If the increase in claims (a cheerful term used by insurance companies to designate the amount of damage suffered by an organization due to a cyber attack) has managed to be more or less contained in 2022, the study LUCY (Light on Cyberinsurance), published by the Association for Corporate Risk and Insurance Management (Amrae) in the spring, masks very different situations depending on the size of the companies.
Conducted since 2021 to better shed light on a market in full redefinition, the 2023 edition of LUCY covered 9,672 insurance policies: 281 for large companies, 591 for mid-sized companies (mid-sized companies, between 50 million and 1 billion turnover) , 492 medium-sized companies (between 10 and 50 million turnover), 624 SMEs (between 2 and 10 million turnover), and 7684 micro-enterprises (less than 2 million turnover).
If, unsurprisingly, large companies have become aware of and have significantly armed themselves against cyber risk, the situation is always more complex for mid-sized companies, and, even more so, SMEs and VSEs.
Large companies that are robust and confident in the face of cyber risk
“The S/P ratio reached a historically low rate of 16.2%”, for large companies, underlines LUCY. Which means, clearly, that claims reached 16.2% of the amount of premiums, and that insurance companies did not lose money on cyber risk coverage for large companies. The average cost of a cyber disaster for a large company is still 900,000 euros.
The situation also remains healthy for mid-sized companies, after two difficult years (2019 and 2021), where the amount of compensation paid had even exceeded the amount of premiums paid by almost 5 times, with an S/P ratio of 480%, in 2019, and 260%, in 2021.
The situation is more difficult for medium-sized businesses and SMEs. According to LUCY, “the results of medium-sized companies deteriorated in 2022 to reach the symbolic threshold of 100% S/P. This deterioration is essentially due to the explosion in claims, the cost of which has almost doubled between 2021 (€2.40 million) and 2022 (€4.50 million).” In addition, “the growth in the number of insured companies (+53% in 2022) associated with the growth in the overall volume of premiums (+84%) did not make it possible to absorb this drift”.
Logical consequence: “we can therefore expect to see insurers clean out their portfolios by tightening the conditions of access to cyber insurance, as they have already done in the large business markets in 2020 and in the corporate market. mid-sized in 2021.”
A costly risk…
Cyber risk coverage has a cost. LUCY 2023 provides some figures, for information only.
For large companies, cyber risk insurance amounts to an annual premium of €950,000 for a capacity of €35 million with a deductible of €6.50 million. It increases to €65,000 annual premium for a capacity of €6 million with a deductible of €450,000 for medium-sized companies, and €9,100 annual premium for a capacity of €2.30 million with an excess of €48,000, for medium-sized companies.
Deductibles whose amounts appear more than significant in the balance of a company’s finances, even if they are linked to a real lethal risk in the event of a cyber attack.
What about small businesses?
SMEs (less than 250 people, less than 250 million turnover), represented in 2018 according to INSEE 3.9 million companies (including micro-enterprises) and generated 43% of national added value. This figure was boosted after 2020 and nearly 1.07 million businesses were created in 2022.
However, these structures can be particularly fragile in the face of a cyberattack, and are dramatically absent from statistical radars… and from insurers’ offers.
Because the market is not perceived as interesting, or does not reach critical mass. A broker had thus confided, on condition of anonymity: “the loss of data, including confidential data, is sometimes included in RC (civil liability) insurance, but it is incomplete and it only very partially covers the damage, for the company as well as for its customers.
Even if certain insurers, such as Stoïk, or Dattak, are taking a position in this market segment, we are still in the early stages for SMEs, VSEs and other micro businesses.
Laudable initiatives (the Anssi and CPME guides) and self-diagnostic tools like those offered free of charge by the Ministry of Economy and Financeof the CCIor even the National Gendarmeriewith cybermalveillance.gouv.frallow managers of small structures or even communities to find their way around and fairly precisely assess their level of exposure to cyber risk.
But this is not enough. Philippe Cotelle, coordinator of the LUCY study, president of its Cyber commission at Amrae and Risk Manager at Airbus Defense & Space, readily recognizes this: “we need, for SMEs, a clear and effective reference framework so that they know where they stand regarding their cyber risk, and clear insurance policies, adapted to their expectations and their means to cover this risk.”
2023-09-13 18:22:04
#LUCY #study #mature #cyber #insurance #market #large #companies #LeMagIT
