Is this the end of insurance contracts that cover companies against cyberattacks? The market is in bad shape. Insurers are losing money and businesses are finding it increasingly difficult to insure themselves.
Things are heating up with the approach of the meetings of the Association for the management of risks and business insurance (Amrae), which take place from February 2 to 4 in Deauville. While renewals of insurance contracts for companies are even tighter than a year ago, and while waiting for Bercy's action plan on cyber risk insurance, the subject of coverage of risks related to cyberattacks is a bone of contention between risk managers and insurers.
Cyber insurance no longer responds
A small survey carried out in December by Amrae among around a hundred companies, including 70% of large accounts, indicates that it is on cyber coverage that the greatest difficulties of renewal are concentrated (price increases, new limits , or even no pure and simple renewal) on 1 January. "Some insurers don't even answer the phone anymore...", laments Philippe Cotelle, administrator of Amrae, co-chairman of its cyber commission, and risk manager of Airbus Defense & Space. In its 2022 forecast for cybersecurity, the publisher of solutions BeyondTrust feared "a tsunami of cancellations of cyber insurance". A credible prediction?
We are not far from it, if we listen to Oliver Wild, the president of Amrae, who declares in CIO-Online that "the cyberinsurance market will perhaps no longer exist next year", describing "empty contracts of their substance".
Concretely, the situation looks like this: premiums are exploding (more than double in sectors such as logistics and industry), deductibles are increasing, the risks accepted by insurers are reduced, and guarantees are decreasing. Or, the offer is simply no longer offered. "The number one problem is capacity. Faced with a long-term risk, financial exposure to cyber risk is constantly growing, the market provides a short-term response, which varies by one year or even two. month to month", explains Philippe Cotelle.
How did we get here ?
The capacity problem, ie the insurer's maximum financial commitment, has several causes. On the one hand, the poor technical results of the branch. The volume of claims compensation has tripled between 2019 and 2020, bringing the claims/premiums ratio to 167% against 84% a year earlier. In other words, cyber has not been profitable for insurers, who have reimbursed more than the premiums collected. According to Amrae, this inflation is due to four very large claims (10 to 40 million euros each) declared by large companies, representing only 1% of claims compensated in 2020.
On the other hand, there are not enough customers to pool the risk, because very few companies are insured. In 2020 according to Amrae, 87% of large companies (>1.5 billion euros in turnover) were covered, but only 8% of ETIs, 0.0026% of SMEs between 10 and 15 million euros of turnover (an underestimated figure because of the sample, but nevertheless ridiculous), and 1% of municipalities with more than 5000 inhabitants. In 2020, this represented 135 million euros in premiums according to France Assureurs, i.e. only 0.225% of all non-life insurance premiums.
This creates a vicious circle. "The loss experience increases in amounts, which scares insurers. To respond to a problem of frequency, they can easily play on the deductible. On the other hand, for a problem of intensity, they reduce the capacity per risk, which is counter productive". The offer is not attractive enough, so there are fewer customers, so less pooling, so less capacity... It's the cat biting its own tail.
Double paradox
Insurers and reinsurers are all the more cautious because they have poor control over this risk, which is recent compared to others, and for which they have less data. This is why France Assureurs (formerly the French Insurance Federation) favors the areas of development that are prevention, data sharing, and the removal of regulatory vagueness, on the reimbursement of ransoms, in particular. Axa and Generali have already indicated that they no longer support ransom payments, which are strongly discouraged but not prohibited by law.