Following the many recent news on the subject, our columnist Michel Juvin offers an overview of cyber insurance, its mechanisms and its limits.
To contextualize current questions around the relevance of cyber insurance, it is useful to review how companies assess risks globally and how insurers position themselves accordingly.
As part of the annual gathering of the world’s major economic leaders, the WEF interviews Directors and proposes every year (since 2006) a list of risks to be taken into account. In 2022, Cyber risk is in the Technological chapter and is not mentioned in the risks for the next 10 years.
Looking through previous studies, cyber risk was only mentioned at the impact level, more strongly in the previous years 2017 to 2019; until indicated in 3e position in 2018.
Similarly, in the summary of risks identified for the next two years, major global companies highlight climate risks and position cyber risks in 7e position.
Although cyber risk haunts major world leaders (probably because they do not master this type of risk), the WEF report presents Cyber risk by country and is rated in 5e stance for France.
It should be noted that AXA, which offered a cyber insurance solution, ranks this risk second.
Statistics and first lessons from the deployment of cyber-insurance
So where are we really? Cyber-insurance has been deployed for several years in large French companies and we can draw up an initial assessment through the two studies by CESIN (the club of experts in information and digital security) and the AMRAE (the association for the management of risks and insurance companies).
With a community of more than 800 cybersecurity experts, the annual CESIN barometer (January 2022) presents a very representative picture of adoption and a first feedback from use cases!
Thus, with a representation of respondents of 54% of large companies, 38% of ETIs and 8% of SMEs, we see that adoption has been strong for the past two to three years, but that a significant proportion ( 45% this year) is not or no longer decided to make this choice.
Indeed, the following question on the use of cyber-insurance is particularly interesting since the experience was complicated or negative for nearly 85% of cases!
Finally, the filing of a complaint is not systematic, nearly 50% of the companies attacked have not filed a complaint.
For its part, AMRAE’s LUCY report highlights the first lessons of the adoption of cyber-insurance by companies. It questions brokers (and not companies) and offers the results on the basis of more than 2000 contracts subscribed.
With a ratio (claims to premiums) which has fallen from 167% to 88%, it is clear that this activity has become profitable for cyber-insurers in 2021.
However, in detail, we note that the premiums were much more profitable for cyber-insurers on ETIs and SMEs than for large companies: 82% of the total amount of premiums in amount was paid to large companies.
This finding has also led insurers to double premiums and to significantly increase deductibles in the event of an accident.
On the subject of insurance, a reminder of the concept of risk management is essential
In risk management, after their identification, it is necessary to reduce the risks so that they become “acceptable” for the company. Wrongly, some may speak of transferring the risk to a third party, but in the end, in the case of cybersecurity, there remains an important part of responsibility and image for the company.
It is therefore necessary to remember that cyber insurance is only financial cover for an accident and not the possibility of transferring a cyber risk.
At the ethical level, the mission of insurance is to cover a risk that cannot be foreseen (anticipated) or reduced or not covered by regulations. For example, you cross an intersection under cover of a green light for you, and you are knocked down. It is normal for the insurance of the third party (who caused the accident) to compensate you, but is it acceptable for someone who does not follow the regulations to also be covered for their equipment?
By applying the same principle, if you are aware of your company’s vulnerabilities and you do not apply any protection, it therefore seems normal that no insurance covers you, even financially.
In other words, if the company does not analyze its cyber risks and does not reduce its identified vulnerabilities (no action plan, no end of project deadlines, no traceability and checks on the progress of risk reduction action plans, etc.) effectively, it is not desirable for cyber-insurance to financially cover the losses suffered.
The limits of cyber insurance
Remember that beyond simple financial cover, insurance does not correct the risk upstream (origin of the cause) and therefore despite good intentions, an insurance company external to the company cannot offer action plan to reduce or avoid the risk.
Additionally, cyber insurance does not cover loss of intellectual property and damage to corporate reputation. In fact, since these risks cannot be precisely estimated, cyber-insurance excludes these risks or only offers financial compensation which will be estimated globally by the contracting party.
Finally, we note that the deductibles have been greatly increased; questionnaires submitted by insurers are increasingly inquisitive and often poorly protected during exchanges with insurers). Sometimes, not having the expertise in-house, insurance companies and brokers sponsor a consulting company (which you have not chosen) and which comes to audit your environment and gives you actions to take which are obviously not those that you have otherwise identified; but which are those which relate to the risks contained in the precise clauses of the insurance. The use of cyber risk rating agencies, which is increasingly common, is similarly highly imperfect compared to the reality on the ground in a company.
These practices increase even more the reactions of rejection of this type of external expenditure vis-à-vis insurance companies, which are often chosen by a financial department, itself too little involved in the management of cyber risks.
Where are we: the latest official positions
Since ANSSI’s previous publications urging companies never to pay the ransoms demanded by external cyber-gangs, a new publication from the Ministry of Finance (Treasury Department) in September 2022 suggests that companies resort to filing a complaint with French gendarmes from the C3N to obtain financial compensation via their cyber-insurance.
As journalist Valérie Marchive points out in a recent article on ransomware, the objective of this new position is to allow the flow of declared crypto-currencies to be traced and to attempt to correlate the information collected to identify via Interpol and/or Europol the cybercriminal organizations.
Indeed, the Chainalysis website offers, for example, police forces to follow the flow of crypto-currencies and trace the actors regardless of their country of origin; important work of the police force and some success stories are noted in the article. But cyber gangs know how to launder ill-gotten cryptocurrencies as I explained in one of my previous columns.
A concern is obviously the risk of encouraging cyber-gangs by financing the crime (which is also unethical and prohibited in particular in the United States: fines are imposed on companies that pay the ransoms). However, this proposal intends to give a chance for companies that risk going out of business following a cyber-attack, to recover their rights of access to data and to formalize the financial flows resulting from ransom demands through police services; and possibly negotiating a ransom.
But beyond the undoubtedly laudable intention: how to analyze that since this last announcement from Bercy, there has been an upsurge in attack (+26 in the single month of September)? Do hackers have more reason to expect to be paid?
Cyber insurance: what choice should be made today?
It is necessary to start at the beginning: namely to identify its vulnerabilities and above all to do everything possible to reduce them. With these recent publications, which shed light on cyber-attacks, it has become essential for IT departments to be focused on risk reduction. ; under the control of the teams of the Risk Department and the Cybersecurity Director.
The use of cyber insurance may not be the right choice for large companies because investments in these external companies amputate the budget of the teams in charge of risk reduction. Moreover, given the profitability objectives of cyber-insurers, they can only play a very secondary role, compared to what each cyber expert of large companies must know how to do, and without being a distraction from important questions to which cyber insurance cannot provide an answer, by nature.
For small and medium-sized companies, the situation is more complex because they often do not have the resources to face a cyber-attack and the consequences can be effectively lethal as we have seen in many cases. However, it is interesting to note that some large companies set up insurance captives to protect their small subcontractor companies who share strategic data and interests. The idea is, on the one hand, to analyze the risks globally and reduce the most significant risks at the scale of their ecosystem, and, on the other hand, to bring a little more cyber-maturity to these companies that do not have sufficient resources to undertake these actions. Unfortunately, today, apart from a company like Cybervadis, there are not many third-party players on the market in France who offer this risk analysis of subcontracting which will standardize the risks at group level.
It will therefore be understood that cyber insurance is not the panacea that some business leaders may imagine, nor with the latest government announcements. The approach and understanding of cyber risk by insurance players, despite what some lobbies say, is by nature different from that which a company that wants to protect itself must take advantage of.
 Page 100-117 of the report
 Mapping, risk analysis, network segmentation, tested recovery plan, vulnerability test regularly via a platform like www.yeswehack.com, etc.