On 11 March 2024, the Prudential Control and Resolution Authority (ACPR) published a press release on implicit cover for cyber risk, in which it encourages insurers to continue their work of identifying and clarifying contracts (1). This is because (surprisingly?) there is little communication from insurers about the coverage provided by ‘old’ civil liability and property damage policies.
The reason for this lack of communication is easy to understand, because it is commercial. The cycle is in fact the same as in the 1990s for directors’ and officers’ liability insurance: insurance companies aim to increase their revenue by multiplying the number of policies taken out by companies. To do this, they identify a risk that is covered ‘silently’, i.e. implicitly in law, by sub-limiting it to small amounts and then excluding it from pre-existing policies. The manoeuvre takes years, given the inertia of the market, but it works. Before 1990, almost no European company took out a third-party liability policy. Today, more than 61% of French managers claim to have taken out such an insurance policy (2). And yet, on average, the claims experience of these policies remains low (French law is not California law, and French executives are less exposed than their American counterparts). What’s more, more than 60% of the cost of civil liability claims is the cost of lawyers’ fees for executives who are sued but not convicted as often as in the land of Wall Street and the dreaded discovery procedure. This is the commercial technique used by American detergent manufacturers in Western Europe after the Second World War: in 1930, European laundry women made their own detergent, whereas in 2025, 99% of urban consumers buy their detergent from a multinational.
The same applies to cyber insurance policies. Cyber insurance was virtually non-existent in France until 2010 (3); the take-up rate among large businesses had risen to 90% by 2023 (4), and insurers are now aiming to attract small and medium-sized businesses, where the take-up rate is stagnating at under 3% (5). However, in 2024, 41% of managers were planning to take out cyber insurance (6).
While the issue of silent warranties is relatively well known in French law, certain contracts in other countries, still drafted on outdated bases and therefore broadly worded, could also include unsuspected warranties. This is the case in insurance markets less mature than the Anglo-Saxon and European ones, and thus in Africa, for example.
As defined by Professor Pierre-Grégoire Marly, this is “the situation in which policies that were not intended to cover an IT risk will end up covering it, due to the broad definition of the object of the cover and the absence of any applicable exclusion” (7). In other words, it is a lack of precision in the insurance contract that makes the application and scope of coverage open to interpretation. This is the logical consequence of drafting contracts as “all risks except”: failure to explicitly specify a type of insured peril implies that it is covered.
In French law, although the question of the application of silent warranties to cyber insurance has been widely discussed in the legal literature, judges have never yet been confronted with the issue explicitly (8). It is therefore appropriate to adopt an analogical approach. By definition, an “all risks except” insurance policy covers everything not expressly excluded by the parties. The difficulty lies in interpreting the contract at issue: if the contract of adhesion is to be interpreted against the party who proposed it (9), the judge must nevertheless respect the common will of the parties without distorting the contract (10). This difficulty has given rise to a wealth of case law on business interruption insurance (11) (particularly in the wake of the Covid-19 pandemic). Several decisions have held that, in the case of an “all risks except” policy, losses are effectively covered (12). By way of illustration, the Angers Court of Appeal held that the business interruption policy covered the risk of the Covid-19 pandemic, stating that “the ‘all risks except’ insurance contract is a contract that covers all risks with the exception of those restrictively excluded”, adding that “by taking out an ‘all risks except’ contract (…) the insured intends to protect himself against risks that he has not necessarily anticipated” (13). This reasoning was subsequently approved by the Cour de cassation (14).
In short, if it is established that the guarantees of an “all risks except” insurance policy can be extended according to the interpretation made of it, by analogy, such an insurance policy is likely to cover cyber losses.
In areas of the world where insurance markets are sometimes emerging, such as Africa, certain insurance contracts are therefore likely to cover cyber losses without being “commercially” denominated as such. Subject to the differences between French and local law, these policies may cover certain damages linked to IT risks, such as the alteration of computer systems, or the insured’s liability in the event of a third-party data breach. Cyber risks are unique in that they affect both civil liability and property insurance policies.
In the event of uncertainty about the scope of cover, we recommend that companies:
(1) Press Release from the Prudential Supervision and Resolution Authority, Banque de France, March 11, 2024
(2) “RCMS : Une assurance en voie de démocratisation,” Argus de l’Assurance, June 4, 2015
(3) “S’assurer contre les risques cyber : oui, mais quand ?,” JDN, Thimothée Crespe, August 21, 2028
(4) “Assurance cyber : quelles tendances pour les petites et grandes entreprises ?,” Assurland, Jordan Hervieux, October 26, 2023
(5) “Assurance cyber : pourquoi le marché des TPE et PME ne prend pas,” Argus de l’assurance, Marie-Caroline Carrère, October 25, 2023
(6) “Global Cyber Risk and Insurance Survey 2024”, Munich Re
(7) “L’assurance du risque cyber”, Pierre-Grégoire Marly, Alexis Valençon, Dalloz IP/IT 2019.603
(8) “Silent cyber : l’ACPR invite les assureurs à poursuivre leurs efforts d’identification et de clarification,” Dalloz Actualité, Sarah Porcher, March 22, 2024
(9) Article 1190 French Civil Code
(10) Cour de cassation – Civil Chamber – April 15, 1872, Foucauld and Coulombe, DP 1872. 1. 176
(11) “Portée de l’assurance « tous risques sauf » : sont garanties les pertes d’exploitation non consécutives à des dommages subis par les biens de l’entreprise !,” Rodolphe Bigot and Amandine Cayol, December 13, 2023
(12) Cour de cassation – 2nd Civil Chamber – January 25, 2024 – No. 22-14.739; Cour de cassation – 2nd Civil Chamber – June 20, 2024 – No. 22-20.854; Cour de cassation – 2nd Civil Chamber – November 9, 2023 – No. 21-23.268; Bordeaux Court of Appeal – 4th Commercial Chamber – September 10, 2024 – No. 23/04862; Paris Court of Appeal – February 8, 2023 – No. 21/11045
(13) Angers Court of Appeal – Chamber A – September 28, 2021 – No. 21/00643
(14) Cour de cassation – 2nd Civil Chamber – November 9, 2023 – No. 21-23.268