This piece is co-authored by Emmanuèle Lutfalla, partner, Signature Litigation Paris, and Louis Fer, associate, Signature Litigation Paris
In the wake of relentless technological advancement, the cyber threat has become a familiar and pressing challenge for the insurance sector. As underscored by France Assureurs’ 2025 Riskmap, cyber risk now ranks as the primary concern for insurers, surpassing even climate change. This prominent positioning is driven by a significant surge in the frequency and severity of attacks, exemplified by the recent assault on Jaguar in the UK, with estimated losses of €2 billion.
Perpetrators are increasingly innovative, developing new attack vectors and techniques, thereby complicating the risk landscape for all stakeholders: legislators, potential victims, and insurers. The motivations behind these attacks are diverse, ranging from financial gain to political or geopolitical objectives, while the targets are equally varied, encompassing multinational corporations, hospitals, state entities, and small businesses. The impacts are multifaceted and often irreversible, extending beyond direct crisis management costs to include the profound, lasting damage of data loss.
I. The Cyber Divide: Why SMEs Are the Weakest Link
A critical issue persists in the market’s uneven maturity. A stark disparity exists between large corporations and Small and Medium-sized Enterprises (SMEs) in both comprehending and transferring cyber risk. Despite facing a similar exposure to threats like ransomware, SMEs often demonstrate less mature security controls and tend to purchase lower insurance limits, or forgo coverage entirely. This protection gap stems from several factors: constrained budgets that deprioritise optional cyber insurance, a less developed risk management culture, and a lower perceived reputational risk due to their limited media profile. This collective vulnerability creates a dangerous “weakest link” effect in interconnected supply chains, where a breach at a small vendor can become the entry point for a much larger attack.
This disparity directly influences insurers’ underwriting practices and pricing models. The inherent difficulty in assessing this evolving risk impacts policy wording, claims handling, and premium calculations. In France, for instance, premium rates for large enterprises fell by 18% in 2024, a trend not always mirrored for smaller entities. Furthermore, the underwriting process itself can be a barrier. The complexity of security questionnaires places a significant administrative burden on SMEs without adequately assessing the company’s true risk exposure. The lack of standardisation means each insurer employs its own proprietary questionnaire, so the same company may face a different set of questions from every carrier it approaches. To effectively penetrate the SME market, insurers must streamline and rationalise this initial engagement process, perhaps by leveraging AI-driven external risk scans in place of cumbersome forms, while bearing in mind that such scans observe only the internet-facing footprint and say little about internal controls such as backup discipline or privileged access management.

II. Beyond the Payout: Building Digital Immunity Before and After the Attack
Faced with this landscape, the role of the insurer is transforming into a dual-phase partnership, operating both before and after an incident. The product is no longer a simple indemnity contract but a dynamic “resilience-as-a-service” model. This represents a fundamental paradigm shift from reactive compensation to proactive risk prevention and managed recovery, aiming to build a form of digital immunity within the client organisation.
Pre-Incident: The Security Sentinel
In the prevention phase, insurers should act as security sentinels. They meticulously benchmark security controls, run tabletop simulations to test incident response plans, approve preferred vendors, and stress-test recovery strategies. A key area of focus is the human element; since internal vulnerabilities are as often human as technical, comprehensive workforce training is paramount. Employees are essential actors in cyber defence, and policies must be paired with wide-reaching prevention programmes, including endpoint protection, robust patching, multi-factor authentication (MFA), and the maintenance of backups that are immutable or held offline, so that they survive a ransomware attack on the production environment.
Sophisticated underwriting must also evolve beyond questionnaires to map the insured’s full digital footprint. This involves analysing critical third-party dependencies (e.g., cloud services, Managed Service Providers), OT/IT interfaces in industrial settings, and concentration risks across supply chains. This proactive stance is in the insurer’s direct interest, as the economic loss from a cyber-attack is heavily influenced by the victim’s preparedness and response, thereby minimising the insurer’s ultimate exposure.

Post-Incident: The Conductor of the Recovery Orchestra
Following an attack, the insurer’s role shifts to that of a conductor, orchestrating a rapid and harmonious recovery. The value of a cyber policy is delivered through swift coverage decisions and a seamlessly coordinated breach response. This includes mobilising a pre-vetted ecosystem of experts: legal counsel specialising in data breaches, digital forensics teams, public relations firms, and specialists for regulator engagement and, where lawful, extortion handling. This integrated approach is crucial to mitigate operational “freeze” and guide the insured through the recovery process. The insurer’s network becomes the client’s most critical asset in the immediate aftermath, turning a chaotic event into a managed process.
III. The Regulatory Imperative: Reshaping the Market from the Outside
This evolution is not solely market-driven; it is being powerfully accelerated by a stringent regulatory push at the European level. Beyond the EU’s NIS 2 Directive, which aims to bolster the resilience of essential and important entities across critical sectors, the 2024 Cyber Resilience Act imposes strict obligations on manufacturers of products with digital elements regarding risk management, vulnerability handling and disclosure, and security transparency. For financial entities, including insurers, the Digital Operational Resilience Act (DORA) demands an even higher standard: the dual capacity to resist cyber intrusions and ensure business continuity even during a security incident. This regulatory framework is fundamentally reshaping the value chain, compelling all players to adopt a more robust and resilient digital security posture.
The insurer’s role is thus evolving from a simple risk-bearer to a strategic partner in cyber resilience. This shift is crucial not only for the viability of the insurance market but also for building a collective defence against a systemic threat that shows no signs of receding. The future of cyber insurance lies not in pooling risk alone, but in actively engineering a more secure and resilient digital ecosystem for all.