Protecting Against Cyber Attacks
As cyber attacks on businesses intensify, the French Treasury has brought together insurance companies, government departments, business representatives and academic experts, including researchers from Sorbonne University, to draft a report. Its objective: to develop cyber risk insurance in order to strengthen the resilience of the French economic fabric. Olivier Lopez, director of ISUP, participated in the work.
Can you explain to us what cyber risk is?
Olivier Lopez: Cyber risk is a very broad topic. It covers all the incidents that can occur when information systems are diverted from their primary use, whether unintentionally, like the fire at the OVH data center in Strasbourg a few years ago, or intentionally, like the hacking driven by cyber criminal groups or states.
What are the main risks in cybersecurity?
O.L: In the field of cyber insurance, it is mainly companies that are concerned for the moment. There can be several types of cybersecurity risks: first of all, the loss of business if, for example, machines and equipment no longer function. This was the case with the production lines of the Renault factories that were blocked due to a massive hack during the WannaCry attack. Attacks can also block information systems, customer files, order history or delivery data. Imagine an online retail site hacked and unavailable during Black Friday or the holiday season...
There may even be physical risks. We saw this with the cyber attack on the Düsseldorf hospital in Germany in 2020. The hospital was blocked, they could not operate on any more patients, one of them had to be transferred urgently to another infrastructure and unfortunately died during the transfer. Closer to home, the hospital in Corbeil-Essonnes was targeted by hackers who demanded a ransom to unlock the systems, with the additional threat of disclosing patient data.
Another risk is that of a complete shutdown of society if there is a massive cyber attack on institutions such as train stations or nuclear power plants. This is called a cyber hurricane. These different disaster scenarios are studied by the National Defense, but they must also be addressed by all risk management players, including insurers and actuaries.
Finally, companies targeted by attacks can also suffer damage to their reputation in the event of leaked offensive emails, for example.
Sorbonne University has participated in the working group on cyber insurance set up by the French Treasury. In what way are we legitimate on this subject?
O.L: With ISUP, Sorbonne University provides advanced training in actuarial science, for example, in the field of risk quantification. This is mainly in insurance and finance, but we also aim to respond to all of society's risks and contribute to their management. We deliver 130 to 140 diplomas per year in the field, half of them in continuing education, which makes us a privileged contact in the field.
We also have, since 2017, a research project that is quite unique in Europe on all issues of cyber insurance, in partnership with ENSAE and the Risk Foundation. In this capacity, Sorbonne University was included in the panel of experts who contributed to the report of the Treasury's General Directorate. With our colleagues from the Institute of Actuaries, which represents the actuarial profession in France, we sought to transmit our scientific and methodological approach to these issues in the analysis of this cyber risk. We are very pleased to have been able to contribute to the work of the financial administration, which is consistent with our role of producing research that is intended to be of public interest.
What is the objective of the report written by the Treasury?
O.L: It is important to know that the cyber insurance market has not yet found its convergence, its mode of operation, at least that is my analysis as a researcher. Cyber risk is still relatively uninsured. Companies have difficulty understanding this risk and it is difficult for insurance professionals to estimate its impact.
This report should help anticipate the risks but also provide a response in terms of financial protection and compensation.
The work of the Treasury Department is very ambitious and, in my opinion, extremely positive if we want France to play a key role in the development of this new insurance segment. The objective of the report is to promote the development of the cyber risk insurance market to strengthen the resilience of our economy, and we feel that it can be the first step that can lead to making Paris a global center of expertise in this area.
What actions will follow from this?
O.L: A number of recommendations have been made. In addition to clarifying the legal framework for cyber risk insurance, in my field of expertise, I would highlight the need to better anticipate and quantify the risks. If we want to analyze and model them, we need data. There is a lot of thinking about how to structure this data in order to better measure cyber risk.
I am also convinced that our scientific approach can play an important role in the development of innovative insurance products and the emergence of best practices. In the case of ransomware, for example, it cannot be repeated often enough that it is absolutely necessary to avoid paying this ransom. Our initial work in this area shows that this is not only a moral imperative, but that not paying is in most cases the right thing to do, both individually and collectively. This is one more element to convince people to adopt the right behaviors.
Find the full report on the French Treasury website (in French).