The war in Ukraine further reinforces the reluctance of insurers to cover companies against cyberattacks, warn experts. Worried about an upsurge in hacker attacks, insurance companies are being particularly cautious when granting new coverage. They are therefore preparing to add new exclusions to contracts.
“There is a lot of caution and nervousness on the part of insurers on the subject of cyber insurance,” notes Michel Josset, member of AMRAE, an association representing risk managers from large companies.
Faced with attacks that are sometimes very costly and confused by a risk of often criminal origin that they have difficulty in apprehending, they already had a tendency, before the war in Ukraine, to increase their prices on this niche market and to reduce their supply in cyber cover material.
Caution of insurers on cyber risks
“The insurance market was already very tense before the conflict and it is now considered an aggravating event”, confirms Guillaume Deschamps, specialist in this market at the business insurance broker WTW (formerly Gras Savoye) .
Several scenarios are on the table, such as attacks of Russian origin against Western companies or attacks by hackers targeting Western companies that have chosen to stay in Russia. Insurers fear being confronted with so-called “systemic” attacks, causing heavy losses in multiple companies.
“Cyber insurers think twice, even four times, before taking a position on a renewal or on a new business opportunity”, underlines Guillaume Deschamps. Worse, the conflict “even led some insurers to stop underwriting new cyber business”.
“In the current situation, we are looking even more carefully at any customer’s cyber insurance requests before making an offer, especially for highly exposed sectors like financial institutions and telecommunications,” said an AGCS spokesperson, the Allianz entity dedicated to large companies. But we continue to underwrite risks in these sectors globally. »
“We are in a moment of epidermal reaction, of panic from the insurers”, estimates for his part Mickaël Robart, specialist at the insurance broker Diot-Siaci. A questionable reaction, according to him, because “since the beginning of the conflict, we have not seen an increase or worsening of attacks directed against companies from member countries of NATO, the G7 or the EU. Only Ukraine is affected. »
Exclusions related to the conflict in Ukraine
“Insurers are asking for an exclusion of cyber events that would occur with our French customers and would have an origin in Russia or even Ukraine, underlines Mickaël Robart. Imagine that there is an intrusion into a group’s information system in Russia and that the ransomware contaminates information systems based elsewhere, the company would no longer be covered. I find this shocking and excessive. »
Insurers could also seek to remove ambiguities about their coverage in the event of a cyberattack attributable to a State. By default, they do not cover war damage. However, it is difficult to identify the perpetrators of cyberattacks, which can lead insurers to have to compensate a loss in spite of themselves.
In November, the Lloyd’s Market Association, which brings together market participants in London, published model cyberwarfare exclusion clauses. In France, a report recently proposed to clarify insurance law for the benefit of insurers.
One thing is certain: “for groups that were not insured in cyber, and who want to be today, it is an almost impossible mission”, warns Mickaël Robart.