As we saw previously, cyber risk is by nature complex and dynamic. There are a number of difficulties in analyzing this risk, which slow down its transfer to the insurance industry. In this article, we will focus on two of these difficulties: the lack of reliable statistical data, and the legal uncertainty surrounding the insurability of certain risks.
Lack of reliable statistical data
From a risk-analysis standpoint, modeling the financial consequences of an event whose occurrence is uncertain relies on statistical data, and that data must, by its nature, be highly reliable for the model to be valid.
However, with regard to cyber risk, insurance companies are faced with a lack of reliable statistical data, which prevents the production of accurate models in this area. More specifically, this lack of reliable data is linked to several factors:
- The very nature of the cyber threat, which is dynamic, protean and constantly evolving. Because of these characteristics, statistical models have a limited shelf life and require constant adaptation by insurers.
- The difficulty of quantifying the frequency of cyber incidents, either because some security incidents are never detected, or because some victim organizations choose not to report the breach.
- The lack of a single, harmonized industry-wide methodology.
The legal vagueness surrounding the insurability of certain risks
The regulatory changes brought about by EU law have led to increased accountability for organizations, which may be held liable in the event of a security incident. In this sense, the European legal framework grants national supervisory authorities a degree of authority: they have the power to impose sanctions and can therefore impose administrative fines on offending organizations. In this context, the very nature of the sanctions imposed by these supervisory authorities raises the question of their insurability.
In France, it is now accepted that criminal sanctions can never be borne by the insurer. This uninsurability of criminal sanctions is justified by Article 121-1 of the Criminal Code and Article 6 of the Civil Code. More specifically, the purpose of a criminal sanction is to punish the wrongful behavior of a person or organization that has caused a disturbance of public order. Any insurance contract that provided cover for criminal penalties would therefore be considered contrary to Article 6 of the Civil Code.
The answer is, however, less clear regarding administrative sanctions, especially those imposed by independent administrative authorities. These authorities are in principle responsible for participating in the regulation of certain sectors of activity and for ensuring compliance with the rules governing those sectors. Thus, in principle, it could be considered that the sanctions imposed for non-compliance are intrinsically punitive in nature and could therefore not be covered as such by insurance companies.
In fact, it is necessary to examine the nature of the administrative sanction. The insurability of these sanctions depends on whether the insured committed an intentional fault. On this point, under Article L. 113-1 of the Insurance Code, the insurer is not liable for losses and damages resulting from an intentional fault of the insured. More specifically, intentional fault removes the random (aleatory) nature of the loss. Since randomness is a central element of the contractual relationship between the insured and the insurance company, an administrative sanction resulting from an intentional fault cannot be covered by the insurer. Moreover, the general terms and conditions of insurance policies usually reflect this distinction by making the payment of administrative fines conditional on the absence of intentional fault on the part of the insured.
Posted from my blog with SteemPress : http://blog.economie-numerique.net/2020/08/28/how-cyber-risks-are-managed-by-insurance-companies-2-2/