Cyber insurance: why does it scare away insurers?

Is cyber risk one of the greatest enemies of insurers? That, at least, is the conclusion drawn by the World Economic Forum in Davos and by France Assureurs, a professional body representing insurance companies in France, and it is not unfounded: in 2021, about 1,000 Belgian companies and one French company out of two had already been victims of cyber attacks. Beyond this observation, the situation on the market may become even more severe: from a car insurance perspective, the self-driving car and the connected car can both have a serious impact on it, and, in a more futuristic and global approach, so can the scope of the metaverse.

Cyber insurance: how far have we come?

While the cyber insurance market was established in the 2000s across the Atlantic, in Europe, and more specifically in France and Belgium, it is still struggling to get its bearings.

In Belgium and in France, this type of contract has been available to professionals for five years. The few current clients are mostly leading multinationals and, to a lesser extent, small and medium-sized companies, as well as some targeted independent companies. On the insurers’ side, few offer cyber insurance cover. Additionally, Wallonia offers fewer such contracts than elsewhere in Belgium. On these markets, cyber risk cover comes in two forms: it is either embedded in a civil liability or legal protection policy, or it is a standalone insurance policy.

On the French professional indemnity market, a total of 185 million euros in cyber premiums was paid in 2021 (Source: AMRAE). However, we learn from AMRAE’s Lucy 2022 report that cyber insurance contracts do not meet the larger companies’ expectations, in particular due to the high insurance coverages. Therefore, even if this market is driven by the few large companies that are currently clients, those that are not yet clients would rather insure themselves alone or in groups of mutual insurance companies, as we will discuss below.

 


As far as the specific features of cyber insurance policies are concerned, various clauses may be included. One is an opt-out clause for losses arising from an attack that results in a disaster effect for the targeted state. If the contract does not have an exclusion clause for such conflicts, clauses excluding losses from war are also used. Nevertheless, as pointed out by the Direction du Trésor, the implementation and effectiveness of such clauses are not necessarily clear. This is the case when the term ‘cyber war’ is not clearly defined in law. Nor can the policyholder’s claim be clearly defined if the origin of the attack cannot be determined.

Threats of a cyber attack

Cyber attacks take increasingly diverse forms. Among them are malware and ransomware, as well as identity theft. For a greater impact on the company’s image or finances, identity theft is the attackers’ best weapon.

The threats posed by cyber attacks are numerous and cause substantial damage to a company: costs related to the immediate consequences of the incident, whether the management of the incident or the financial losses of the company, property damage and the company’s civil liability. In addition, business interruption and operational loss are the main risks. As a result, cyber risk is considered an operational risk by many insurers.

Another worrying threat for companies, and consequently for insurers, is the payment of a ransom of up to €500,000. However, in France, the issue of ransom payment is currently being discussed, particularly because an insurance policy that includes a clause in favour of ransom payment is seen as encouraging cybercriminals to commit such acts. The French Ministry of the Economy recently published a report clarifying the right of policyholders to ask the insurer to pay the ransom, but the insurer is under no obligation to do so. In light of this situation, insurers are advised to support their policyholders as much as possible in the event of a cyber attack, without paying the cyber ransom.

Why is this market developing slowly?

Whether in Belgium or in France, insurers are wary because there is very little statistical data on cyber risk, and its rapid evolution does not allow for easy adaptation, especially in an environment that is still very unfamiliar and difficult to control.

Assessing financial risk is a barrier for insurers, particularly because of the lack of data. In France, one of the reasons for the poor development of this market is the balance between the value of premiums and the value of calculated damage: in 2020, French insurance companies recorded 217 million euros in damage against 126 million euros in premiums collected (source: AMRAE), which leaves them with a shortfall. The cost of damage for a victim company is particularly difficult to quantify for two reasons. The first is the interdependence of our society’s information systems, which is at the origin of accumulation phenomena, as Olivier Lopez, Director of the Institute of Statistics at the University of Paris, explains in this interview. The second is the black number, i.e. the gap between known and actual cyber attacks, which stems from the victims’ fear of the consequences for their reputation.

It is also very difficult to predict the damage of this type of attack, mainly because an attack can have several targets: even if it remains unusual, a single attack can be directed against several states. Despite the infrequency of this particular case, the possibility of an attack aimed at different targets simultaneously is frightening for insurers. As a result, and due to the increasing number of attacks, insurance premiums are high, whereas the offer is already not very developed. The cyber insurance market therefore cannot evolve. In addition, insurance companies are cautious in their choice of customer profiles because they are concerned about their solvency, because of a lack of knowledge about cyber insurance products, and because of an underestimation of the importance of cyber attacks, especially for SMEs.

 


The market’s own structure also prevents it from developing properly. The legal framework of cyber insurance contracts is not clear enough, whether for insurers or policyholders, given that implicit guarantees and ‘silent’ covers exist. The latter means that cyber risks are covered by property insurance contracts without policyholders and insurance companies being aware of it. From the policyholder’s point of view, this cover can be beneficial as it is included in this type of policy. However, as they are not informed of its coverage, they do not activate it and the cover is not considered in the calculation of the premium. For insurance companies, this practice is dangerous, especially as they may be confronted with an unforeseen risk if they do not include the real consequence of the risk in the calculation of the premium. As a result, the coverage of insurance contracts is not always clear to the policyholder, so fewer policies are taken out. Moreover, the imprecision of the ‘silent’ cover can negatively impact the solvency of the insurer. In this respect, following the publication of EIOPA, the Autorité de Contrôle Prudentiel et de Résolution (ACPR) strongly encourages insurers to “examine all the guarantees given in their contracts with regard to cyber risks and, where appropriate, to clarify and make more explicit the wording of the terms and conditions of policies with regard to the coverage or exclusion of these risks, to provide an ambiguity-free offer to policyholders”.

As mentioned above, the ransom impacts the market’s development, because some contracts cover the ransom, while others do not. This insurance cover can have an undesirable effect: the rise of cyber attacks. However, the insurers’ federation Assuralia states that this guarantee is an advantage for policyholders and should not cause them any fear: by being covered against ransom, insured companies benefit from the help of experts who can decrypt these ransom demands and can enlighten the customer about them.

Lastly, whether or not insurance companies that are victims of a cyber attack are covered against administrative sanctions, for example in the event of failure to notify a data breach, is a matter of concern for companies that might wish to take out such policies. In that specific case, the sanction may be covered by the insurer, as opposed to a criminal fine. In addition, some insurance contracts may include compensation for costs related to the implementation of a crisis communication plan by the victim company.

Step by step, the efforts continue…

Despite the current geopolitical situation, measures in the insurance market are being taken to develop even more cyber insurance policies. In France, the Ministry of Economy proposes to set up a working group to define what constitutes cyber war in order to establish possible legal exclusions to contracts. Moreover, the ACPR and France Assureurs will study the market’s main clauses to improve the level of information of policyholders. They have the ambition to create a cyber attack observatory to solve the data shortage. In Belgium, Assuralia believes that a collaboration between the private sector and insurers could foster the development of this market, with the help of the Center of Cyber Security whose main missions are to raise public awareness and help victims.

At the European level, EIOPA believes that the creation of a European cyber attack reporting database based on a common taxonomy can enable the insurance industry to improve its assessments and data collection so that these types of risks can be properly measured, monitored and managed.

In any case, if insurers do not keep up, some companies (Airbus, Veolia and Adeo) have anticipated a future disaster by creating a mutual insurance company in Belgium, Miris Insurance, to cover the risk of cyber attacks. It is still awaiting approval from the Belgian regulator, but it should be operational before January 1st 2023.

This statement by large groups highlights the management of cyber insurance by insurers. It is clear that it is essential that insurance companies take up this challenge more clearly because they run the risk that other stakeholders, such as Miris, will become essential in this market. Finally, mutual insurance companies like Miris could develop and offer competitive and possibly more attractive insurance products.

Cyber insurance is therefore a key issue for insurance companies to address, as failing to do so would put them at a disadvantage in the insurance market.
