Amrae 2014: How France’s cyber insurance market is changing

France’s cyber insurance market continues to lag behind the US, but that is changing fast according to AXA Corporate Solutions.

In a roundtable discussion before the start of this year’s Amrae conference yesterday, the insurer’s top cyber leads – Gisèle Ducrot head of R&D and François-Xavier Overstake, COO at AXA MATRIX Risk Consultants; and Irène Plichon, cyber product manager AXA Corporate Solutions – looked at how the French cyber insurance market is evolving.

How has the French cyber risk market developed over the past five years?

PLICHON: The cyber risk insurance market is relatively new in France compared to the US and the UK. The first cyber risk solutions to enter the French market were from Northern American insurers. These insurers imported adapted products from the US market; a market experienced in cyber insurance.

In addition, the laws and regulation that govern data protection and data privacy are much more advanced in the US than in Europe – we are somewhat behind. Nevertheless, new European laws on data and cyber are big incentives for businesses to buy insurance, and a big incentive for insurers to develop new solutions.

PLICHON: The majority of insurance products in France only cover malicious acts and liability. But that is now changing and some insurers are now offering first party coverage. We too offer first party coverage in our Cyber Sphere solutions. In addition to covering malicious acts, it also protects against business interruption, human errors and malfunction.

DUCROT: However, the difficulty is that cyber risks are so broad and new cyber and IT-related risks surface every day.

OVERSTAKE: What we’ve seen in France is that it is not easy for a risk manager to have data and information on losses arising from a cyber attack. But a risk map would help risk and insurance managers to quantify the impact of an attack, error or malfunction.

You said earlier that new cyber risks surface everyday, what are you doing to ensure that you are one step ahead?

DUCROT: We are working with Cassidian CyberSecurity, a subsidiary of Airbus Defense & Space that specialises in cyber security. Cassidian CyberSecurity provides a ‘technical watch service’, which tracks new attacks and new hacking approaches.

PLICHON: We’re also working with brokers to ensure that we keep ahead of the game. Additionally, we will be taking every opportunity at the Amrae conference to have one-on-one discussions with risk managers to gauge how they perceive cyber risks and to get feedback from them on whether the current insurance solutions meets their needs.

How are risk managers dealing with the growing threat of a cyber attack?

OVERSTAKE: French businesses are facing the same level of risk as companies in the US and the UK. What has increased is awareness among risk managers – they are taking cyber risk more seriously, and there is more willingness among businesses to buy cyber protection.

PLICHON: Until now, cyber risk was considered simply as a technical risk, and was a threat that IT specialists would predominately deal with. There was no real co-operation between the risk manager, the IT department and security officers.

For risk managers who are now looking into cyber risk, the first step would be to develop a risk map that outlines both the technical and business risks. This should help determine how an attack will affect business activity and revenue for instance.

Another important point that businesses must consider is that cyber risk is not only an IT or physical threat, an attack could be down to human errors, or system malfunction for example. A risk map should also take into account these elements.

DUCROT: Our feeling is that until now, a risk manager’s priority has been predominately focused on preventing traditional and more tangible risks. However, both the growing number of high-profile cyber attacks and changes to EU regulation presents two strong incentives for businesses to focus more on preventing cyber risk.

You mentioned that there has been no real co-operation between the risk manager and IT specialists in the past, what about board engagement? Are risk managers able to get the attention of board members when it comes to cyber attacks?

PLICHON: In times of economic difficulty, the board has some difficult financial decisions to make, particularly around where invest money: should more be spent on insurance or on risk prevention? It is also a decision that the risk manager and IT department might be presented with. That is why risk mapping is such an important first step because it will help both the IT and risk departments to make a strong case for investment in cyber risk solutions. A risk map will help identify what the cyber risks are, what impact an attack will have on the business.

Assessing cyber risk is not only a question of exposure, it’s also a question of information assets and we have to help the risk manager build a clear map that outlines the company’s information and data assets.