There is an urgent need to find a solution to cyber insurance problems

Things are heating up as the meetings of the Association for Risk Management and Business Insurance (Amrae) approach, taking place from February 2 to 4 in Deauville. While renewals of insurance contracts for companies are even tighter than a year ago, and while waiting for Bercy’s action plan on cyber risk insurance, the subject of coverage of risks related to cyberattacks is a bone of contention between risk managers and insurers.

Cyber insurance no longer responds
A small survey carried out in December by Amrae among around a hundred companies, including 70% of large accounts, indicates that the greatest difficulties with the January 1 renewals are concentrated on cyber coverage (price increases, new limits, or even outright non-renewal). “Some insurers don’t even answer the phone anymore…” regrets Philippe Cotelle, director of Amrae, co-chairman of its cyber commission, and risk manager of Airbus Defense & Space. In its 2022 cybersecurity forecast, solutions provider BeyondTrust feared “a tsunami of cyberinsurance cancellations”. A credible prediction?

We are not far from it, if we listen to Oliver Wild, the president of Amrae, who told CIO-Online that “The cyber insurance market may not exist next year”, describing “contracts emptied of their substance”.

Concretely, the situation looks like this: premiums explode (more than doubling in sectors such as logistics and industry), deductibles increase, the risks accepted by insurers shrink, and guarantees are reduced. Or coverage is simply no longer offered. “The number one problem is capacity. Faced with a long-term risk, where financial exposure to cyber risk is constantly growing, the market provides a short-term response, which varies from year to year or even ‘month to month’,” explains Philippe Cotelle.

How did we get here?
The capacity problem, i.e. the insurer’s maximum financial commitment, has several causes. On the one hand, there are the poor technical results of the branch. The volume of claims compensation was multiplied by three between 2019 and 2020, bringing the claims/premiums ratio to 167% against 84% a year earlier. In other words, cyber has not been profitable for insurers, who have paid out more than the premiums collected. According to Amrae, this inflation is due to four very large claims (10 to 40 million euros each) declared by large companies, representing only 1% of claims compensated in 2020.

On the other hand, there are not enough customers to pool the risk, because very few companies are insured. In 2020, according to Amrae, 87% of large companies (>1.5 billion euros in turnover) were covered, but only 8% of mid-sized companies (ETIs), 0.0026% of SMEs with between 10 and 15 million euros in turnover (a figure underestimated because of the sample, but nevertheless derisory), and 1% of municipalities with more than 5000 inhabitants. In 2020, this represented 135 million euros in premiums according to France Assureurs, i.e. only 0.225% of all non-life insurance premiums.

This creates a vicious circle. “The loss ratio increases in amounts, which scares insurers. To respond to a problem of frequency, they can easily play on the deductible. On the other hand, for a problem of intensity, they reduce the capacity per risk, which is counterproductive”. The offer is not attractive enough, so there are fewer customers, so less pooling, so less capacity… It’s the cat biting its own tail.

Double paradox
Insurers and reinsurers are all the more cautious because they have poor control over this risk, which is recent compared to others, and for which they have less data. This is why France Assureurs (formerly the French Insurance Federation) favors prevention, data sharing, and the removal of regulatory vagueness, particularly on the reimbursement of ransoms, as areas for development. Axa and Generali have already indicated that they no longer support ransom payments, which are strongly discouraged but not prohibited by law.

In summary, it is increasingly difficult to obtain insurance, whereas companies have never needed it so much. And the market is experiencing a double paradox: a lack of supply for large companies, and weak demand from mid-sized companies (ETIs), SMEs and local authorities. Yet according to Stéphane Blanc, president of Antemeta, a cloud and security solutions provider, 60% of SMEs that are victims of a cyberattack go out of business within 18 months.

What solutions?
For large companies, one solution is to create captive insurance companies, a kind of mutual fund within a group, regulated like an insurer. A legislative change, supposed to facilitate the creation of captives, was expected this year but it was postponed. Large companies also invest heavily in cybersecurity. “The information required to convince insurers is increasingly complicated and highly technical. Their level of requirement has reached thresholds which, given an answer, are not found in the guarantees offered. These questionnaires also raise questions about security and confidentiality. Why so much effort for such low coverage? Why not reinvest all or part of these bonuses in even more cyber security?”, asks Philippe Cotelle. On average, according to Amrae, large companies are covered for guarantees of 38 million euros.

SMEs do not have as much money to invest and find it difficult to sort through security solutions. Amrae has made proposals, in coordination with Anssi and, to create a repository of comparable and labeled offers. “The State must be a coordinator to guide companies on the cheapest and most efficient path, and thus lead them to be insurable”. It also suggests that brokers put more emphasis on the crisis management support services package in cyber insurance offers. Marc Bothorel, cybersecurity lead at the CPME, proposes establishing a tax credit for hardware and software equipment, like the France Num voucher (chèque France Num), which helps very small businesses (VSEs) go digital.

Bercy to the rescue
For its part, Bercy should publish in the first quarter the conclusions of its working group on cyber insurance, set up on June 30, 2021. During a hearing in the Senate on November 25, the deputy director in charge of insurance at the Directorate General of the Treasury, Lionel Corre, indicated that the action plan could combine legislation and industry-wide agreements. The work covers four areas: the content of guarantees; risk quantification; how to distribute the risk between companies, insurers, reinsurers, and the State; and mobilization of the ecosystem.

In particular, it will address the issues of older contracts that do not explicitly exclude cyber risk and are therefore vague, ransoms, the creation of a new cyber branch, and the management of systemic risk. Lionel Corre, who left his post on February 1 to join the Boston Consulting Group, which may delay the conclusions of the task force, did not want to give false hope to the sector. “We have not found a recipe to duplicate, including in the United States,” he declared before the senators.

