Concern grows that cyber won’t remain insurable risk
Cyber remains the big risk that keeps French risk and insurance managers awake at night. They are concerned about its impact on their business and the role that insurance will, or will not, play in helping them mitigate its effect.
This is the key message from a recent survey of French risk managers, conducted by local risk management association Amrae.
Speaking as part of the Risk Frontiers Europe 2022 survey, Oliver Wild, president of Amrae, told Commercial Risk Europe that it is becoming increasingly difficult to insure cyber risk, with very little appetite in the insurance market.
“If you look at the history of cyber insurance, six or seven years ago, everyone wanted to sell you a policy with very little analysis of the exposures and what the risk really was about. Since then, there have been a number of large claims and now a number of carriers don’t want to insure cyber at all. Overall, there is significantly reduced capacity in the insurance market now,” he said.
An Amrae survey earlier this year found that 70% of association members see cyber as a big risk that keeps them awake at night, far ahead of regulatory and compliance risks in second place on 53%.
At that time, only 4% of respondents said they were in charge of managing cyber risks, while 79% were involved with its mitigation. Just 6% said they were responsible for managing GDPR risks, while 41% provided support to those who are in charge.
Wild said the picture has not changed much in the intervening months. When it comes to insurance, he said five years ago he could buy quite large cyber capacity cheaply. Now, the price has increased three-fold and capacity has been halved, with significant exclusions and sub-limits introduced.
One of those is around ransomware. Back in August, Amrae welcomed a bill that will explicitly legalise ransomware payments by insurers in France as long as insureds have filed an official complaint about the incident.
The move looks set to make it more difficult for insurers in France to justify refusing to pay ransoms after some, including the biggest French insurer AXA, ruled out payments on grounds that they fuel criminal activity.
Payment of ransomware is not forbidden in France but insurers feared that they may end up in trouble for doing so. AXA was one of those. But the report from France’s Ministry of Economy concluded that victims of ransomware attacks, as well as their insurers, should be allowed to pay ransom demands as long they file a complaint to authorities about the attack.
The goal of the bill is to boost transparency and better understand cyber risks, so that the insurance market can work on modelling and take steps to boost risk prevention among clients.
Another proposal in the report is broader exchange of information between the public and private sectors about cyber losses. Data around cyber and the true value of losses is needed, agreed Wild.
He said Amrae research during the past few years has shown insurers need to cover a wider range of risks, including SMEs, rather than concentrating on the largest corporates, for the cyber market to function better.
Market contraction
However, with prices going up and cover reduced things have actually gone into reverse.
“In 2022, we find that the market has actually contracted, which means there is insufficient premium income to cover even a small number of claims. The market is obviously not sustainable like that. Some carriers have actually paid out the premium of the past five years in just one year,” said Wild.
The French ministry’s report flags statistics by a government agency that show cyberattacks increased by 155% in France between 2019 and 2020. In the following year, the number jumped another 101%. Anssi, the French cybersecurity agency, estimates that 54% of all French companies suffered some kind of cyberattack last year.
In spite of that alarming jump in risk, Wild said risk managers at some of the larger French corporates are saying their company might walk away from the insurance market if it cannot step up to the plate on cyber.
He added that part of the reason is cyber risk management has improved among large French firms.
“What has changed for the large corporates is that there has been significant investment in cybersecurity in terms of resources and strategy. A lot more is being spent on detection. Corporates know these attacks will happen and that you will never build a wall high enough, as the cybercriminals will always be able to climb higher. But what you can do is detect the problem much more quickly and then deal with it. Having the capacity to react is key,” said Wild.