Q: Who is affected by cyber risk?
Laetitia Fouquet (LF): Cyber risk is, of course, linked with our increasing digitalisation. It impacts not just technology itself but also the whole business and supply chain. And it has the potential, in certain circumstances, to become systemic.
Historically, the focus has been on cyber risk to financial and professional services, both of which handle a lot of valuable data. But not all attacks relate to stealing and leveraging access to data. Stopping a manufacturer, for example, may be more lucrative to cyber criminals. Today, ransom demands have increased and appear to be increasingly tailored to the impact of an attack on the victim. In short, all sectors need to be prepared for attacks, which may sometimes be focused or supported by national entities.
Daphne Naudy (DN): In context, it’s imperative to start a dialogue between insureds and insurers. It’s also important for all sectors to overcome any reluctance to share lessons about their own exposure and how best to respond to and mitigate losses.
Q: What are the different types of cyber incidents and what tools are needed to understand them?
DN: Gathering multi-sector data on types of attacks, losses and reactions will be pivotal to understanding cyber trends and risks, and in driving preparedness for insurers and insureds. In Europe, the LUCY (Light Upon Cyber Insurance) database has been set up to trace premium and cyber claims and has enabled the Cyber Commission to compare incidents in Italy, Belgium and France, which all saw increased loss ratios and cyber premiums in 2020.
Data collected by the Cyber Commission also shows that cyber attacks are not necessarily linked to poor IT system maintenance, but that cyber criminals are increasingly sophisticated. Incidents can be caused by hacking, system infiltration or malicious insiders (50%); fraudulent instructions (18%); supply chain (15%); unintended disclosure (9%); card fraud (5%); and physical devices (3%).
Ransomware, a malicious software designed to encrypt data or systems until a ransom is paid, is one of the most prolific types of attack, with an incident every 11 seconds in 2021.
Last year, a global decrease in cyber claims was frequently reported, largely attributable to better risk awareness and impact of serious attacks, and a probable reduction of available insurance coverage, for instance in terms of imposed limits, increased deductibles or more restrictive terms and exclusions.
Q: What are European trends in cyber risk, loss and coverage?
DN: In Italy, there has been an increased uptake of cyber insurance and the country’s loss ratio has decreased from 80% in 2020 to 23% in 2021, despite a rise in cyber claim notifications. Belgium, where the market is led by SMEs, has seen a rise in cyber policy subscriptions and premium levels, while its 2020-2021 cyber claim frequency remained stable.
Meanwhile, 2021 saw 11 large corporations in France not renewing cyber policies and turning to other self-insuring options. SMEs, at the heart of the French economy, have seen an increase in cyber programmes and claims, and a lack of cyber insurance capacity. Today, most SMEs still don’t take cyber risk seriously and perceive that cyber coverage may not fully meet their needs, but they need to work with key stakeholders to prepare for risks. Many sell risk exposures to insurers without collaborating to take full advantage of insurers’ knowledge and of what cyber cover can offer them.
Europe’s cybersecurity regulation lags behind the US, so it’s important to develop standards that apply to insurers’ policy purchase requirements, as well as to the whole supply chain.
Q: What is the role of a loss-adjusting company like Charles Taylor in this context?
LF: Our cyber team has been involved in global cyber claims since 2014 and has a wealth of knowledge on emerging threats, geographical trends and vulnerabilities. We’ve assisted in cross-border data breaches and other major events, as well as claims involving supply chain attacks (such as Kaseya). We work with all lines of business, from the SME market to large corporates.
The outcome of a cyber attack will depend on its severity and the strength of any response. Repercussions can include anything from limited IT costs to major service interruption, issues with suppliers and clients, loss of revenue and third-party claims. Appointing a specialist adjuster makes a huge difference to the way in which a cyber incident is managed, on its outcome, and to any financial and reputational exposure.