Did you know that only 0.14% of cyber-risks are covered in France?
“US launched a cyber-attack on Iran weapons systems”, the BBC revealed on Monday. What a vibrant topic! By coincidence, the same evening, the Parisian Fintech & Insurtech community was gathering at Schoolab Saint-Lazare for the Paris Insurtech Meetup, dedicated to the very hot topic of the day: cyber insurance.
It was the 4th meetup of the Assurtech Paris community, co-organized by Charlotte (AXA), Joël (JinnBee), Henri (data scientist) and me (BlackFin Tech). And once again, the room was packed with a very enthusiastic audience, eager to learn and network.
As you may know, only 0.14% of cyber-risks are covered in France, said Christophe Delcamp (FFA), despite a risk estimated between 7 and 13 billion euros annually. To give you an idea of how underserved the market is, in France, premiums on the cyber-insurance market amount to (only) 80 million euros, whereas in the US, they are above 2.7 billion dollars. Wow. This untapped market is still poorly understood by its stakeholders, as many reports say: people and SMEs aren’t aware of their cyber risks nor of the existing insurance products.
Starting from the famous formula π = E[N] · E[X], where π is the premium, N the number of claims (E[N] being the “frequency”) and X the cost of a claim, and supposing that X and N are independent, we had the chance to get an overview of very concrete projects tackling cyber risk issues for SMEs in western Europe.
Part I: The specificity of Cyber Risk assessment and actuarial modelling
Olivier Lopez, professor at Sorbonne Université (SU) and director of Institut de Statistique de l’Université de Paris (ISUP) kicked off the meetup by presenting his Research project about Cyber insurance actuarial modeling (AXA research fund, Institut Louis Bachelier, SU-Ensae ParisTech).
According to Olivier Lopez, cyber-risk bears 3 characteristics:
- It’s a recent and quickly evolving risk;
- There’s a phenomenon called “Silent Cyber”, as counterparts’ claims can fall under usual policies and thus already be covered;
- There is a “risk of accumulation”, meaning a potential concentration of events that could threaten the basic principle of mutualization.
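An added illustration, not taken from the talk or from the original post: a small Monte Carlo run that ties the formula π = E[N] · E[X] to the “risk of accumulation” above. Every parameter (portfolio size, claim probabilities, lognormal severity, systemic-event rate) is a constructed assumption; the point is that a common shock leaves the pure premium unchanged while the 99.5% annual loss grows sharply.

```python
import math
import random

# Constructed parameters (assumptions for illustration, not figures from the talk).
POLICIES = 200                      # insured SMEs in the portfolio
Q = 0.05                            # average annual claim probability per policy
MU, SIGMA = math.log(10_000), 1.0   # lognormal severity X, in euros
P_EVENT, Q_EVENT = 0.02, 0.60       # chance of a systemic year, claim probability in it
# Claim probability in a normal year, chosen so the long-run average stays equal to Q.
Q_NORMAL = (Q - P_EVENT * Q_EVENT) / (1 - P_EVENT)

def pure_premium():
    """pi = E[N] * E[X] per policy, with E[N] = Q and X lognormal."""
    return Q * math.exp(MU + SIGMA ** 2 / 2)

def simulate(accumulation, years=5000, seed=1):
    """Return simulated annual portfolio losses, one value per year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        q = Q
        if accumulation:
            # A common shock hits every policy in the same year.
            q = Q_EVENT if rng.random() < P_EVENT else Q_NORMAL
        n_claims = sum(rng.random() < q for _ in range(POLICIES))
        # Severity is drawn independently of the claim count (X independent of N).
        losses.append(sum(rng.lognormvariate(MU, SIGMA) for _ in range(n_claims)))
    return losses

def summary(losses):
    """Mean loss per policy and 99.5% quantile of the annual portfolio loss."""
    ordered = sorted(losses)
    mean_per_policy = sum(ordered) / len(ordered) / POLICIES
    return mean_per_policy, ordered[int(0.995 * len(ordered))]

if __name__ == "__main__":
    print(f"pi = E[N]E[X] = {pure_premium():.0f} EUR per policy")
    for label, flag in (("independent", False), ("accumulation", True)):
        mean, q995 = summary(simulate(flag))
        print(f"{label:12s} mean/policy={mean:8.0f}  99.5% annual loss={q995:12.0f}")
```

Both scenarios price to the same π, which is why a premium built on frequency and average cost alone says nothing about the capital needed when claims cluster.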
Adverse selection and moral hazards
The research points out that adverse selection is a real issue in cyber insurance. First of all, information asymmetry is very real on this topic, as SMEs may have hidden risks that still need to be uncovered, and an insured party may simply substitute insurance protection for “physical” protection.
Moreover, the picture is biased by reputational aspects that lead companies not to report cyberattacks; either because they are too small to have an impact, or because they are too big and could cause reputational damage. This specificity can have an impact on the premium pricing.
Finally, insured companies tend to change their behavior over time, because of changes in regulation and in risk perception. This leads to a lack of accurate data on cyberattacks and cyber risks with which to properly feed actuarial models.
Lack of data & accuracy
As internal data is not sufficient to assess risks, it may be complemented by external data for modelling purposes. The main bias here is that the growing number of cyberattacks can be caused either by greater exposure or by an evolution of the risk itself, and the real root cause is quite hard to determine.
A recent initiative has been set up in the US in order to raise awareness about cyber risks: the Privacy Rights Clearinghouse (PRC). The methodology takes the number of code lines hacked as an indicator of cyberattacks’ severity.
Despite the widespread use of this methodology, Olivier Lopez’ team discovered that there is a huge bias within the data chosen, as it comes from official sources, media and non-profits’ declarations. Some sources were relevant but stopped transmitting such events, while others only work on events above a certain level of claim valuation.
Two schemes of the severity analysis
1- In the first case, called “central scenario” of severity, the probability of happening as well as the gravity of its consequences can be deduced from:
- the type of breach (as the most important factor);
- the data source;
- the type of organization.
For instance, the most widespread type of breach is either Payment Card Fraud, Unintended Disclosure, Physical Loss or Insider attack, with a 52% probability, while its consequences are the least important, with an index of 1,600 (median). On the other hand, hacking or malware in specific types of organizations (sectors of education, healthcare, banking, insurance or government) has a 2% probability of happening, while its severity is far more important, with a 29k index (median).
2- In the second case, concerning “extreme cases”, the type of breach is still the most impactful factor for both severity and probability of happening, but the source and the type of organization are then the second most determining criteria for generating accurate actuarial models.
Actuarial modelling for cyber risks
Olivier Lopez developed two formulas to better assess the provisioning. Furthermore, he insisted on the necessity to:
- pay attention to the quality of the data, and in particular to trace the way they were collected; and combine data sources if necessary;
- stabilize the nomenclature of cyber claims and collection process;
- develop risk monitoring tools.
Finally, he invited all the Meetupers to join his TaskForce Actuariat et Risques Contemporains (or ARC), which gathers twice a month at La Sorbonne University in Jussieu, in order to keep discussing these issues. Ping him @ Olivier Lopez <email@example.com> ;)
Part II: Panel discussion combining 3 cyber-insurance initiatives
After this cyber risk deep dive, we got the chance to listen to a great trio of entrepreneurs and intrapreneurs who are real pioneers in the cyber insurance market.
Thanks to this panel, we discovered and rediscovered real products dedicated to protecting SMEs against cyber risks:
- François Brisson, Head Cyber Technology — Swiss Re Corporate Solutions, building a 360 product with OZON embedding both a cybersecurity audit and various cyber solutions, including insurance products with accurate pricing;
- Marc-Henri Boydron, Founder and CEO of CyberCover, building a specialized B2B broker focused on cyber risks for SMEs;
- Maxime Cartan, Founder and CEO of Citalid, who just announced a 1,2m€ fundraising, launching an SME cyber risk assessment product dedicated to insurers.
They helped us understand why French companies are so poorly covered, and gave us some answers on hot questions such as:
- SMEs’ CYBER RISK
What risks are we talking about?
Which companies are the most vulnerable today?
How to quantify this risk?
Are there any geographical differences?
What are the main use cases, examples or stories?
How to preach the risk and what are the associated difficulties?
Why are there so few cyber-insurers in France, and in Europe?
What are the market opportunities for insurers and cyber tech providers?
How to distribute these products to SMEs?
We had many interesting questions from the floor, regarding regulation, the best tech stacks to partly avoid cyber risks or current cyber war situations, the reasons why cyber insurance is still an untapped market... And as a matter of fact, according to the Insurance Journal, 71% of the market for cyber insurance belonged to just 10 writers in 2018. Come on, insurers and insurtech entrepreneurs!
NB. Actually, it has been quite difficult to find true experts and insurtech founders on this market: I’d like to conclude with a big thank you to all the entrepreneurs, colleagues and friends that helped us to find some: Pierrick Piette, Jonathan from CNP, Julien Petit, Raphael from Luko protect, Emmanuel Djengue from RGAx, Alexandre from Eficiens, Mathieu from Axeleo, Florian Hervéou from French AssurTech, Julien, Maxime, Michele, Romain, Martin & Géraldine ;) etc.
NB2. If you missed it and want to be sure to get invited to the next one, join the meetup page, here!