Date: 2021-09-29

Will the national gendarmerie become the epicenter of the fight against the cybercrime risks weighing on businesses in France? This Tuesday evening, at the military headquarters, its ComCyberGend division, active since August 2021, signed a partnership with the French Insurance Federation (FFA) and the National Federation of Unions of General Insurance Agents (Agéa) to fight against this exploding threat.

“With 7,000 cyber-gendarmes and 12,000 general agents closest to the field, this partnership will have an interesting strike force to provide information, disseminate preventive measures and explain to companies the barrier gestures in terms of cybersecurity”, underlines Pascal Chapelon, president of Agéa.

This agreement has two objectives: to raise awareness among companies, which are still too ill-equipped in the face of this threat, and to speed up the training of general agents on this “new” risk in order to allow the development of a cyber insurance market that is, for the time being, still emerging.

Yet according to AXA’s latest barometer of future risks, cyber risk is back in second place among concerns (first place in the United States), both for a panel of 3,500 experts and for public opinion (nearly 20,000 people questioned).

“It’s a fundamental trend. The confinement has accentuated the digitization of the economy, and therefore the cyber risk”, notes Frédéric de Courtois, Deputy CEO of AXA, on the occasion of the presentation of the barometer.

With regard to cyber risk, the insurance equation remains complicated to resolve, with a growing risk (which may even become systemic) and still largely insufficient coverage, given both a still-nascent business demand and a still-limited offer at acceptable prices. In fact, the cyber risk market is structurally in deficit and therefore in need of capacity.

“So demand has to increase for the supply to be sufficient. Or that the supply is sufficient to arouse demand … There is an urgent need to get out of this vicious circle”, summed up, for its part, the Association for Enterprise Risk and Insurance Management (AMRAE) in a study published in May 2021.

0.0026% of SMEs covered

The figures shed light on this reality: “Lethal cyber attacks remain the main risk” for companies, with a score of 4/5 for the probability of occurrence and 4.3/5 for the impact, notes the 2021 report from the French Insurance Federation (FFA).

In France, the National Gendarmerie opened 101,000 procedures in 2020 because of ransomware attacks (one of the components of cyberattacks), an increase of 21% in one year. In 2021, it anticipates more than 120,000 complaints. 46% of the victims are SMEs, 21% VSEs, 14% administrations, 9% large companies and 7% individuals.

However, faced with these threats, only 8% of the 5,762 French mid-sized companies (between 50 million and 1.5 billion euros in turnover) have taken out an insurance contract to cover themselves against this risk.

The finding is alarming for SMEs: only … 0.0026% (362 of 140,000 companies) are currently covered by a cyber guarantee. Only large groups have become aware of the danger: 87% of them have specific insurance.

On the insurer side, the results are hardly more encouraging: according to a study by Agéa, out of the twelve insurers with a network of general agents and active in business risks (P&C), only eight of them offer cyber products. Five networks of general agents have a solution of their own in the catalog and the other three networks offer a delegated solution.

A combined ratio that explodes

This tension in the market is reflected in the combined ratio (claims over premiums). While the premium volume increased by 49% in 2020 (to 130 million euros), the amount of compensation paid was multiplied by 3 (to 217 million euros in 2020), i.e. a combined ratio that rose from 84% in 2019 to 167% in 2020.

“Given the ratios, it will not be able to continue like this: either the contributions will increase, or the insurers will establish ceilings and reinforce the exclusions”, predicts a general agent of Axa France, who has taken out three contracts in his agency. “However, the need to protect companies is more than ever crucial”, explains Marc Bothorel, cybersecurity expert at CPME.

In fact, the cyber insurance market has all the characteristics of an emerging market, in particular a critical lack of data on coverage rates and claims. “Any new risk requires an acclimatization time. Insurers like to have a little perspective. This allows future pricing to be established. It is not a question of taking out a contract with premiums which, tomorrow, will be unsaleable. It is above all a matter of offering a premium that will balance the risks”, recognizes Pascal Chapelon, of Agéa.

As a result, premiums and deductibles increase and guarantees decrease. “The market must find its balance and it will find it. Insurers are ultimately better prepared for cyber risk than they were for pandemic risk”, reassures Frédéric de Courtois.

Strengthening of subscription conditions

Faced with faulty pooling and still limited data, insurers are looking for a viable economic model. “If the cyber risk is not strictly speaking non-modelable, it is difficult to quantify and model, not only because of this endogenous character but also, more fundamentally, because of the lack of data and its very evolutionary nature, which limits our ability to evaluate it prospectively from the sole observation of past claims”, Denis Kessler, chairman of the reinsurer Scor, told us.

For Marc Bothorel, “one of the important themes today is to define a rating common to insurance companies calibrating the insurability of customers. We have to create a common base”.

The latter also calls for a reassessment and strengthening of subscription conditions. “Today, some companies’ questionnaires are very light: we only ask if there is an antivirus, a firewall, a data storage system. Not to mention that some leaders are not acculturated to these digital issues. Reinforcing the real audit is an avenue to be explored”.

According to an internal document consulted by The gallery, only eight questions are asked by the insurer of a company with a turnover of less than 50 million euros, such as, for example, the one asking if “data backups are tested once a year or if connection to the information system is possible remotely”. The audit therefore appears to be very brief.

Prevention, a key condition

The key element, as in any insurance market, remains prevention and the behavior of companies in the face of cyber threats. This also refers to the actual training of insurers, especially distribution networks. “Better understanding the risks is already the beginning of the solution, to anticipate and control them”, summarizes Frédéric de Courtois.

This is the whole point of this partnership between experts from the gendarmerie, insurers and insurance distributors. As part of this agreement, insurers and gendarmes undertake to raise general agents’ awareness of cyber risk and thus enable them to better disseminate basic prevention advice to their clients, VSEs and SMEs. attacks.

“Prevention will always play an essential role in making it possible to offer insurance at acceptable prices”, insists Frédéric de Courtois, pointing out the impact of technical vehicle inspections on automobile insurance or that of fire-fighting systems.

Call for public-private partnerships

If the systemic nature of the cyber risk (general failure of several thousand companies) has not (yet) been observed to date, insurers take the threat seriously. Threats have already emerged, such as the computer attack against the operator of the Colonial Pipeline in the United States.

“We believe that it is possible that an attack could block everything and we do not yet know how to estimate such a risk”, Frédéric de Courtois says. But, specifies the leader of AXA, “in this hypothesis, the only solution is through a public-private partnership”, like what is done in France on natural disasters, “the best system in the world”.

The recent overhaul of the crop insurance system is also based on a public-private partnership, with state intervention when the risk reaches a level that could compromise the solvency of insurers. Hence the need not only to increase this type of partnership on systemic risks, but also “to imagine new methods of international cooperation”, adds Frédéric de Courtois.

The cyber ransom debate

It also remains to define the scope of contract coverage. The controversy over business interruption contracts during the pandemic is still remembered. The trend today is to “remove” cyber risk coverage from the general conditions of contracts in order to better define the risk, and therefore to better organize the cyber insurance market. It is also a growing demand from regulators.

Within the scope of coverage, there is the question of paying cyber ransoms, “a complex subject”, recognizes Frédéric de Courtois. Last May, the National Information Systems Security Agency (Anssi) accused certain insurers of encouraging cyber attacks by sometimes taking over the payment of ransoms. According to Agéa, in 2021, five insurance companies offered to pay the sums requested by hackers to unlock company data. Axa, which de facto offered this guarantee in its cyber contracts, backed down last May.

A contract signed in early 2021 with a major local insurer, which The gallery obtained, thus specifies the compensation conditions for a construction company with a turnover of 10 million. The contract, since amended, covers damages related to a cyber attack up to 750,000 euros (for an annual premium of 1,400 euros), with much more limited coverage in the event of ransom (375,000 euros).

For LREM deputy Valeria Faure-Muntian, “The payment of ransoms creates a call for air and encourages crime”. An opinion shared by Marc Bothorel of the CPME: “The companies that pay the ransoms appear as creditworthy by the hackers with a real risk of a new attack”.

Compulsory insurance?

A general agent comes back to the basics of the profession: “It is the victim that an insurer must compensate, and not the person who realizes the damage”. But the whole industry does not seem to be on the same page. “Suddenly saying ‘we don’t pay’ is not the right solution. I rather defend a stricter framework of the guarantee”, says Pascal Chapelon bluntly. “If we don’t do it, foreign companies will not hesitate to offer it to our French customers”, he adds.

According to several experts, given the systemic risk posed by cyber attacks on companies, subscribing to a contract could even become an obligation, including for very small businesses. An avenue that is reportedly being seriously studied by Bercy, which launched a consultation on cyber insurance led by the Treasury department. The subject is even on the table in the proposal for a European directive NIS 2, currently under discussion, which aims to strengthen the digital security of companies.

“It is irrelevant – for a question of cash flow or bandwidth – for very small businesses”, believes Marc Bothorel. “Let companies take care of themselves!”