How can we progress on cyber insurance?
October is traditionally the European Cybersecurity Month, an event that might have gone unnoticed if this had not become such a prominent issue for businesses recently. Over the last year alone, there is said to have been a fourfold increase in the number of attacks! This emerging risk is particularly alarming to the authorities, which have urged the French digital ecosystem to properly organise and protect itself.
What are the dangers facing companies and public institutions?
The most common type of attack reported by companies is ransomware. This is a type of malicious software that is introduced into an organisation's computer system and encrypts all the information it contains. The company's data is taken hostage and the victim has to pay the hacker a ransom to unlock the files.
Hackers may also seek to engage in espionage, steal data or hijack a computer process with the aim of monetising the information it contains. The larger and more important the target, the more flaws there are likely to be to exploit and the more valuable the information. So it is high time we did something about it...
Is cyber insurance a viable solution?
In France, insurers have realised the importance of this threat and some of them are already offering their customers protection solutions. At Crédit Agricole Assurances, cyber protection insurance covers four clearly defined areas:
• crisis management assistance in the event of a cyber attack (IT experts, lawyers, etc.),
• compensation for losses incurred by the company (cost of notifying the data protection agency (CNIL), cyber fraud, etc.),
• civil liability in case of damage caused to a third party (damages, defence costs, etc.),
• and business interruption coverage in the event of a loss of gross margin following a cyber attack (optional cover).
But the realities of the French market are more complicated than that. In 2020, premiums paid to insurers amounted to €130 M (up 47% in one year), but the overall total paid out to victims was estimated at €217 M (up 300% in one year). With a loss ratio of 167%, insurers are losing money on cyber insurance, according to a survey conducted by AMRAE (Association for Risk Management and Corporate Insurance) (Etats du Marché & Perspectives 2022).
At the same time, the percentage of SME/SMIs insured remains very low, despite the massive increase in the risks to be covered. It is therefore important to raise awareness of these risks and to improve their prevention.
Healthcare professionals are also increasingly aware of the challenges of protecting their patients' health data. For this reason, a "Cyber-risk" guarantee has been integrated into the Professional Multirisk offer of our company La Médicale since 2017.
The public authorities are calling for cooperation between the actors in cyber insurance
The authorities have been working with the ACPR (Prudential Supervision and Resolution Authority) to re-establish a balance in the sector for the long term. The National Assembly has therefore just published the report on a study led by the Member of the French Parliament Valéria Faure-Muntian, which sets out some ways of improving the resilience of insurance in response to cyber risks.
This report contains around twenty proposals divided into three pillars: guaranteeing the legal framework, reinforcing the ecosystem and boosting the insurance offering.
The most notable proposals include:
• The idea of banning the payment of ransoms by companies, or at least providing a strict framework for their payment.
• Training judges, prosecutors, police and gendarmes in cyber risks.
• Annual awareness-raising measures for employees and the conduct of audits aided by public funding.
• National harmonisation of the criteria for assessing cyber risks agreed by insurers.
These measures are intended to stem the flow of income to hackers from cyber attacks by laying the foundations for cooperation between all actors in the sector at national and then European level.
To strengthen the ecosystem, the report recommends closer cooperation between the insurers involved in the cyber insurance segment and companies specialising in cybersecurity. Insurers are also described as a pivot between the public and private bodies involved, playing a key role in prevention, acculturation and awareness-raising.