Faced with cyber attacks, the world of insurance is wondering what to do. In a report it has published, AMRAE shows that while most large companies have adopted insurance policies covering this type of contingency, small and medium-sized enterprises still lag far behind.
The Association pour le Management des Risques et des Assurances de l'Entreprise (AMRAE) this week published the first edition of its LUCY report (LUmière sur la Cyber assurance), which aims to provide "an objective and exhaustive study on the cyber risk and its insurance coverage."
To compile the data needed for the study, AMRAE turned to eight insurance brokers, who agreed to share anonymized figures on companies' level of cyber coverage and on claims indemnified during 2019 and 2020.
One of the first lessons of the study is the sharp disparity in cyber insurance coverage between large companies, which have a turnover of over 1.5 billion euros, and the rest of the organizations (ETI, VSE / SME, local authorities). 87% of large companies say they have taken out an insurance policy covering cyber risk, compared to 8% of medium-sized companies.
Regarding VSEs / SMEs, the authors of the study remain cautious, pointing out that their figures come from insurance brokers, who are not the usual point of contact for organizations of this size. The figures nevertheless suggest a rate of coverage that is too low: "in 2020, only 362 of the 140,000 SMEs with turnover between 10 and 15 million Euros have taken out cyber insurance with their broker". Finally, local authorities are still lagging behind, with 27 cyber insurance contracts taken out in 2020 for municipalities with more than 5,000 inhabitants and 48 for local authorities.
Four incidents tip the scales
The other aspect the report addresses is the indemnification capacity associated with these insurance policies, which is generally well below the losses observed. "The average capacity subscribed by the 87% of large companies that have chosen to take out insurance remained stable in 2020, around 38 million Euros", the report states. It makes a similar observation about mid-sized companies, with an average subscribed capacity of 8 million Euros. In both cases, AMRAE considers that this capacity is generally "too limited" given the financial risks that cyber attacks pose today.
The report recalls in its preamble that the "amount of compensation paid has been multiplied by 3, from 73 million Euros in 2019 to 217 million Euros in 2020". According to the report's authors, this surge in compensation must be put into perspective: "this inflation is only due to four very high intensity claims (between 10 and 40 million Euros in compensation each) declared by large companies". Without these four incidents, the amount of compensation paid would have been roughly the same as the previous year.
For cybercriminals who rely on ransomware, 2020 was indeed marked by attacks on high-profile targets, with ransoms to match. Sopra Steria, hit by ransomware in September, estimated the consequences of the attack at around 50 million Euros. And this is a model pupil, one that handled its crisis management successfully.
For insurers, there is therefore undeniably something to be done, but the task is proving delicate. AMRAE first underlines the need for companies, in particular mid-sized companies and very small and medium-sized enterprises, to be more aware of digital risk and to put in place better digital security strategies aimed at limiting "the numerous low-intensity disasters" which represent the bulk of claims.
The report also highlights the different dynamics of the large business market and the mid-sized company market: while large accounts are "mostly protected by cyber insurance, but with a level of coverage lower than their real needs", they struggle to find insurers able to cover the larger claims caused by computer attacks. Mid-sized companies, on the other hand, benefit from a competitive market and a large supply, but are much less aware of the risk and make less use of insurance. "There is therefore not a cyber insurance market, but two markets facing two radically different issues: a lack of supply from large companies, weak demand from mid-cap companies, SMEs and public authorities."