Did you know that only 0.14% of cyber-risks are covered in France?

Gabrielle Thomas
Jun 28, 2019 · 7 min read

“US launched a cyber-attack on Iran weapons systems”, the BBC revealed on Monday. What a vibrant topic! By coincidence, that same evening, the Parisian Fintech & Insurtech community was gathering at Schoolab Saint-Lazare for the Paris Insurtech Meetup, dedicated to the very hot topic of the day: cyber insurance.


It was the 4th meetup of the Assurtech Paris community, co-organized by Charlotte (AXA), Joël (JinnBee), Henri (data scientist) and me (BlackFin Tech). And once again, the room was packed with a very enthusiastic audience, eager to learn and network.

As you may know, only 0.14% of cyber-risks are covered in France, said Christophe Delcamp (FFA), despite a risk estimated between 7 and 13 billion euros annually. To give you an idea of how underserved the market is, in France, premiums on the cyber-insurance market amount to (only) 80 million euros, whereas in the US, they are above 2.7 billion dollars. Wow. Yet this untapped market is still not very well understood by its stakeholders, as many reports say: people and SMEs are aware neither of their cyber risks nor of the existing insurance products.

Starting from the famous formula π = E[N]E[X], where π is the premium, N the number of claims (E[N] is the “frequency”) and X the cost of a claim, and supposing that X and N are independent, we had the chance to get an overview of very concrete projects tackling cyber-risk issues for SMEs in western Europe.

Part I: The specificity of Cyber Risk assessment and actuarial modelling

Olivier Lopez, professor at Sorbonne Université (SU) and director of the Institut de Statistique de l’Université de Paris (ISUP), kicked off the meetup by presenting his research project on actuarial modelling for cyber insurance (AXA research fund, Institut Louis Bachelier, SU-Ensae ParisTech).

According to Olivier Lopez, cyber-risk bears 3 characteristics:

  • It’s a recent and quickly evolving risk;

Adverse selection and moral hazards

The research points out that adverse selection is a real issue in cyber insurance. First of all, information asymmetry is very real here: SMEs may have hidden risks that need to be uncovered, and an insured company may simply replace a “physical” protection with insurance cover.

Moreover, it’s biased by reputational aspects that lead companies not to report cyberattacks; either because they are too small to have an impact, or because they are too big and could cause reputational damage. This specificity can have an impact on the premium pricing.

Finally, insured companies tend to change their behavior over time, because regulation and risk perception evolve. This leads to a lack of accurate data on cyberattacks and cyber risks with which to properly feed actuarial models.

Lack of data & accuracy

As internal data is not sufficient to assess risks, it may be complemented by external data for modelling purposes. The main bias here is that the growing number of cyberattacks can be caused either by greater exposure or by an evolution of the risk itself, and the real root cause is quite hard to determine.

A recent initiative has been set up in the US in order to raise awareness about cyber risks: the Privacy Rights Clearinghouse (PRC). The methodology takes the number of code lines hacked as an indicator of a cyberattack’s severity.

Despite the widespread use of this methodology, Olivier Lopez’s team discovered that there is a huge bias in the data chosen, as it comes from official sources, the media and non-profits’ declarations. Some sources were relevant but stopped transmitting such events, while others only cover events above a certain level of claim valuation.

Source : Olivier Lopez
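To make the reporting bias concrete, here is an added simulation (not code or data from the talk) that applies π = E[N]E[X] once to every claim in a portfolio and once to only the claims a threshold-based source would publish. The portfolio size, claim frequency, lognormal severity parameters and reporting threshold are all constructed for illustration; N and X are drawn independently, as the formula assumes.

```python
import math
import random
import statistics

def poisson(rng, lam):
    """Draw a Poisson(lam) count (Knuth's method, fine for small lam)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_portfolio(n_firms, lam, mu, sigma, seed=2019):
    """Constructed data: per-firm lists of claim costs, N and X independent."""
    rng = random.Random(seed)
    return [[rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam))]
            for _ in range(n_firms)]

def reported_only(portfolio, threshold):
    """Keep only the claims a threshold-based source would have published."""
    return [[x for x in firm if x >= threshold] for firm in portfolio]

def pure_premium(portfolio):
    """Estimate (E[N], E[X], pi = E[N] * E[X]) from the claims that are visible."""
    claims = [x for firm in portfolio for x in firm]
    frequency = len(claims) / len(portfolio)
    severity = statistics.mean(claims) if claims else 0.0
    return frequency, severity, frequency * severity

def compare(n_firms=20000, lam=0.3, mu=9.0, sigma=1.5, threshold=20000.0):
    """Return the estimates on the full data and on the thresholded data."""
    full = simulate_portfolio(n_firms, lam, mu, sigma)
    return pure_premium(full), pure_premium(reported_only(full, threshold))

if __name__ == "__main__":
    for label, (freq, sev, prem) in zip(("all claims", "reported only"), compare()):
        print(f"{label:14s} E[N]={freq:.3f}  E[X]={sev:>10,.0f}  pi={prem:>9,.0f}")
```

The thresholded view understates frequency and overstates severity, and the two errors do not cancel: the resulting premium is too low, because the cost of every unreported small claim is simply missing.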

Two schemes of the severity analysis

1- In the first case, called the central scenario of severity, the probability of a breach happening as well as the gravity of its consequences can be deduced from:

  • the type of breach (as the most important factor);
Source : Olivier Lopez

For instance, the most widespread type of breach is either Payment Card Fraud, Unintended Disclosure, Physical Loss or Insider attack, with a 52% probability, while its consequences are the least severe, with an index of 1,600 (median). On the other hand, hacking or malware in specific types of organizations (the education, healthcare, banking, insurance or government sectors) has a 2% probability of happening, while its severity is far greater, with a 29k index (median).

2- In the second case, concerning “extreme cases”, the type of breach is still the most impactful factor for both severity and probability of happening, but then the source and the type of organization are the second most decisive criteria for generating accurate actuarial models.

Source : Olivier Lopez

Actuarial modelling for cyber risks

Olivier Lopez developed two formulas to better assess the provisioning. Furthermore, he insisted on the necessity to:

  • pay attention to the quality of the data, and in particular to trace the way they were collected; and combine data sources if necessary;

Finally, he invited all the Meetupers to join his TaskForce Actuariat et Risques Contemporains (or ARC), which gathers twice a month at La Sorbonne University in Jussieu, in order to keep discussing these issues. Ping him @ Olivier Lopez <olopez.clermont@gmail.com> ;)

Part II: Panel discussion combining 3 cyber-insurance initiatives

After this cyber risk deep dive, we got the chance to listen to a great trio of entrepreneurs and intrapreneurs who are real pioneers in the cyber insurance market.


Thanks to this panel, we discovered and rediscovered real products dedicated to protecting SMEs against cyber risks:

  • François Brisson, Head Cyber Technology — Swiss Re Corporate Solutions, building a 360 product with OZON embedding both a cybersecurity audit and various cyber solutions, including insurance products with accurate pricing;

They helped us understand why French companies are so poorly covered, and gave us some answers on hot questions such as:

    What risks are we talking about?
    Which companies are the most vulnerable today?
    How to quantify this risk?
    Are there any geographical differences?
    What are the main use cases, examples or stories?

We had many interesting questions from the floor, regarding regulation, the best tech stacks to partly avoid cyber risks, current cyber war situations, the reasons why cyber insurance is still an untapped market... And as a matter of fact, according to the Insurance Journal, 71% of the market for cyber insurance belonged to just 10 writers in 2018. Come on, insurers and insurtech entrepreneurs!


NB. Actually, it has been quite difficult to find true experts and insurtech founders in this market: I’d like to conclude with a big thank you to all the entrepreneurs, colleagues and friends who helped us find some: Pierrick Piette, Jonathan from CNP, Julien Petit, Raphael from Luko protect, Emmanuel Djengue from RGAx, Alexandre from Eficiens, Mathieu from Axeleo, Florian Hervéou from French AssurTech, Julien, Maxime, Michele, Romain, Martin & Géraldine ;) etc.

NB2. If you missed it and want to be sure to get invited to the next one, join the meetup page, here!
