As Europe’s public and private cybersecurity ecosystem , the threat of cyber attacks continues to rise: in 2024, for the third year running, cyber incidents dominated the global risk barometer published by insurer Allianz.
Despite the omnipresence of cyber risks, a surprisingly large number of European companies remain uninsured against them. As of 2022, some 57% of Luxembourg SMEs had no cyber coverage at all (versus an EU average of 69%), while a fifth--21%--didn’t even know whether they were covered (versus an EU average of 15%). These numbers come from a European Insurance and Occupational Pensions Authority (EIOPA) survey called “Flash Eurobarometer: SME insurance trends.”
“Given the dangers and attacks, cyber insurance is making more and more sense,” says , managing director of the Luxembourg Association of Insurance and Reinsurance (Aca). However, he points to a number of limitations: “On the one hand, companies don’t always show much interest in this type of cover. Secondly, cyber risks are difficult to insure: the cost of damage can be extremely high, and not necessarily estimable.”
Lack of data
In Luxembourg, the main companies serving large corporates in cyber insurance include AIG, Chubb and CNA Hardy; for the SME segment, it’s Foyer and Hiscox.
There is a lack of data on the state of the market from both Aca and the Insurance Commission (CAA). Valérie Scheepers, a member of the CAA’s management committee, explains: “We collect data corresponding to the lines of activity in the law, but cyber is not one of them. It falls into different categories: general civil liability, property damage and various financial losses.”
Even so, the supervisory authority says it regularly discusses the subject with the industry. “Feedback from the field points to a shrinking market, tighter underwriting conditions, lower limits and higher prices,” notes Scheepers.
In recent years, the rise in cyber losses has prompted the sector to limit its exposure. Some companies have jumped on the cyber insurance bandwagon for commercial gain, without any statistics or prior experience, and have been overwhelmed by claims. They have drastically adjusted their offers, increasing premiums and deductibles and adding exclusions while limiting the sums insured.
This is reassuring for regulators, even though, says Scheepers, “we have not observed this trend specifically in our own market.” In 2021, the CAA conducted a survey on cyber risk. The result: “At the time, claims seemed to be under control. All operators were moving to affirmative risk cover, clearly and explicitly specifying the types of risk covered. We noticed a greater degree of vigilance. We were in a post-covid context, where there was a lot of talk about cyber risk because of teleworking.”
On the horizon
And today? Like the European regulator, the CAA plans to collect new data on cyber risk. “With the war in Ukraine, the level of vigilance has gone up another notch,” says Scheepers. In France, the Autorité de contrôle prudentiel et de résolution (ACPR) believes that its call to “clarify the coverage of cyber risk in contracts” has been heard by insurers. “Most of the uncertainties linked to these coverages seem to be in the process of being overcome,” the ACPR noted at the beginning of March.
“In France, the market is doing better,” confirms Christophe Delcamp, director of property and casualty insurance at France Assureurs. He says that premium income rose by 53% between 2021 and 2022, to €327m. “According to our members, this dynamic has continued into 2023. And reinsurers are reporting increased confidence in cyber insurance. We are even seeing the development of cyber cat bonds on the catastrophe bond market.”
The entry of new insurers in the market… has intensified competition.
In Europe too, the horizon has brightened, according to insurance broker Marsh (which has the largest market share in the world). “The entry of new insurers in the market, combined with an improvement in the quality of risks among policyholders, has intensified competition,” says Gamze Konyar, head of cyber Europe at Marsh Specialty. “As a result, the market has seen an increase in capacity, a decrease in premiums and the removal of coverage restrictions.”
Remaining challenges
The EIOPA says it has not carried out any specific analysis, to date, regarding the evolution of player capacity and market prices in cyber insurance. That said, in its 2022 report on consumer trends, several national supervisors identify protection gaps in this insurance segment. In other words, some cyber losses are not insured.
Another indication that the market remains tense is the warning issued by Zurich, one of Europe’s largest insurance companies. In an interview with the Financial Times at the end of 2022, CEO Mario Greco stated that cyber attacks would become “uninsurable” as the disruption caused by hacking continues to grow. He said that there is a limit to what the private sector can absorb in terms of underwriting all the losses caused by cyber attacks.
Alongside this issue, the level of premiums and the number of providers represent the main challenges for cyber insurance. On this, , CEO of the Luxembourg House of Cybersecurity (LHC), comments: “We need to make the necessary effort to address these challenges at national and international level. I hope that over the next few years we will be able to find models that work. In particular, we need to focus on data. To create a virtuous circle, we need to improve our knowledge of cyber attacks and exchange this information.”
In Luxembourg, Steichen deplores the fact that the cyber insurance on offer is still too limited: “We see it as an important lever for strengthening the economy’s level of cyber security. It’s something that can be much more supportive than regulation. The fact that the insurer is taking a risk itself means that it will be putting in place effective mechanisms to help businesses strengthen their cyber security.”
This article in Paperjam. It has been translated and edited for Delano.