Given the excitement around insurance in the cyber ecosystem, we decided to devote an article. It is clear that the scope of risks is increasing, so more and more companies will have to insure themselves, and the cyber insurance market will therefore be the object of a significant growth.
We will review some of these evolutions, marked by a decrease in the scope of risk coverage, an increase in rates and the lack of enthusiasm of the insured. We will then discuss the challenges.
Definition and observation
It is always important to clarify the vocabulary used, so let’s start with a definition of the term cyber insurance.
Cyber insurance is an insurance contract dedicated to computer risks.
It covers the financial risks due to the damage caused by a cyber-attack and provides legal and technical assistance.
According to the Anozr Way report, insurers are themselves victims of cyberattackers, accounting for 20% of ransomware in 2021, it is the most affected sector in France. Cybercriminals targeting rebound attacks, but we will see this in more detail in a future dedicated article.
What does the law say?
Paying for ransomware is not illegal in France, but all nations agree that in case of ransomware, it is strongly advised against paying. Payment would encourage hackers to continue their theft, and it does not ensure the recovery of lost data. On the other hand, companies affected by an attack have every interest in filing a complaint, thus reinforcing their resilience strategy (providing telemetry, knowledge of the attacker’s methodology, help in setting up remediation measures).
The similarities between nations end there, since depending on the country, and we will see specifically the case of France and the United States, the law differs in terms of cyber insurance and sanctions.
« One in six companies experienced an incident in 2020 in France, 65% paid the ransom. »
In France the cyber insurance market remains unstructured. There is no specific sanction or law in case of ransom payment. The report by the French Commission Supérieure du Numérique et des Postes (CSNP) reveals that France remains the country that pays the most ransom and is also the most targeted country within the European Union with 5% of global cyber-attacks.
Valéria Faure-Muntian’s parliamentary report, presented in October 2021, recommends:
- to define cyber risks
- harmonize definitions
- to implement a law prohibiting the payment of ransoms
- insurers not to cover or compensate for ransomware and to file a complaint in case of an attack.
This same report also addresses the assumption of administrative penalties by insurance companies (e.g., failure to respect personal data protection or regulatory compliance).
Only the OIVs (Operators of Vital Importance) have regulatory obligations in terms of detection, risk management, incident notification and audit. If all these obligations are not respected, these organizations risk sanctions.
Finally, cyber insurance is not mandatory currently.
The new European regulation adopted on data protection imposes more extensive security and total transparency, which requires individual notification to all customers included in the files concerned. This is in addition to the already stretched budget. In addition to the RGPD regulation, there is the NIS (Network and Information System Security) directive. It was adopted on July 6, 2016 and is applied equally in each country of the European Union. This directive a common security level to all member countries. It concerns, security governance, protection and defense of networks and IS, as well as business resilience.
In the United States
The cyber insurance market was born 20 years ago in the United States, while it is still in its infancy in France.
In the United States, the law is clear and strict, the OFAC (Office of Foreign Assets Control) sanctions, via civil indemnities, all the organizations that would help companies in the payment of ransoms, is understood in these organizations: insurance companies or financial institutions.
The 2022 Cyber Incident Reporting for Critical Infrastructure Act requires mandatory reporting of cyber incidents within 72 hours, within 24 hours of payment
16 critical infrastructure sectors are affected including assets, systems and networks considered critical to the United States.
The bill includes several provisions related to ransomware, and protection mechanisms.
Cyber insurance in crisis?
Evolution of insurance policies
While threat actors vary their attack methods, the risks continue to increase, as does the scope of the attack. This observation forces insurers to evolve their contracts. They are not hesitating to add cyber exclusions that limit their exposure to cyber risks, particularly ransomware. Indeed, some companies are starting to withdraw from cyber coverage. This is the case of Axa France, in May 2021, which decided to no longer cover ransomware paid by companies. Generali followed suit in February 2022. Others, such as Lloyd’s of London, have indicated that they will no longer cover cyber-attacks between nation states.
Let’s add that companies can turn against their insurers: this is the case of Merck & Co, which following the NotPetya attack in 2017, lost more than 1.4 Billion dollars. The multinational pharmaceutical company sued its insurers who refused to cover the impacts of this attack and won the case.
This kind of event makes insurers more hesitant. The effects of this reluctance are undeniable and are reflected in the guarantees.
The level of guarantees is not sufficiently satisfactory in the eyes of companies. The youth of the market means that there is a lack of longitudinal studies on the risk. This does not encourage cyber insurers to position themselves in this sector, and when they do, the level of requirement in terms of risk protection is very high. This same level of requirement is demanded from third party companies, in order to protect the entire supply chain. Thus, equipment configuration, multi-factor identification, backups, etc. have become mandatory.
Finally, the subscription (or renewal) procedure has become more cumbersome and must be anticipated, adding to an already strained budget. Recently, cyber-rating tools have been put in place for small and medium-sized companies with a turnover of less than 50 million euros. These companies will have to install an antivirus, an antimalware and a firewall, and apply a strict policy of patching and updates as well as backups at least every week.
Until now, businesses didn’t know what their insurance covered until they were faced with a cyber incident. Policyholders will now be more vigilant about the content of their policy, as they feel they are paying more to get little or no coverage. They see their premiums and deductibles increase without having the assurance of being well protected. The same is true for insurers who do not find themselves in a position to make their offer profitable. According to a survey conducted in December 2021 by Amrae, the loss ratio is 167% in 2020 against 84% in 2019.
This results in a market that is not very competitive, which does not favor lower prices. The forecasts are not optimistic, since according to a report by Cybersecurity Ventures, ransomware will cost more than 265 billion dollars per year by 2031.
Lack of enthusiasm among the insured
Large companies are more likely to insure themselves than small ones. According to the Amrae report, 87% of large companies were covered, only 8% of small and medium-sized companies, 0.0026% of SMEs and 1% of municipalities with more than 5,000 inhabitants. Not all organizations are able to insure themselves due to the increase in contract costs or cyber requirements. Smaller organizations that are not specialized in cyber security may have difficulty proving the effectiveness of their systems. They will have to outsource and that will incur additional costs they can’t afford. Insurance becomes a luxury.
The level of maturity in terms of security is very disparate from one structure to another. Cyber insurance offers are starting to adapt to the different structures, but this is still on the fringe. Once again, we are faced with a lack of supply and a weak demand. Nevertheless, some French nuggets are emerging and placing themselves on this market by offering cyber risk coverage for SMEs. This is the case of our partner Stoik which allows the largest number of SMEs to associate their cyber insurance with the highest level of cyber security. Thanks to its internal tools, Stoik helps to monitor risk exposure continuously.
In Germany, the average total cost of cyber damage amounts to 18,712 euros, which puts the country in first place in the international comparison (15,255 euros on average). As a result, investments in cybersecurity continue to rise: cyber insurance is becoming a prime protective measure. As a reminder, the share devoted to cybersecurity reaches a quarter of the total IT budget (24%).
Why buy cyber insurance?
Subscribing to a cyber insurance policy obliges companies to have a robust security policy, to perform regular audits, to have a clear and frequently updated risk map.
This vigilance allows them to protect themselves against certain vulnerabilities, but also to understand the level of maturity of their security policy (PSSI). They will have to implement corrective measures, formalized by procedures, and of course justify awareness campaigns with their staff.
These insurances encourage the implementation of prior measures, certifications: ISO standards, or SecNumCloud. Insurance companies will condition their compensation according to the measures taken by the insured, so a non-certified company will have to pay a more expensive insurance policy.
Insurance policies cover risks such as
- loss of personal data
- protection of intellectual property
- security incident
- the misappropriation of connected objects
- the costs of reconstituting destroyed data
- costs related to requests for expertise
- the company’s brand image
- claims from third parties
Note that not all insurances are equal, some do not cover the risks mentioned above, sometimes difficult to measure.
Finally, they do not only cover the technical aspect. Like the protection they provide in terms of guarantees in case of infringement of the RGPD rules, and the personal data of customers; they also provide assistance and advice in case of crisis.
Spain is one of the leading countries in this field; in fact, eighty-three percent of Spanish companies already use cyber insurance policies to help them recover from a ransomware attack.
What are the solutions?
We have no doubt that cyber insurance will evolve along with the threat in the years to come.
Among the solutions that could be put forward:
- Pooling risks within an organization by capitalizing to cover the risk.
- Helping with digitization for very small businesses
- Encourage reinvestment in security
- Clarify the contents of cyber coverage to facilitate the possibility to compare insurance offers and to subscribe to them. This will strengthen the trust that has been lost recently between policyholders and insurers.
- Define a European legislation for cyber insurance.
- To propose hybrid offers, to meet the needs of the market.
- Set up state aid through research tax credits to encourage investment in security and prevention.
- Encourage collaboration between the private and public sectors to pool their skills.
- Make cyber insurance mandatory. Of course, this solution is debated.
The insurer will have to master the extent of the threat and the risks. This work must be done in close collaboration with the companies.
Cyber insurance agencies require their clients to take responsibility and protect their own network, by reinforcing their security with effective prevention tools. A good cyber strategy relies on investing in protection tools. Companies should focus on using a holistic approach as is the case with TEHTRIS’ XDR technology, which detects threats across all systems, networks, and the cloud in a hyper-automated way. It blocks and neutralizes cybersecurity attacks in real time. Through its various modules, automation, and cyber threat knowledge base, it identifies suspicious behavior, malicious programs or IPs.
If you’re interested in exploring how TEHTRIS can help protect your organization from all kinds of malicious actors and save you from having to report claims to your insurer, contact us.