There is an urgent need to find a solution to the cyber insurance problem

Things are intensifying as the Risk Management and Business Insurance Association (Amrae) meeting in Deauville approaches from February 2nd to 4th. Corporate insurance policy renewals are even more stringent than they were a year ago, and while waiting for Bercy’s action plan on cyber risk insurance, the subject of risk coverage related to cyber attacks is between risk managers and insurance companies. Is the bone of the controversy.

Cyber ​​insurance no longer responds
According to a small survey conducted by Amrae in December on about 100 companies, including 70% of large accounts, the biggest difficulty in renewal is concentrated in cyber coverage (rising prices, new). Limitations, and even impure simple updates) 1er January. “Some insurance companies can’t answer the phone anymore …”Lamenting Philippe Cotelle, Director of Amrae, Co-Chair of Cyber ​​Committee, Risk Manager of Airbus Defense & Space.. Solution provider Beyond Trust was afraid in 2022 cybersecurity forecasts “Tsunami of cyber insurance cancellation”. Reliable prediction?

If you listen to Olivia Wilde, President of Amley, we’re not too far away. CIO-online than “Cyber ​​insurance market may not exist next year”, Description from “Contract that is virtually empty”..

Specifically, the situation is as follows: Insurance premiums will explode (more than double) In fields such as logistics and industry), The deduction amount will increase, the risk accepted by the insurance company will decrease, and the guarantee will decrease. Or it’s just that the offer is no longer offered. “The biggest problem is capacity. Faced with long-term risk, our financial exposure to cyber risk is constantly increasing, and the market offers a short-term response that changes year by year and even“ monthly ”. To do.Philippe Cotelle explains.

How did we get here?
There are several causes for capacity issues, the insurer’s greatest financial commitment. On the one hand, the inadequate technical consequences of branching. The amount of claim compensation is In 2019 and 2020, the premium / premium ratio was 167%, up from 84% in the previous year. In other words, cyber was not profitable for insurance companies that paid more than the premiums collected. According to Amrae, this inflation is due to four very large claims declared by large corporations (10 to 40 million euros each), representing only 1% of the claims covered in 2020.

On the other hand, very few companies are insured, so there are not enough customers to pool the risk. According to Amrae, 87% of large companies (with sales of over € 1.5 billion) were covered in 2020, while 8% of ETIs and 0.0026% of SMEs had sales of € 10 million to € 15 million. Was between (underestimated numbers for the sample, but still ridiculous), and 1% of municipalities with more than 5,000 inhabitants. According to France Assureurs, in 2020 this is equivalent to a premium of € 135 million. That is only 0.225% of all non-life insurance premiums.

This creates a virtuous circle. “The loss rate is high and scares the insurer. It’s easy to play with deductions to address frequency issues. On the other hand, for strength issues, capacity per risk is reduced and vice versa. It will be effective. “”.. The offer isn’t attractive enough, so it has fewer customers, less pools, less capacity … it’s a cat biting its tail.

Double paradox
Insurers and reinsurers are even more cautious due to their lack of control over this risk these days and the lack of data compared to other insurers. This is why the French guarantor (formerly the French Insurance Federation) favors development areas such as prevention, data sharing and regulatory ambiguity, especially with regard to ransom refunds. Axa and Generali have already shown that they no longer support ransom payments. Ransom payments are not strongly recommended, but are not prohibited by law.

In summary, getting insurance is getting harder and harder, but companies haven’t needed much insurance in the past. And the market is experiencing a double paradox. Supply shortages from large companies and low demand from ETIs, SMEs and local governments. According to Stéphane Blanc, president of Antemeta, a cloud and security solution provider. However, 60% of SMEs victims of cyberattacks will be out of business within 18 months.

What is the solution?
For large companies, one solution is to set up a captive insurance company, a type of investment trust within the group, regulated like an insurance company. An amendment to the law, which should facilitate the creation of prisoners of war, was expected this year, but has been postponed. We are also investing heavily in cybersecurity. “”The information needed to convince an insurer is becoming more complex and highly technical. The level of those requirements has reached a threshold not found in the guarantees provided, given the answer. These questionnaires also raise questions about security and confidentiality. Why do you work so hard for so low coverage? Want to reinvest all or part of these bonuses in cybersecurity? “, Ask Philip Cotel. On average, large companies are covered by a € 38 million guarantee, according to Amrae.

SMEs don’t have much money to invest and find it difficult to organize security solutions. Amrae has worked with Anssi and to make a proposal to create a repository of comparable and labeled offers. “The state must be the coordinator to guide the company to the cheapest and most efficient way, thereby insuring the company.”.. It also suggests that brokers are placing more emphasis on crisis management support service packages in their cyber insurance offers. Marc Bohorel, the referent of CPME’s cybersecurity, proposes to establish tax credits for hardware and software equipment such as: Check FranceNum This helps VSE digitize itself.

Bercy to rescue
Bercy needs to publish the conclusions of the Working Group on Cyber ​​Insurance, which was established on June 30, 2021, in the first quarter. At a Senate hearing on November 25, Lionel Corre, Deputy Director of Insurance, Deputy Director of Finance, said the action plan could combine law and location agreements. The work covers four areas. Warranty details. Risk quantification; how risk is distributed among companies, insurers, reinsurers, and states. Ecosystem mobilization.

In particular, it does not explicitly eliminate cyber risk and therefore addresses the issues of ambiguous ransoms, the creation of new cyber branches, and old contracts for managing systemic risk. Lionel Colle who left his post in 1er February, when I joined the Boston Consulting Group, which could delay the Task Force’s conclusions, didn’t want to give the sector false hopes. “No recipes were found to duplicate, including the United States.”He declared in front of the Senator.