal encryption, the company can restart relatively quickly. As a result, the number of claims has decreased, according to Databarracks, while the number of organizations with cyber coverage has increased. Only 36% this year reported an incident, compared to 58% in 2022.
Finally, the insurance market is cyclical: when profits are there, companies engage in increased competition, which pushes prices down. As a result, if the number of incidents increases, they lose money and have to increase premiums to make a profit again. And the cycle begins again. Cyber insurance is no exception to this rule.