Through interviews with key players from the finance and insurance sector, we invite you to discuss topics that are currently shaking our industries. Today’s focus is on cyber insurance.
We had the pleasure of speaking with Olivier Lopez, professor at Sorbonne University, director of ISUP and scientific director at Detralytics. For 4 years, Olivier has explored every corner of cyber insurance. Among his work, he observed the rise of a new risk and the lack of methods to quantify the risk. He is currently co-leader of a research project on the subject with the Risk Foundation, funded by the AXA Research Fund.
Hello Olivier! Why everyone is paying attention to cyber insurance nowadays ?
Recently, we have witnessed an aggravation of the cyber threats due to the raise of the use of digital technology and our dependence on it, which was accentuated by the Covid-19 crisis. Our economic sector and our daily life are increasingly exposed to these cyber risks. The weight of digital technology in the economy now makes it necessary to use insurance tools to protect oneself and it is in this context that it is necessary to build a cyber insurance market, which is currently in full development.
In 2020, 192 significant ransomware attacks were listed by the National Agency for Computer Systems Security compared to 54 attacks in 2019, an increase of 255% in one year (Source CERT-FR). Why should we fear cyber risk?
Cyber risk is scary for two main reasons. On the one hand, we can have a “classic” case of an entity being attacked, which incurs a huge cost linked to various consequences of a cyber-attack, including loss of activity. On the other hand, it is not excluded that the phenomenon takes on a greater scale and it is often difficult to predict. We are talking about so-called accumulation phenomena, which are massive phenomena that can endanger pooling. It has already been the case particularly with the “Wannacry” or “NotPetya” episodes which both took place in 2017.
What are the issues resulting from these massive events for insurers?
This is where it gets problematic. The NotPetya case, for example, has been assimilated to an act of cyber warfare. We could say that this case does not necessarily fall within the scope of insurance since there are notably exclusion issues that are introduced in guarantees and which can protect the insurer against this type of event. In reality, this is quite illusory because the exclusions are difficult to define in the context of cyber insurance, and it is also quite possible to have massive events that cannot be assimilated to acts of war.
From an actuarial perspective, what are the main challenges in developing adequate cyber insurance products?
One of the difficulties is pricing. Putting a price on a cyber risk can be complicated, especially considering the competition of other insurers, which can complexify the pricing. Another critical point is the risk management, in other words, the management of the commitments made by the insurer,. Indeed, the insurer must be able to manage the greatest number of risks and therefore offer sufficiently broad coverage to meet the needs of society in terms of cyber insurance. The challenge for actuaries is therefore, on the one hand, to develop cyber insurance products that both have an adequate pricing for the risk and are sufficiently robust to really serve as an umbrella in the event of a cyber major catastrophe.
In addition, today, we are trying to exclude from the guarantees a certain number of events that are poorly controlled facing a risk we are scared of. This exclusionary logic is undoubtedly partially necessary, but it also limits the quality and attractiveness of products and therefore limits the number of people who will sign for these cyber insurance contracts and, consequently, slow down pooling.
What are the challenges for the actuarial sector?
As I said, the stake is in a way quite historical because it is not every day that there is a new risk of this magnitude that emerges. Insurance is expected to be one of the resilience factors in this area of cyber risk and the challenges for the actuarial sector are to develop a solid knowledge of this risk, to succeed in mastering it and to be able to offer solutions that remain attractive.
What methods are used to assess these risks to date?
There are different methods and different models that allow us to better understand these risks, although these methods and models are not obvious and (not yet) completely successful. Ideally, these tools should be able to overcome certain difficulties and therefore take into account criteria that are sometimes difficult to measure such as the scale of the event, its severity or the speed of its evolution over time.
Facing all these difficulties, what advice would you give to actuaries who wish to approach cyber insurance?
Before tackling the issue of cyber insurance, we must understand the risk and the major issues associated with it. To do so, one must take into account not only the technical elements but also the functioning of the risk, the functioning of cyber-attacks and the human aspect of it, which is particularly crucial and almost preponderant over the rest. Indeed, one of the specifics of cyber risk is that it is essentially a human risk with the potential of disaster wish is not necessarily natural. In addition, the phenomenon can evolve rapidly over time and potentially be extremely severe. Since this is a relatively new risk, we have imperfect knowledge of it. It is necessary to learn gradually by integrating both expertise but also reliable statistical information and robust actuarial techniques.. If we want to be able to anticipate and manage cyber risk, we therefore need tools that have the ability to anticipate and model the behavior of the various players, and to adapt to their constant evolution. If we do not fully understand these mechanisms, there’s always the risk of a delay in the risk assessment.
One final word ?
Update your operating system!