The development of the cyber risk
Cybercrime has been steadily increasing for several years, with rates of increase in recorded offences ranging from 10% to 20% from one year to the next. Companies, whatever their size, sector or geographical location, are nowadays facing this new large-scale systemic cyber risk.
In the US, Jerome Powell, US Federal Reserve Chairman, considers cyberattacks on businesses to be the biggest risk to the US economy today. In France, the observation is the same, even more so since the Covid-19 crisis. Cybercriminals have indeed taken advantage of this, with a 400% increase in phishing attacks between March 2020 and February 2021 and a fourfold increase in the number of ransomware attacks between 2019 and 2020.
No more is cyber criminality exclusive to hackers, but has widened to States, terrorists and even white-collar crime. It is not unusual in a process of acquisition to face cyberattacks organised by a competitor or even a partner to weaken the target and lower the price.
Besides consequences that threaten business continuity and financial viability, companies also face liability towards their clients for sensitive data breaches.
While cybersecurity is a threat to businesses, it is also an opportunity for insurers to develop a promising market. In France, this sector represents a turnover of €13 billion and is growing rapidly. It generates €6.1 billion in value and employs 67,000 people. The global cybersecurity market is expected to be worth $150 billion by 2023 worldwide.
Despite the development of cyberattacks and a highly structured and regulated insurance market in France, the French cyber risk insurance market remains a niche market, mainly driven by large companies.
Indeed, the recognised market players in the cyber insurance market have historically and essentially come from the United States and Great Britain.
Insurers are now offering cyber risk insurance in specific cyber risk policies rather than traditional policies.
The cyber risk coverage
Cyber risk can be defined as an operational risk to the confidentiality, integrity, or availability of data and information systems.
Cyber risk covers both malicious acts and unintentional incidents. There are several forms of cyberattacks: phishing, ransomware, denial of service or access attacks, sabotage and espionage.
The coverage of cyber risk by insurers raises several questions.
In the context of strong development of ransomware, the insurability of ransomware payment remained uncertain in France until recently. The payment of the ransom by the insurer is not authorised all around the world, due to the risk of violating anti-money laundering rules and antiterrorist financing reporting obligations (AML/ATF).
For a while, French law did not explicitly prohibit the insurance of cybercrime ransom, however most of the practitioners considered it a breach of AML/ATF regulation.
Since law n°2023-22 dated 24 January 2023, the reimbursement of ransom by the insurer is authorised provided that the victim files a criminal complaint with French authorities within 72 hours. This provision will enter into force as of 24 April 2023.
The law specifies that “In parallel, and in order to break the business model of cybercriminals, the clauses on ransom reimbursement by insurance against cyberattacks will be better regulated and ransom payments will have to be reported to the security forces or to the judicial authority, so that the competent services have the necessary information to pursue the perpetrators. Thus, an insurance clause to cover such a risk could only be implemented if the security forces or the judicial authority have been informed by a complaint.”
“It is not unusual in a process of acquisition to face cyberattacks organised by a competitor or even a partner to weaken the target and lower the price.”
It should be noted that a decree issued on 13 December 2022, which entered into force on 1 January 2023, stipulates that “property damage and pecuniary losses resulting from attacks on information and communication systems” are now expressly covered by the insurance code.
As a comparison, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a policy that prohibits the payment of cyber ransom by insurers.
Disregarding the acceptability or not of such payment, a pragmatic consideration is that unfortunately most of the time the ransom costs less than the resulting damages to the company.
Finally, it is important that every company is aware that cyber risk can jeopardise its business activity. Some protection exists, amongst which is insurance (understanding insurers require serious and solid audits and protection measures before granting guarantees).
Our teams in Baro Alto provide advisory work on prevention and insurance covers, we actively work with a network of professionals to assess the risk exposure of the company for its activity and towards its clients and third parties. We audit, advise on insurance, and assist our clients in cyber criminality and its consequences.