Given the rise in cyber attacks, getting insurance against them is an increasingly relevant move for businesses. At the InCyber Forum (), this subject is central--along with the associated .
Foyer, a major insurer in Luxembourg, has agreed to lift the veil on this relatively young business. Without giving any figures, the group sees a positive market trend. “Even for victims of claims, contract renewals seem to be going smoothly, which testifies to insurers’ confidence in their current practices,” says Kris Van Roye, Foyer’s head of banks who is also in charge of cyber insurance.
Delano’s sister publication Paperjam sat down with Van Roye to learn more.
Paperjam: How is the cyber insurance market faring in Luxembourg?
Kris Van Roye: Quite well. Better, in any case, than two or three years ago, just after the health crisis. At that time, companies that didn’t have cyber coverage couldn’t find insurers willing to underwrite the risk. And those that did had to contend with sharp price rises, and sometimes even limitations on the amounts insured, when renewing their policies. Today, the situation has calmed down: it’s a little easier to find capacity and prices have stabilised.
Stabilised… at a high level?
Prices are higher than they were a few years ago, but I think they were much too low back then. It’s also true that insurers now analyse applications in more detail, particularly from the point of view of the safety measures planned, to give a capacity. And companies that don’t have measures in place can’t find what they’re looking for.
How do you explain this trend?
It’s a question of cycles. The market is dominated by major international players such as AIG, Allianz and Zurich. They are very active in the Anglo-Saxon countries, where the legislation is such that there are far more complaints and court cases than here. All it takes is a few major claims for these players to lose their appetite. As a result, they have lost quite a few premiums and customers. But now their appetite is returning, thanks to two factors. Firstly, claims experience is no longer considered bad enough to keep the floodgates closed. And secondly, customers are no longer buying blindly: they are aware of the existing risks and protection measures are improving.
What is the current demand for such insurance cover?
Let’s be clear: demand is nowhere near that for car or home insurance. But we have seen an increase in demand over the last few years. Customers are increasingly aware of the risk of cyber attacks. The press regularly reports on victims, both large and small. Cyber insurance is not yet a commodity, an everyday consumer product, but the demand is there--even if it doesn’t always lead to a conclusion. It’s fair to say that things are moving in the right direction.
What is driving demand?
In the risk barometers produced by insurance companies and brokers, we see that cyber is one of the top priorities for business leaders. Especially with the scheduled arrival of new European directives, which make the board of directors of each company personally responsible for the company’s data.
How much of Foyer’s revenue comes from cyber insurance?
We’re talking about less than 5%. That’s still marginal, both for Foyer and probably for other players in the market.
What is your target?
If, within five to ten years, Foyer manages to generate 10% of its revenues from cyber insurance, we will have done a good job. To do that, we need to double the number of subscriptions, which means tripling demand.
Is the market growing in Luxembourg?
Certainly, if we compare the current situation with that of five years ago. But it’s still a modest expansion: we’re not talking about a booming sector either.
Is it a growth sector for Foyer?
It’s too early to say. To talk about a growth sector, we need to look at its capacity to generate profits over a number of years. Cyber insurance is a fairly young market, only about 20 years old. Our product is less than 10 years old. When the insurance industry started to cover cyber risk, these products were very cheap and nobody was buying them. Little by little, sensitive sectors have been affected by cyber attacks or become aware of this risk, so demand has gone up.
Why isn’t there enough hindsight today?
Data collection is fairly recent. The number of companies insured is still fairly marginal compared with the total. And the claims history remains a black box, and although it’s certainly starting to open up--we know of a few cases--for every case reported there are probably eight or nine others that are not. The global database is therefore fairly weak and highly fragmented.
Too early to talk about a growth sector--but is it profitable?
Cyber insurance won’t make us rich. Today, we make money with our product, but all it would take is one major incident and we’d stop making money! It’s extremely volatile. On a global scale, we’re talking about a loss ratio of €2bn: to cover €2bn worth of damage in insurance premiums, even on a global scale… I don’t think that, overall, insurers are making any money from cyber today.
How many cyber insurance policies have you taken out to date?
That’s not a figure we want to share, and in any case it’s not very telling since we’ve only just started. We are continuing our commercial efforts with our inspectors to make our agents aware of the cyber risk. Our commitment says more than the number of policies we have. I often make comparisons with another somewhat unloved type of cover: operating loss. Today, I have the impression that less than 20% of commercial and industrial companies are insured against operating loss. And this has always been the case! When you consider how long it has taken us to reach this 20%, I think that cyber insurance will probably take less time. Provided that our awareness-raising efforts bears fruit.
Who are your typical customers?
Our target customers are Luxembourg companies and their interests abroad. This includes all kinds of SMEs and SMIs. For this segment, we have our own Foyer product. For large companies, we work with partners, notably reinsurers.
We have chosen not to cover ransom.
How do you classify your customers?
For SMEs, we have a standardised product with predefined acceptance criteria. As with any “convenience” underwriting approach, there is a pre-analysis on our part. We have categorised companies according to their risks--a trust company has more confidential data than a screw manufacturer, so the risk is different--and the type of business.
Generally speaking, what type of compensation do you offer?
The assistance component, immediate assistance (technical, legal, etc.) when you are attacked, is one of the most important. We also cover material damage: unblocking the system, recovery, etc. Finally, the third aspect concerns the civil liability that can arise from a cyber attack: you are responsible for customer data that ends up in the public domain.
What about ransoms? Do you pay them?
I know that some insurers do. For our part, in the Foyer product, we have chosen not to cover ransom, for the simple reason that paying a ransom doesn’t solve the customer’s problem in the vast majority of cases. We prefer to concentrate on the solution rather than paying a sum without any certainty that the situation will be resolved.
Are you open to discussions about ransom on a case-by-case basis?
That’s not planned. We make it clear to our customers that we will assist you and possibly negotiate with the criminals, but we will not pay any ransom. I think the choice we have made is a wise one.
How does Foyer plan to innovate and position itself in a market where cyber risks are evolving rapidly?
Our first priority is to support our customers by offering products and raising awareness. Cyber risk also exists in Luxembourg. People need to be aware that the operational and financial risks are x times greater than the cost of insurance. One day’s downtime for a company costs tens of thousands of euros, not to mention the fines and reputational damage. Our second task is to continue our efforts to collect data so that we can develop the Foyer product in line with needs and risks. To do this, we are relying heavily on artificial intelligence. We must never forget that we are always one step behind cybercriminals. In that sense, AI is a godsend because it can predict things that we haven’t yet thought of.
If we do nothing… cyber attacks may no longer be insurable.
At the end of 2022, Zurich CEO Mario Greco told the Financial Times that cyber attacks are becoming “uninsurable.” Is that also your view?
The role of big bosses is sometimes to sound the alarm. Today, in my view, cyber attacks are still insurable, but if we do nothing--if we don’t manage to increase protection and awareness--there is a risk that they will no longer be insurable because of widespread interconnectivity. If your smartphone is hacked, the virus could find its way into your bank, your health insurance company, MyGuichet.lu, etc.
Does the legal framework need to evolve to incorporate this issue of cyber insurance?
The legal framework is all very well, but in practice I don’t see what solutions we can expect from it. I’m very cautious about regulation. We’re already so regulated… and let’s not forget that victims have more rights than before under the GDPR.
By the end of 2024, we expect to see two new funding instruments for cyber security projects, one from Luxembourg (SME Packages Cyber Security), the other from Europe (SRI2 directive). By increasing the level of cyber security, will these instruments enable more businesses to have access to cyber insurance?
This kind of public initiative is very positive, especially for SMEs/SMIs that don’t necessarily have the resources of large companies. And it’s vital that businesses protect themselves much more than they do at present. On a European scale, any initiative of this type seems to me to be more relevant than different regulations in each country. But that won’t mean that 99% of businesses will have cyber insurance tomorrow either. That will take a long time.
This article in Paperjam. It has been translated and edited for Delano.