A parliamentary report wants to ban the payment of cyber-ransoms

    While cyber attacks could become a systemic economic risk, threatening companies and public institutions, the cyber insurance market in France is struggling to structure itself. The equation is indeed complicated to solve. As risk increases, coverage is still insufficient and business demand too weak to create a truly economically viable cyber insurance market.

    For the time being, in France, insurers are losing money on this risk. While the premium volume increased by 49% in 2020 (to € 130 million), the amount of compensation paid was multiplied by 3 (to € 217 million in 2020), i.e. a combined ratio that rose from 84% in 2019 to 167% in 2020. In itself, this is nothing to worry about for an emerging market. But we have to find the conditions for it to find its balance quickly.

    A common framework to better take into account the risks

    To get out of this vicious circle, the deputy Valéria Faure-Muntian (LREM), co-chair of the “Insurance” study group at the National Assembly, outlines, in a parliamentary report, recommendations to “lift the brakes on the development in France of a mature cyberinsurance market”. The objective has been defined: by structuring this insurance segment, the entire French digital ecosystem could become more robust thanks to better prevention.

    The first challenge is to clearly define the scope of contract coverage. The elected representative of the Loire thus advocates a common definition of cyber risk and cyber attack while the different insurance companies offer different terminologies.

    This improved readability also requires legislation on at least two sensitive points, which are debated among insurers themselves: the payment of ransomware ransoms and the coverage of administrative fines by insurers.

    For Valéria Faure-Muntian, the prohibition on insurers from guaranteeing, covering or indemnifying the ransom should be enshrined in law. In 2020, Anssi saw a 225% increase in reports of ransomware attacks compared to 2019. These attacks, which are one of the main threats to companies, consist of “locking up” the data of a company or an institution and demanding, to release the information, the payment of a ransom, usually in cryptocurrency.

    According to the Agea (national association of general agents), five French insurance companies agree to reimburse ransoms. The leader Axa, which offered this guarantee in its cyber contracts, nevertheless backed down last May. The ban defended by the deputy would aim to unify the risk framework across insurers.

    Coverage of administrative fines

    As for the risk linked to the payment of administrative fines, the elected representative defends the idea of coverage by insurers. Since the implementation of the GDPR – aimed at protecting consumers’ personal data – companies are exposed to fines of up to 20 million euros or up to 4% of the turnover of the company in the event of a breach of the rules.

    The administrative authority, the CNIL, could thus hold responsible an entity that has had its data stolen. However, for the deputy, human error or a company’s security breach remains insurable. And the deputy relies on an article of the insurance code: “the insured’s liability remains technically insurable when it arises either from an unintentional fault or from an intentional fault committed by another person for which the insured may be held responsible”.

    By clarifying the way risk is taken into account here too, insurance players could adapt their products to better cover the consequences for communities and businesses.

    Beyond French companies, the deputy also proposes to harmonize at European level the criteria for analyzing cyber-risks between insurers. An observation shared by the regulator in France, the ACPR. All this could lead to the creation of an insurance branch dedicated to cyber, proposes the elected representative.

    Strengthen prevention to limit risks

    Prevention is also a key element in the structuring of the market. The adage is well known in the world of insurance: without prevention, no insurance is possible. And the hearings carried out within the framework of this report show how many companies remain uninsurable, for lack of basic security and prevention measures. Awareness must also come from the business world.

    A study conducted by Dell Technologies in the spring of 2021 shows that nine in ten companies believe it is necessary to guard against cyber attacks, but one in three still does not use an antivirus. And the budgets allocated to these threats remain derisory: they do not exceed 1,000 euros per year for six out of ten companies.

    The parliamentary report therefore recommends to “make employees of small and medium-sized enterprises aware of cyber risks at least once a year” and to “create a cybersecurity prerequisite for communities, administrations and businesses”.

    Insurers are central pieces in pushing companies to protect themselves. “They play the role of a trusted third party vis-à-vis their policyholders and give them prevention tools to deal with the risks to which they are exposed”, estimates Guillaume Poupard, the general director of Anssi, quoted in the report. “They also have an incentive power that pushes their policyholders to adhere to good cybersecurity practices, or even to perform regular audits to assess their level of maturity.”

    The general agent is not a computer engineer

    But for this, the general agents present in the field must be trained in cyber issues. That is why the deputy proposes “to include knowledge of cyber-risk and the cyber insurance component in the training of distribution networks”.

    To grow the market, in fact, “the penetration rate will not improve without special training for agents in charge of distribution, whether they are employee networks, general agents or insurance brokers”, continues the deputy.

    But for several general agents contacted, it is not so simple. “Once we have asked the basic questions like the presence of a VPN or a remote data backup, what can we do? I am not a computer engineer. Cyber risk prevention is not our core business. It is an expert skill”, warns an Axa general agent.

    And the agent wonders: “The average age of general agents is high. However, you have to be comfortable with these technical and numerical questions to ask the right questions. In my opinion, there is a real generational problem”.

    Recover data

    Another obstacle mentioned in the report: improving the collection of information. It is a key element in the structuring of the market, as Denis Kessler, chairman of the reinsurer Scor, reminded us in our columns.

    “If the cyber risk is not strictly speaking non-modelable, it is difficult to quantify and model, not only because of this endogenous character but also, more fundamentally, because of the lack of data and its very evolutionary nature, which limits our ability to evaluate it prospectively from the sole observation of past claims”.

    To retrieve more information, reporting malicious acts is crucial. The deputy therefore proposes to “make the activation of insurance guarantees conditional on filing a complaint following a cyberattack”, but also to “promote the system to businesses and organizations” and to “create an anonymous collection of cyber attacks hitting businesses”.

    Indeed, many affected economic players do not communicate about these attacks, fearing a negative impact on their image or worrying their customers or suppliers.

    Make the market competitive

    Finally, the report believes that a French market will not really be able to emerge as long as insurance offers are still so concentrated in the hands of foreign players.

    “The recognized players in cyber insurance historically come mainly from the United States and Great Britain, such as AIG, CHUBB, AXIS, LibertyMutual, or The Hartford”, the report reads. Yet “a healthy market is an open and competitive market, it is these conditions that allow the favorable development of the offer for customers.”

    While global reinsurance capacities are declining, due to the increase in risks and their intensity (such as climate risk) which could cost insurers billions of euros, the capacities allocated by reinsurers to France and cyber risk are low, or even decreasing. The country and this insurance segment are not a priority for these “guarantors”.

    As a result, foreign players have easier access to these reinsurers and can therefore be more present on the French market.

    To make captive insurance in France more competitive, the Minister of the Economy, Bruno Le Maire, will soon table an amendment to the 2022 finance law in order to create a new tax system better suited to reinsurance captives in France. Enough to attract more financial capacity to support this emerging and strategic market for the defense of companies.