Reinsurance Tutorials #7 - Season 3
Hi everybody 👋
Today, and for the seventh Reinsurance Tutorials video of the season, we will talk about "At the Heart of the Cyber Crisis: The Need to Restructure?"
This subject will be addressed by CCR Re experts Emmanuelle Huguet and Madeline Jauvat.
Let’s start! ⏬
[Emmanuelle Huguet]: Hello, I am Emmanuelle, Advisory Actuary at CCR Re.
[Madeline Jauvat]: Hello, I am Madeline, Reinsurance Legal Advisor at CCR Re.
At the heart of the cyber Crisis, the insurance market needs to restructure. Let's see.
How is the Cyber risk apprehended by companies today?
[Emmanuelle]: The answer is definitely yes. This risk, different from the others, is probably not fully insurable.
In the real world, insurance has been able to industrialize its models to cover almost all risks. Concerning the digital world, the specificities of cyber risk, changing and potentially systemic, given the strong dependence of the economic system on digital technology and situations conducive to attacks, make it a risk that doesn’t lend itself well to industrialization. This risk is young in Europe and therefore there is no reliable statistical database. The victims range from individuals to multinational corporations, with widely varying types of risk and capacities. Insurers must therefore think about new models and differentiated offers by type of player and by type of risk.
[Madeline]: Another major difficulty is that silent covers raise concerns because of the potential degree of exposure to cyber risk in portfolios. Without clarification that cyber risk was not excluded from the scope, it was considered silently covered in many contracts.
2 contract drafting techniques are used to address silent cover:
First, define the scope of coverage of the contract in an exhaustive way, so that no cyber coverage can be claimed if not specified. 'Named perils' cover, as opposed to 'all but' cover, is preferred.
Otherwise, it is possible to exclude cyber risk coverage in general. Cyber exclusions have multiplied since 2019 to update old standards:
- The list of excluded types of threats has grown: the definition of computer systems and data and the kind of damage have been detailed to include as many assumptions as possible.
- A regime has been defined for each type of damage: the distinction between accidental and malicious damages has been improved.
These new clauses show a real analysis of the cyber risk in order to avoid silent cover. In addition to these absolute cyber exclusions, there are also numerous limited cyber exclusions that can cover some part of the cyber risk, if necessary.
What actions have been identified to strengthen the Cyber risk insurability?
[Emmanuelle]: The challenge for insurers and reinsurers is to perfectly control their cumulative commitments, and for intermediaries and companies to put all the means in place in terms of prevention.
The investment of all parties will make it possible to clearly identify what is insurable in order to avoid the risk of a cyber pandemic. To get involved in the subject, the Directorate General of the Treasury launched a major national consultation in 2022.
Resilience to cyber risk is a major sovereignty issue.
In the same way as to limit the spread of Covid, basic digital barrier actions are essential for companies wishing to protect themselves against cyber threats. And working on it from the inside remains the key to this prevention. The stakes in terms of training and awareness are therefore considerable.
French authorities have shown their interest in Ransomware Cyber Insurance since 2020, when hospitals and companies were massively ransomed.
Public debate has shown diverging opinions:
- A company will often have more interest in paying the ransom: business interruption caused by the ransomware will often inflict more damage than the amount of ransom to be paid.
- Paying a ransom is always counterproductive: financial means given to hackers allow them to continue attacking - which will progressively make the fight against cyber-attacks more and more complex and force the attacked companies to pay more ransom.
Against the general opinion, the French Government proposed a law at the end of 2022 to legalize the insurability of ransomware:
- Not to put French insurers at a disadvantage compared to their European competitors.
- To build on insurers’ requirements to improve IT security measures of companies taking out this type of contract.
The initial text was broadened before its adoption in early 2023 to allow all insurance reimbursements following a breach of an automated data processing system, subject to a report filed by the victim of the attack within 72 hours of the victim's knowledge of the attack.
When will we start thinking about a Cyber risk regime?
The public-private partnership for the management of extreme risks would make it possible to define an effective sharing of responsibilities, in the same way as for natural disasters, thus contributing to anticipation and resilience.
But the particularity of Cyber risk, both in terms of the triggering event, the history and dynamics of the risk, and the need for insurance, will require adapting the methods of risk management and intervention by the public authorities.
[Madeline]: Thanks a lot for listening to us.
Bye for now 👋