At the 2022 edition of the Cyber Security Conference, the spotlight was once again on cyber insurance, with a roundtable asking what alternatives companies would have if they did not sign up to the proposed contracts.
Taking part in this roundtable, which was moderated by Florence Puybareau, Director of Content and Communication at DG Consultants, were Anne Cridlig, Head of Professional Indemnity & Cyber Department Financial Lines, Zurich Insurance; Philippe Cotelle, Administrator of AMRAE (Association for Management of Business Risks and Insurance); Sébastien Heon, Cyber Solutions Deputy Chief Underwriting Officer, Scor; and Gilles Berthelot, Digital Security Director, SNCF Group.
In an introductory remark, Florence Puybareau recalls that it has been several years since a roundtable discussion was devoted to cyber insurance, but that in light of recent events and the different positions taken, the Steering Group for Assizes decided to organize a new roundtable on this topic.
She adds that there have indeed been and are more and more cyber-attacks, especially ransomware, and that CISOs have expressed their difficulties and their fears.
The topic of cyber insurance is therefore more relevant than ever and the purpose of this roundtable was to explore the responses of insurers and reinsurers and to have some ideas on how CISOs and Risk Managers or Directors of ‘Insurance’ can find solutions to cyber risks.
LUCY 2: an analysis of the evolution of the cyber insurance market
Philippe Cotelle analyzed the LUCY 2 study (Light on Cyber insurance), published in June 2022. The purpose of the study is to provide a better long-term reference for the development of the market, premiums and compensation, in an economy that has become increasingly digital and in which companies are increasing their exposure to cyber risks. He gave the example of the cyber attack that hit the company Merck, whose losses were estimated at 1.4 billion dollars, showing that the way cyber risk is financed is crucial for companies. To finance risk is to insure it.
In 2020, the LUCY study showed that insurers in France lost a lot of money on cyber insurance, with a loss rate of 167%, meaning they paid out 1.67 times what they received in premiums. Four claims in 2020 alone were enough to absorb the entire premium in the French market.
By 2021, the LUCY study showed an increase in premium volume of almost 40%. On average, for companies with more than 1.5 billion, insurance premiums doubled and the deductible was multiplied by 10, to an average of DKK 4 million. The insured amount fell on average by 25% to DKK 30 million.
Regarding ETIs (mid-sized enterprises), the phenomenon is different, because in 2021 many bought cyber insurance and the increase in premiums was less significant, with a strong improvement in insured claims. On the other hand, the compensation amount was multiplied by 5, with a compensation ratio of 250%, which means that the insurance companies paid 2.5 times more in claims than they received in premiums.
In conclusion, one can fear that the insurance requirements in 2022 will be as strong for ETIs as what we experienced for large companies in 2021.
Cyber too risky for the reinsurance sector
On the reinsurance side, Sébastien Heon of Scor, “the one who allows the insurance company to insure” according to Florence Puybareau, recalls that a reinsurance company has insurance companies as clients, which means that in exchange for a part of the premium that the latter receive on a line such as cyber, the reinsurer pays part of the compensation. Capital is provided to insurance companies so that they can underwrite, sign new contracts and have the financial capacity to honor those contracts. We bring fluidity to the insurance market.
Reinsurance is based on natural disasters; that’s how it was born. It works because there is a geographic pooling of risk. The reinsurance company builds its financial capacity in a geographically diversified way, betting that natural disasters will not strike all countries of the world at the same time in a given year, at least before the reality of climate change.
The problem in cyber is that no geographic spread is possible for cyber risk, because a cyber attack like the one in Ukraine can affect the United States (in the case of Merck) and other places in the world at the same time. Natural disasters also occur seasonally, whereas cyber attacks have no seasonality. Not being able to diversify cyber risk, either geographically or over time, has a very important consequence: cyber risk consumes a lot of a reinsurer's capital, a large part of which has to be mobilized. So it is very expensive.
Another element to emphasize is that reinsurers also have reinsurers themselves, which are called retrocessionaires. In cyber, this industry is underdeveloped because it is generally funded by the financial markets, which bring in capital but have little appetite for cyber because they fear cyber risk and don’t really understand how it works. They don’t know if these are short or long risks.
And finally, reinsurance is a highly regulated business with standards that set the limit of capital that can be committed for a given risk. He concludes by saying that reinsurers have now reached the maximum amount of capital they can allocate to cyber risk.
Should the cyber risk be covered, if so how?…
Florence Puybareau takes the opportunity to remark that one must therefore conclude that responsibility for this tense situation lies with the supervisory authority, and that it should be invited to the roundtable in 2023.
She gives the floor to Gilles Berthelot, telling him that SNCF would here represent the companies that are the victims of this situation, but Gilles replies with humor: “more like cash cows”.
Gilles Berthelot explains that SNCF and other companies have the impression of always paying more while being less covered, with some frustration. Premiums are increasing, deductibles are increasing and maximum coverage is decreasing.
Anne Cridlig, who represents the insurance company, explains that 2020 and 2021 were two terrible years in which ransomware attacks multiplied, which was very expensive in terms of both intensity and number, and that this is one of the challenges to be addressed in an insurance market that is only ten years old in France. We are not in a market as mature as liability or fire and property damage insurance. Nor does the geopolitical context of potential threats help anyone stay calm in the face of this cyber risk, given the risk associated with interconnection on the Internet, which can lead to several customers being attacked at the same time. The costs of reinsurance will therefore not improve.
All these observations led Florence Puybareau to ask the question of alternative solutions to the cyber insurance model as practiced today.
Anne Cridlig suggests ongoing discussions between the insurance company and the companies (Risk Manager, CISO, Broker, Director of Insurance) to jointly assess the identified risks, understand the context and then propose appropriate solutions.
Sébastien Heon suggests thinking about the question of whether the company should simultaneously cover daily risk and what can be considered a disaster, following the model of fire risks or damage to property.
Gilles Berthelot raises the current considerations about captives (a captive is an insurance or reinsurance company belonging to a company or group whose commercial activity is not insurance). Philippe Cotelle calls for reflection on the possibilities of pooling cyber insurance between several companies. The last question was whether the insurance company could, in the future, bring a case against the software publishers.
To catch up, watch the full roundtable on Assise’s YouTube channel.