Faced with the resurgence of cyberattacks, more and more French companies are choosing to take out dedicated coverage. But in a market that is far from mature, the process is sometimes an obstacle course, except for very large groups.
More than one French company in two (54%) was the target of a cyberattack in 2021. This is the alarming finding of a recent report by the Directorate General of the Treasury devoted to the development of cyber risk insurance. Cyber risk is protean, intimately linked to the growing use of digital technologies, and can result both from human error within the targeted company and from an actual computer attack: malware, phishing attempts and ransomware are now fully part of the security concerns of companies, regardless of their size or sector of activity. This exponential increase in cyber risk, further fueled by the health crisis, the use of telework and the war in Ukraine, has paradoxically not resulted in a similar increase in the coverage of these specific risks: still according to the Treasury, cyber risk today represents only 3% of damage insurance premiums for professionals.
How can this disconnect be explained? It originates, first, in the difficulties that companies often have in grasping this particular risk, an observation that applies especially to French SMEs, of which only 0.0026% are currently covered against cyber risk, compared to 87% of large companies. Insurers are reluctant too: the volume of claims compensation tripled between 2019 and 2020, with a claims/premiums ratio of 167% against 84% the previous year. For insurers, the numbers do not add up, especially since a cyberattack often tends to “spill over”: not only is the computer system of the targeted company affected, but its reputation, its stock price or its market share can take a hit, as evidenced, for example, by the 250 million in losses suffered by Saint-Gobain following a cyberattack in 2017. All of these elements make cyber risk a special field of expertise, and cyber insurance a particularly complex model to industrialise.
Rapprochement between insurers and reinsurers, “in-house” cyber insurance, etc.: the avenues put forward
In fact, as MP Valeria Faure-Muntian pointed out in a report published in October, the French cyber insurance market still needs to be structured. In the meantime, several large groups have decided to take the plunge themselves by launching their own insurance company dedicated to cyber risk. Airbus, Michelin, Veolia, Sonepar and the German group BASF announced, at the end of September, their intention to pool their cyber risks within a new structure called Miris, which, they insist, is not intended to replace insurers but to secure their cover: “we do not want to replace insurers”, argues the Airbus representative, “but to collaborate by supplementing their available offer in a co-insurance approach”. The founding members of Miris each brought 5 million euros to the table, for a possible individual coverage of 25 million euros.
The initiative must, however, still receive the approval of the regulator before issuing its first policies, which its designers hope to do by the beginning of 2023. It testifies both to the feeling of urgency and to a certain nervousness on the part of economic players in the face of the wait-and-see attitude of an insurance world that is struggling – it’s a shame – to reassure. In the short term, however, the solution could come from moves towards rapprochement between French insurers and foreign reinsurers, focusing on internationalization to cover cross-border risks, which cyber risks often are. For example, the merger between the French mutual insurer Covéa (MAAF, GMF, MMA) and the Bermudian reinsurer PartnerRe, which is developing a capacity for global observation of these transnational risks, will enable the French leader in mutuals to rely on PartnerRe’s fine analysis of international risks to insure its own clients against cyberattacks.
Many outstanding questions
Many questions remain unanswered, however. One of them, though not the only one, concerns the scope of such cyber insurance: should it, for example, cover the payment of a possible ransom? Opinions diverge, both among insurers and within the political class: while ANSSI (National Agency for the Security of Information Systems) accuses insurers that pay ransoms of financing cybercrime, MP Valeria Faure-Muntian comes out squarely in favor of “prohibiting insurers from guaranteeing, covering or indemnifying the ransom”.
The same dilemma applies to the prospect of making cyber insurance compulsory: Valeria Faure-Muntian wants to require companies working with the State to take it out, while Amanda Maréchal, of the professional insurer QBE, believes that such a requirement would “disempower companies” in their efforts to protect themselves from attacks. In short, the debate is open and, in a sector still taking shape, is not close to being settled.