Risk Manager Profile: Philippe Cotelle – The rise of the cyber man

Philippe Cotelle, Amrae board member and vice president of Ferma, talked to Adrian Ladbury about how his career has evolved and the critical role that risk and insurance management now plays in the modern economy, particularly in the face of the fast-rising cyber threat. For many, particularly smaller firms, the cyber risk appears to be unmanageable. But Cotelle is working hard to share experience and knowledge about how to manage and transfer this risk more effectively and secure real resilience.

Like many risk and insurance managers, Cotelle started his professional life as an engineer, in his case in the space sector, starting out at Airbus in its satellite business in the mid-1990s.

This was an exciting time for those working in this sector as the business was literally taking off. But by the end of the decade the number of launches was tailing off and there were plenty of experienced engineers around, so the ambitious young Cotelle looked for a new challenge.

This came at French reinsurance giant Scor, one of the leading space reinsurers at the time. “Like most young people I was impatient and when the senior underwriter called – an ex-Airbus colleague who went to the same engineering school as me – I was interested. I had no idea about reinsurance, but I went for it,” said Cotelle.

This was quite a dramatic period for the satellite insurance sector, not least because the six most expensive satellites insured at the time were declared a total loss due to a generic technical issue. “This was the biggest-ever loss, costing $1.8bn, equal to the total market premium at the time,” explained Cotelle.

Being thrown in at the deep end at such a fluid time for the space and satellite insurance market provided a steep and invaluable learning curve for Cotelle.

When Airbus won a major contract from the UK government to build its satellites, he was invited back to help manage the group’s fast-evolving risk and insurance requirements.

This was when Cotelle really delved into the world of cyber risk, which he quickly saw as a critical and rapidly evolving field and which has become his area of expertise.

Adding SPICE to the mix

He threw himself into the new area and in 2016 developed SPICE (Scenario Planning for Identification of Cyber Exposure), through which he and colleagues developed risk and exposure scenarios for different levels of cyberattacks and then analysed in detail what that would mean for their business.

The scenarios ranged from an attack that stops a business ordering from its supplier to disrupting customer billing or even a total shutdown. Cotelle and his team then analysed the wider enterprise-wide effects of these scenarios in financial terms.

Senior management at Airbus was happy with this ground-breaking and pragmatic approach because it enabled them to identify the most sensitive aspects of the business.

SPICE also critically helped quantify the return on investment from the cyber insurance budget. As a result of this work, Cotelle implemented the first global dedicated cyber insurance programme for Airbus group and all its 150 subsidiaries worldwide.

This work also emphasised the wider fundamental mismatch between cyber insurance demand and supply, the immaturity of the market and the lack of transparency.

Back in 2016, the cyber insurance market was still very soft and growing fast, while the coverage being bought was very unclear. There was confusion over whether so-called ‘silent cyber’ coverage was included within broader liability and property lines.

The absence of transparent communication and consistent data sharing among carriers and customers was a real problem, which inevitably led to serious contract uncertainty and the push to remove silent cyber during the subsequent hardening market.

Cotelle saw the coming crisis within the cyber insurance market and, in response, led the development of LUCY (Lights Upon Cyber Insurance) at Amrae.

LUCY asked insurers to provide cyber exposure data from across their portfolios on an anonymous basis. A report was created showing premiums and claims in the French cyber market by size of company and potential problems facing the market.

The findings of the LUCY project were quite dramatic, showing, for example, that in 2020 four claims alone were enough to wipe out the entire market premium.

As vice president of Ferma, Cotelle decided to apply the methodology across more European countries and is now working on plans to support the cyber insurance market development globally.

The rise of the cyber threat is another reason why risk and insurance managers in France and across Europe have taken a more central and strategic role within their corporations in recent times.

Clearly this threat, along with other core systemic risks such as those related to natural catastrophes and pandemics, cannot be tackled on a silo basis. Such risks need a properly joined-up approach on an enterprise-wide basis, with risk and insurance management at the heart of the effort.

Enterprise risk management (ERM) is carried out by a different department at Airbus, but ERM and insurance teams work very closely together, particularly on cyber, which is seen as a risk management matter first and insurance second. “This is more about the identification and management of the risk, and we are really collaborating in the cyber area,” explained Cotelle.

Cyber standards for the masses

Much of Cotelle’s work to date has been on trying to improve cyber risk management and transfer at larger corporations. But there is perhaps an even greater need for transparency, clarity and standardisation in this area for SMEs. They are really struggling to rise up to the cyber threat and secure adequate insurance coverage.

This is why it was positive news that Amrae has been invited by the DG Trésor (the French Treasury), which reports to the Ministry of Finance, to join a working group to try to devise a set of common cyber security standards for SMEs.

Cotelle was part of an initiative led by the French Treasury last winter to explore how to develop cyber insurance offerings to help improve the resilience of the French economy.

He believes that a common set of cyber standards led by the government would be extremely positive.

Cotelle said that government-authorised and managed standards would coordinate enterprises of all sizes to properly assess their cyber exposure and preparedness, improve their defences and, critically, help them secure adequate insurance coverage.

He firmly believes that a combination of a lack of awareness on the part of smaller companies and lack of transparency in the market is a problem.

Any effort on the part of the public authorities to bring greater clarity and consistency, ideally through a set of nationally recognised cyber standards, would be a big step forward, he said.

“Many smaller firms are finding it difficult to secure cyber insurance, and if there were recognised cyber standards then they would not be in this position,” said Cotelle.

The Amrae board member said the last study carried out by the French Ministry of Finance found something needs to be done to address the problem, especially with smaller firms that form the backbone of the French economy.

Cotelle said that, first of all, cyber awareness still has to be dramatically improved within the wider French economy. “There is still a belief within smaller firms that they are too small to be targeted and it’s not a major issue. This needs to change,” he said.

Second, the recent dramatic rise in specialist cyber defence services and software products is not really helping, he added.

“If I attend one of the big cyber conferences in France, there will be hundreds of stands of people with a host of different technical solutions. If I was the CEO of an SME, I would be very challenged to work out which I needed and would probably conclude that I needed none of them!” explained Cotelle.

For this reason, a common set of standards that is easy for smaller firms to understand and apply to their business is badly needed.

“There need to be pragmatic security standards that are designed for different-sized firms in different sectors. If, over time, a technical assessment of all firms could be designed, that would be a big help. Firms could use this to work out how they need to invest to get up to scratch and then this could be used to have more fruitful discussions with insurers that could then provide the coverage,” said Cotelle.

“I know the insurers are talking of the threat of systemic cyber risk and the need for public-private partnerships and guarantees. But I think the priority should be on the risk management of companies. When you build a house, you don’t start with the roof!” said Cotelle.

The French risk and insurance management community is lucky to have an individual like Cotelle who is so enthusiastic about this critical topic, willing to share his expertise and drive projects such as LUCY and hopefully wider European efforts forwards.

Cotelle and his colleagues at Amrae are focused on working with each other and government, sharing their knowledge and expertise with the SMEs that need it the most. This is a positive trend and needs to be supported as fully as possible by the wider European risk and insurance management community.
