The future of cyber insurance in the face of ransom payments

For a growing number of companies and public entities, the question arises of whether or not to pay the ransoms demanded after a cyberattack. The law could legalize this practice, and the government is betting on the development of the cyber insurance market. Wrongly?

According to the orientation and programming bill of the Ministry of the Interior, the LOPMI, which was deemed partially non-compliant by the Constitutional Council on January 19, companies will be able to pay the ransoms demanded in the event of cyberattacks, most often based on ransomware, on the sole condition of filing a complaint within 72 hours following knowledge of the offence.

This measure has undoubtedly been the most discussed of this bill, especially since it goes against the recommendations of ANSSI, which recalls in its annual report that the payment of a ransom “does not guarantee obtaining a means of decryption, induces cybercriminals to continue their activities and therefore maintains this fraudulent system.”

One of the intentions behind this controversial measure is to make the investigators' task easier by ensuring that they are informed, and above all informed quickly, so that they can carry out an effective investigation.

In addition, this measure is accompanied in the LOPMI by tougher sanctions against cyber-crooks.

According to the government, the aim is to improve the information available to the police and the courts and to regulate the clauses under which insurance companies reimburse cyber-ransoms. The government has also put forward a report produced by the Directorate General of the Treasury in collaboration with professionals from the sector, entitled “The development of cyber risk insurance”. Its title illustrates its content.

A real fake good idea?

The measure could turn out to be a false good idea. We first easily imagine the incentive side on the hacker side since these ransoms will be “supported”.
As for coercive measures, they will have a little trouble applying to hackers located in countries like Russia, North Korea, China…
Finally, all insurers are far from sharing the government’s optimism on the development of the cyber insurance market.

A report published in June 2022 by AMRAE, an association representing the sector, drew a less than optimistic conclusion. Based on premiums and reimbursements for the cyber insurance market, the report underlined that 2021 had seen the balance between premiums and reimbursements restored, after a year 2020 with a strong deficit. The amounts reimbursed had reached more than 216 million in 2020, against 73 million euros the previous year. This return to balance was due not to a drop in cyberattacks but to much more expensive premiums and to payment conditions that have become more demanding.

As a counterpart to these new conditions, the number of companies having taken out cyber insurance has decreased. In concrete terms, practically only large companies opted for this type of insurance. Of the €185 million in premiums paid for cyber cover in 2021, 82% comes from large companies. While their number has increased in recent years, it fell from 251 to 240 between 2020 and 2021. At the same time, medium-sized companies, and even SMEs, are increasingly attracting cyber-crooks, a trend confirmed by the figures in the report. However, this category of companies will certainly have difficulty keeping up with substantial increases in cyber insurance.



Cyber-insurance at risk?

The profitability regained by cyber-insurers in 2021 actually hides huge disparities. While the Claims/Premiums ratio is 58% for large companies, it is 261% for mid-sized companies (ETIs) and 325% for SMEs. In other words, cyber-insurers seem to have found a balanced formula for large companies but will have to considerably increase premiums and further tighten conditions for ETIs and SMEs.

In its report, AMRAE thus expected tempestuous renewals at the end of the year but nevertheless hoped for more transparent negotiations: the 2nd edition of the LUCY study, conducted by AMRAE with specialist company insurance brokers, claims to offer an objective and exhaustive view of the insurance offer, the loss ratio and the technical results.

But, even though the report points out that “companies need to be protected against cyber risk, it is an essential lever for the resilience of the French economy”, some insurers question the viability of this market, at least for ETIs and SMEs.

Thus, according to our Swiss colleagues from Weather as of January 13, the director of Zurich Insurance recently estimated that the pharaonic cost of damage caused by cyberattacks was becoming unbearable.

Ironically, the insurer was itself affected by a major hack shortly after this speech. It remains to be seen whether they have paid and above all, whether they will be compensated…


