A bright future for cyber insurance?
Although computer piracy is now becoming increasingly common in France, enterprises and individuals remain only moderately concerned about cyber risks. What is the future for insurance products designed to combat computer crime?
5 February 2016 is a date that will be long remembered by the IT manager of Hollywood Presbyterian Medical Center. For this was when the Los Angeles hospital suffered a massive cyber attack in the form of a malicious software program that contaminated the entire IT system. The hackers demanded a ransom of nearly $17,000 in exchange for providing a digital antidote. After around ten days of major malfunctions, the hospital decided to give in to the hackers' demands.
Enterprises are even less aware of the danger
Just a few years ago, this doomsday scenario of a "ransomware" attack was still the stuff of blockbuster science-fiction films. However, it has become a very unpleasant reality for many firms today. According to a study by Hartford Steam Boiler (a subsidiary of Munich Ré), 9 out of 10 American firms suffered at least one hacking incident in 2015! The survey also reveals a 21% rise in cyber attacks in relation to 2014.
In France, another study [1] revealed that only 17% of company directors consider themselves vulnerable to the risk of cyber crime. While this figure rises to 29% in companies with turnover exceeding one million euros, it drops to just 14% in companies making less than €200,000 in turnover. Nevertheless, 62% of them acknowledge that this type of risk will rise over the next two years.
[1] Ifop/PwC study "Le marché de la cyber-assurance: la Révolution commence maintenant" (The Cyber Insurance Market: the Revolution Starts Now), September 2015.
A difficult insurance model to define
During the Grand Insurance Forum held last May, several speakers concurred in their description of a developing market and shared observations of increasing customer demand. But the challenge is to design a product that must be heterogeneous and complex by nature, due to the diversity of risks and the costs at stake. The difficulty lies in evaluating all of the costs linked to acts of piracy or IT fraud for an enterprise. The cost of notifying people or enterprises about data loss (or fraud) alone can vary between €20 and €200 per data item. This sum rises fast when millions of data items are concerned!
The corporate cyber insurance market remains fairly small. These limitations relate to the nature of the risk itself. For a start, there is the level of technical sophistication: cyber attack techniques will always be one step ahead. Connected objects are increasingly common and technology is developing every day. The effects are difficult to quantify. Although the hardware component (IT systems) is known and therefore easy to insure, the scope of the intangible consequences is hard to define.
Another problem is that these risks cross national borders, and insurance policies must therefore cover entire industrial groups or service providers, regardless of where the loss occurs, which may involve several (or many) countries with different regulations. Actuaries also highlight the lack of information about the risk history, which limits knowledge of the frequency and severity of the risk. In short, this is a hot topic among insurers and reinsurers.
French individuals are moderately worried
According to the 2015 edition of the European Risk Observatory by Crédit Agricole Assurances on the main causes of concern in terms of insurance, risks relating to IT piracy (18% of responses) came in far behind those relating to health (66%), theft and assault (34%) or driving (40%). For British people, on the other hand, this type of risk was the third-biggest cause of concern (30% of responses).
When asked about this issue in further detail, secure access to bank accounts and payment methods, protection against identity theft and protection of personal data belonging to children and family members were the biggest concerns for French people. Nevertheless, only 44% had considered taking out cyber insurance [2].
[2] Ifop/PwC study "Le marché de la cyber-assurance: la Révolution commence maintenant", September 2015.