Partner Emmanuèle Lutfalla and Associates Deborah Azerraf and Alice Decramer examine cyber risk and its insurability from a French law perspective, in Insurance Day.
This article was published in Insurance Day, 5 December 2019, and can be found here.
The French Insurance Federation (Fédération Française de l’Assurance or FFA) recently published the second edition of its risks barometer’s results for the French insurance and reinsurance sector in 2019.
The report examines 23 emerging risks, which have been divided into six categories: economic, environmental, social, technological, political and regulatory.
Accordingly, at a horizon of one-year, cyber risk, social tensions and inequalities, as well as a global financial crisis tops the rankings. At a horizon of five years, cyber risk remains on top of the list, followed by global warming and a global financial crisis.
Although risk is insurance’s “raison d’être”, not all risks are insurable. This fundamental question of insurability has been theorised since the eighties.
Insurability assessment revolves around a three-dimensional analysis of risk: actuarial, market and societal. The actuarial aspect usually raises the greatest number of difficulties with regards to emerging risks, due to the complexity in analysing the randomness of such risks. They also provide a lot of opportunities for the insurance market, which has to face emerging demands and develop new products.
Cyber risk is a perfect illustration of the challenges raised by emerging risks.
1. Cyber threat, a major emerging risk for businesses
The current market, whether observed from a business or consumers’ point of view is characterised by global digitalisation and growing dependence on computing systems.
The development of the Internet of Things (IoT) and massive recourse to the Cloud have led to a considerable increase in cyber risk.
In 2017, the number of connected objects used globally was estimated to 8,4 billion[i] and 52% of the French population owned at least one connected object, in addition to their smartphone[ii]. It is estimated that by 2020, every French person will carry with them an average of three connected objects. Today, the connected objects market is estimated to be worth nearly 10 billion euros, just in France. According to consulting firm McKinsey & Company, the global market for connected objects could be valued at nearly 11 000 billion dollars in 2025[iii]. Moreover, 87% of businesses store data via the Cloud[iv]. An attack against a Cloud provider is presented as one of the most likely scenarios by Lloyd’s last report on cyber risks. The study evaluates ensuing losses from 15 to 121 billion dollars, with an estimated average of 53 billion, of which only 17% would be insured[v].
What does cyber risk really mean?
This article will adopt the wider understanding of “cyber risk”, meaning any risk of breach of intangible origin, to the availability, confidentiality, integrity or traceability of a physical or legal person’s computing system[vi]. This definition encompasses cyber-attacks as well as operating errors which lead to an information system failure. On this issue, a study led by audit firm Deloitte revealed that “63% of security incidents originate from an active member of staff. Indeed, a business’ highly secure IT system can quickly be harmed by an employee’s ill-intentioned action or mistake”[vii]. Moreover, in 2018, only 20% of companies did not suffer a cyber-attack[viii], and yet only very few of them have mapped out the risks.
Cyber risk was made glaringly obvious in 2017, during the WannaCry and NotPetya attacks, of which the estimated several billion-dollar cost is yet to be fully assessed.
As a reminder, the Wannacry attack was revealed on 12th May 2017. A ransomware infected 360,000 electronic devices in 180 countries[ix]. The attack spread via companies’ intranets. The entire data of thousands of businesses’ computers was encrypted, forcing companies to pay a ransom (up to 300 euros) in order to recover access to the data, unless a recent backup save had been made. The total ransoms amounted to an average of 100,000 dollars. However, the most significant cost suffered was that caused by business interruption due to computer systems being inaccessible.
In France, for instance, the attack led to the closure of the Renault de Sandouville factory, and in the UK, it significantly disrupted hospital activities, with many surgeries postponed. The economic impact of this attack is significant and should cost several billions of dollars[x].
On 27th June in the same year, the NotPetya attack made headlines. This attack encrypted infected devices’ files, making them inoperable by deleting each computer’s launching programme. Consequently, computers could not restart[xi]. The case of the Société Saint-Gobain gained particular media attention, as the company suffered the most drastic loss of profit, estimated to nearly 80 million euros[xii]. On this occasion, Mondelez brought proceedings against its insurer, who had refused its guarantee as it considered the attack was an act of war[xiii].
These attacks were highly publicised and led to an increase in the number of insurance policy subscriptions: 50% of IT system safety officers who were interviewed as part of the CESIN barometer research said that their company took out cyber insurance in 2019, against 40% in 2017 and 26% in 2016.
In addition, since GDPR came into force on 25th May 2018, all personal data breaches must be notified to the CNIL (Commission nationale de l’informatique et des libertés) within 72 hours and the individuals affected must be individually notified. Such obligations carry heavy fines which can represent up to 4% of global turnover (with a 16-million-euro cap)[xiv].
The Club des Experts de la Sécurité de l’Information et du Numérique or CESIN (NB: a French non-profit organisation which fosters knowledge exchange, experience sharing and cooperation between information and digital security professionals) noted that GDPR’s entry into force had triggered a jolt in corporate governance, with one in two company’s governance being overhauled[xv]. This can be explained by the cost of data breaches, which is estimated at 8 billion dollars between 2017 and 2022[xvi].
The proliferation of large-scale cyber-attacks, the extent of consequential losses and a tighter regulatory framework have acted as a serious wake-up call for businesses. According to estimates, the volume of cyber insurance premiums could double by 2020 and reach up to 20 billion dollars in 2025[xvii].
2. The difficult insurability issue of cyber risk
The US cyber insurance market has experienced extensive and effortless growth since the beginning of the 2000s. This is due to regulatory change which requires notification of any personal data breach (California Data Breach Act 2003). This piece of legislation was introduced following a cyber incident in the Californian state, which led to the data disclosure of over 200 000 civil servants.
Today, the global market of cyber insurance is estimated to be worth between 3 and 3.5 billion dollars, with the US making up 85 to 90% of the market against less than 10% for Europe[xviii]. These facts question whether GDPR is the keystone for the growth of Europe’s cyber-market.
The feeble growth of the cyber-market in Europe raises a real question concerning the insurability of such risk. As stated above, a risk must meet certain criteria in order to be considered insurable. Cyber-risk, like many other emerging risks lies at the edges of insurability.
An analysis of complex risk
Insurers evaluate a risk on an actuarial basis: i.e. through analysing a series of past events. With regards to cyber risk, this evaluation method is inadequate for two reasons. Firstly, cyber-risk’s novel nature restricts the amount of available data. Secondly, companies tend to be reluctant in sharing “cyber damages” data. Such reluctance leads to an imbalance of data between insured parties and insurers and prevents insurers from accurately assessing insurance premium value with regards to an insured party’s activities. This situation fosters the anti-selection phenomenon, causing in turn a lack of diversification for insurers’ portfolios.
Collecting data on cyber incidents is made all the more difficult by the absence of a methodical standardisation to assess which incidents should be taken into consideration and which should not. Moreover, an organisation which is dedicated to collecting data and building a database that will be accessible to all market players has yet to be created.
There has always been a close correlation between consequential losses upon the occurrence of a risk, an insurer’s ability to cover them, and premium values. Insurance premiums enable insurers to have indemnity capacity and losses incurred upon the occurrence of a risk must be inferior to such capacity.
When it comes to cyber risk, it is very difficult for insurers to assess the value of losses and thus to maintain a positive correlation. To this day, consequential losses upon cyber incidents are inferior to other claims such as natural disasters.
Nonetheless, the mega-attacks scenarios, as envisaged by Lloyd’s of London, reflect the uncontrollable nature of losses which a global cyber incident could cause. On this matter, Swiss Re considered that “Some cyber risks, especially those related to extreme catastrophic loss events such as a disruption to critical infrastructure or networks, may be uninsurable.”[xix]
With the ever-increasing digitalisation, network interconnections, globalisation and the proliferation of electronic devices in mind, could today’s “catastrophe scenarios” simply be tomorrow’s norm?
A potentially systemic risk
The principle of mutual benefit drives the insurance industry. This principle is based on the law of large numbers and enables insurers to have an order of magnitude of indemnity claims. However, this theory is only applicable if risks are interlinked. Cyber risk on the other hand, is highly impacted by network interconnections and market actors’ interdependence. For instance, the NotPeya virus spread through one accounting software update in Ukraine, and reached the UK, Norway, the Netherlands and France in five hours. Similarly, viruses also take advantage of certain operating systems’ dominance. The failure of one Microsoft Windows operating system (due to security updates not being made), enabled the WannaCry attack to spread.
This interconnection is a major issue for insurers, who have to go beyond the insured party’s risk analysis and take into consideration actors who are part of the insured party’s sector as a whole. As a consequence, insured parties no longer depend solely on their own level of prevention, but also rely the standard of care upheld by actors of a similar business chain (business partners, customers…). Some experts believe that the notion of “interdependent security”, developed for terrorism could be transposed to cyber risk[xx].
Additionally, it is desirable that the issue of ransom and administrative sanctions’ insurability be clarified.
Whilst all these elements do not lead to the conclusion that cyber risk in uninsurable, they contribute to making cyber risk insurance policies more difficult to use. With this in mind, the urge to offer appropriate insurance solutions becomes increasingly evident.
[i] Gartner, « Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016 », février 2017 : https://www.gartner.com/en/newsroom/pressreleases/2017-02-07-gartnersays-8-billion-connectedthings-will-be-in-use-in-2017-up-31-percent-from-2016
[ii] État de la menace liée au numérique en 2018, Rapport n° 2, Délégation ministérielle aux industries de sécurité et à la lutte contre les cybermenaces, mai 2018.
[iii] McKinsey Global Institute, « By 2025, Internet of things applications could have $11 trillion impact »: https://www.mckinsey.com/mgi/overview/in-the-news/by-2025-internet-of-things-applications-could-have-11-trillion-impact.
[iv] Baromètre annuel du CESIN – Analyse exclusive de la cybersécurité des grandes entreprises françaises, OpinionWay, 4è édition, janvier 2019.
[v] Extreme cyber-attack could cost as much as Superstrom Sandy, Lloyd’s, 17 juillet 2017, article disponible via https://www.lloyds.com/news-and-risk-insight/press-releases/2017/07/cyber-attack-report.
[vi] L’assurance des risques cyber, comment tirer le meilleur parti de l’assurance dans un context de numérisation intensive ? Gaspard Ferey, Nicolas Grorod, Simon Leguil, Mémoire de fin de formation du Corps des mines, 2017.
[vii] Les grandse tendances dans la cybersécurité, Communiqué de Presse, Deloitee, 18 janvier 2018, article disponible via https://www2.deloitte.com/fr/fr/pages/presse/2018/grandestendances-cybersecurite.html.
[viii] Voir note 6
[ix] El impacto economic de Wannacry, Publications Deloitte disponible via https://www2.deloitte.com/es/es/pages/governance-risk-and-compliance/articles/impacto-economico-wannacry.html.
[x] Wannacry, une cyberattaque au ransomware sans precedent, Atlas Magazine, L’actualité de l’assurance dans le monde, juin 2017,disponible via https://www.atlas-mag.net/article/wannacry-une-cyber-attaquesans-precedent.
[xi] Voir note 4
[xii] Communiqué de presse de Saint-Gobain du 27 juillet 2017 sur les résultats du 1er septembre 2017, disponible via https://www.saint-gobain.com/sites/sgcom.master/files/cp_vf_resultats_s1_2017_t.pdf
[xiii] Cyber attaque NotPetya : l’assureur Zurich attaqué en justice par le groupe Mondelez, Aurélie Abadie, L’artus de l’assurance, 14 janvier 2019, disponible via https://www.argusdelassurance.com/tech/cyber-attaque-notpetya-zurichattaque-en-justice-par-legroupe-mondelez.140269
[xiv] Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l’égard du traitement des données à caractère personnel et à la libre circulation de ces données.
[xv] La cybersécurité des grandes entreprises françaises : le baromètre, du CESIN, Yves Grandmontagne, disponible via https://itsocial.fr/enjeux/securite-dsi/cybersecurite/cybersecurite-grandesentreprises-francaisesbarometre_cesin/
[xvi] Cyber-risques, la menace fantôme, Décideurs, Guide annuaire 2018.
[xvii] Le marché de la cyberassurance promis à une croissance rapide, Laurent Thevenin, Les Echos, 20 septembre 2018, disponible sur https://www.lesechos.fr/finance-marches/banqueassurances/le-marche-de-lacyberassurance-promis-a-unecroissance-rapide-139597
[xviii] Commission Cyber Risk Tome 1 : Assurer le risque Cyber, Le club des juristes, janvier 2018.
[xix] Cyber : getting to grips with a complex risk, Swiss Re Institute, p. 38, 2017.
[xx] Voir note 20