LUCY - Light upon cyber assurance

EDITION 2023 LUCY Light Upon CYber insurance

Light Upon CYber insurance / © Amrae - 2 -

Amrae publishes the 3rd edition of Lucy, a study of the insurance coverage of cyber risk in France.

THE MARKET IS BECOMING MORE MATURE BUT REMAINS VOLATILE

The years follow one another and are not alike on the cyber insurance front. In 2021, the 1st edition of the Lucy (LUmière sur la CYberassurance) study raised the question of the insurability of cyber risk: after a heavily loss-making 2020, insurers then seemed to want to withdraw from the market. They finally decided to thoroughly review their portfolios and tighten underwriting conditions by increasing premium rates, raising deductibles and reducing capacity. This decision, taken in 2021 in the large company segment, will then be extended to the entire market: to the Mid-cap company segment in 2022 and - we can already bet on it - to the medium-sized, small and micro company segment in 2023-2024.

These forecasts can be taken seriously: because of its methodology and the historical depth of its four years of data, Lucy has proven its robustness. To the point of becoming a reference in the cyber risk market: regularly quoted by the various actors of the cyber risk community, it has become a key element in the dialogue between risk managers, brokers and insurers.

A study led by Philippe Cotelle, Board Member of Amrae and chairman of the Cyber Commission, vice-president of Ferma and Risk Manager of Airbus Defence & Space

KEY FIGURES

22.3%: a historically low loss ratio, which mainly reflects the results of large companies
• Large companies: 16%
• Mid-cap companies: 51%
• Medium-sized companies: 100%

The market continues to be driven by large companies, which alone account for 83% of the total volume of premiums paid for cyber coverage.

+25%: after a decline in 2021, the number of insured companies has returned to growth
• Large companies: +17%
• Mid-cap companies: +12%
• Medium-sized companies: +53%

€35 million: the amount of available capacity is increasing again in the large corporate segment only
• €35M for large companies (+12.7% compared to 2021)
• €6M for Mid-cap companies (-8%)
• €2.3M for medium-sized companies (-13%)

2.70%: premium rate growth slows in 2022
Evolution of the premium rate for large companies
• 2019: 0.93%
• 2020: 1.03%
• 2021: 2.02%
• 2022: 2.70%

EDITORIAL

The cyber insurance market still exists...

Cyber insurance rates have reached new heights but still do not sufficiently value the “diamonds” of prevention. With the benefit of a few years’ hindsight, insurers now have a better understanding of cyber risk, but this is still limited to a partial statistical analysis of the loss experience. Indeed, without a global study, insurers only have a fragmented view of this risk. Still too weak from a technical point of view, the insurers’ analysis does not sufficiently take into account the increasing efforts of companies in terms of prevention and the results obtained - the number of successful attacks is decreasing and so is the extent of their consequences.

While we can be pleased to see a small revival in underwriting by insurers in certain segments in 2022, market conditions remain difficult. Increasingly high deductibles, still reduced capacities, more stable but still high prices, increasingly limited guarantees and, finally, an insurance offer that is not open to all. Indeed, to access them, companies must be imaginative and try to comply with standards not yet defined by the insurance market and variable by player.

Although the growth of the cyber insurance market has resumed, it is still insufficient. The volume of premiums collected in France, all policyholders included, remains low and corresponds to the equivalent of a single major claim.

Small and medium-sized companies are following the lead of large ones, despite a near-exit of their share of the market for this insurance following the sudden increase in premiums in 2020. Is this a choice of investment orientation, in a tense post-covid economic context, or a simple rejection of a somewhat crazy market?

Overall, companies are investing in identifying their exposure, protection and prevention actions, with a significant increase in their cybersecurity budget, to deal with the legacy of a race to digitalization with prevention in second place. However, there are some limitations that can hinder these efforts: a highly competitive market for talent and expertise to strengthen cyber security teams and the lack of clearly defined and shared quality and prevention standards, for example.

In this context, innovation is one of the keys to the solution. In addition to forums and conferences, companies are getting organized and coming together to share their practices and develop strengthened risk management systems that enable them to reassure themselves or create shared confidence outside the traditional market.

Capitalizing on collective intelligence has always been a focus of Amrae’s work. This 3rd edition of the LUCY study is a perfect illustration: initiated by risk managers, carried out with brokers, shared with the community, it contributes to moving the lines in the right direction, in France, but also beyond our borders.

I hope you enjoy reading it.

OLIVER WILD, Chairman of Amrae, Risk and Insurance Director of Veolia

METHODOLOGY

Four years of data produced by business risk brokers

The 3rd edition of the Lucy Study builds on a four-year history of objective, comprehensive and robust data.

OBJECTIVE because they are produced by the best observers of corporate risk: specialized brokers. This year, 10 brokers and one professional organization responded to the questionnaire designed in a collaborative manner by Amrae. Seven of them were present at the first edition of Lucy: AON, Diot-Siaci, Filhet Allard, Marsh, Verlingue, Verspieren, WTW. They were joined by SMABTP in 2022, Dattak and Howden in 2023. In addition to these brokers, Planète CSCA, the insurance brokers’ union, provides a better view of the small and medium-sized business segment.

GLOBAL because these brokers cover companies of all sizes and in all sectors of activity throughout France. 9,672 insurance policies were analyzed:
• 281 large company policies (more than €1.5 billion in sales), i.e. 94% of the 300 large companies listed by INSEE;
• 591 Mid-cap company policies (between €50 million and €1.5 billion in revenues), i.e. 10% of the 5,900 TPEs listed by INSEE;
• 492 medium-sized company policies (between €10 and €50 million in sales), i.e. 3.2% of the 153,000 medium-sized companies listed by INSEE;
• 624 small business policies (between €2 and €10 million in turnover) and 7,684 microbusiness policies (less than €2 million in turnover), i.e. 0.2% of the 3.9 million small and micro-businesses listed by INSEE.

Almost representative of the large company market, the study is also very representative of the Mid-cap company segment. Over the years, the vision of medium-sized companies has also become clearer and more representative. On the other hand, the study still lacks precision on the segment of small and micro companies. The number of insured companies - and therefore analyzed - is not yet sufficient in relation to the number of companies listed by INSEE.

Moreover, SMEs can take out cyber coverage directly with their insurer, via a general agent or within the framework of a multi-risk Pro policy: this data is therefore not available to the brokers who are partners in the Lucy study and is not, de facto, collected within the framework of the study.

Large companies represent only 3% of the panel analyzed, but their contributions represent 83% of the volume of premiums collected in 2022. On the other hand, small and micro companies are certainly numerous (82% of the panel) but their economic contribution to the cyber insurance market remains marginal (1.9% of the global volume of premiums in the Lucy study). Therefore, despite its limitations in the small and micro business segment, the Lucy study can be considered an accurate reflection of the cyber insurance market. However, for the sake of consistency, we have decided to focus certain analyses on the 1,363 companies (large, Mid-cap and medium-sized) with revenues of more than €10 million: their contributions represent almost all (more than 98%) of the volume of premiums collected in 2022 as identified by the study.

REPRESENTATIVE because this study is not a simple survey. It is based on the aggregation of the portfolios of the main corporate risk intermediaries: the data analyzed are neither estimates nor projections, but the actual amount of contributions paid by companies and claims compensated by insurers. This makes it possible to study cyber risk from two angles:
• cyber risk coverage: number of companies having taken out insurance, amount of the gross premium, guarantees and level of coverage taken out;
• compensated claims: number of claims, amount of compensation, triggering event.

ROBUST because the data collected perfectly reflected market trends. They have thus made it possible to anticipate market movements: “After very poor underwriting results in the intermediate market in 2021, we thought that insurers would take corrective measures similar to those taken in 2020 in the large corporate market,” explains Philippe Cotelle. “This is indeed what happened in 2022 with a sharp increase in premium rates (+54%) and a reduction in capacity (-8%).”

The Lucy study has quickly become a tool for dialogue and negotiation between the actors of the cyber risk community: risk managers, insurers and brokers. Its analyses are regularly used by French and European public authorities and regulators, notably Anssi (the French national agency for information systems security), the French Ministry of the Economy, Finance and Industrial and Digital Sovereignty, and Eiopa (the European insurance regulatory authority).

Today and tomorrow

The four-year history of the Lucy study not only allows us to understand the market but also to anticipate its evolution. This is precisely what we propose to do in three chapters:
1. The state of the cyber insurance market in 2022
2. A look back at four years of maturation of the cyber insurance market
3. Outlook for 2023 and 2024

• 11 major players in enterprise risk
• 9,672 cyber insurance policies
• 177 claims compensated

MAIN TERMS USED
• Premium: amount of the gross premium paid by the company. For the year 2022, this corresponds to the investment between January 1, 2022 and December 31, 2022.
• Claims: number of claims and amount of compensation reported between January 1 and December 31, 2022. The declarations for the years 2019, 2020 and 2021 could be re-evaluated afterwards in case of changes.

A COMMITMENT TO CONFIDENTIALITY

The Lucy study is only possible because of Amrae’s absolute commitment to confidentiality with brokers, their clients and their insurance and reinsurance partners. All data has been anonymized and consolidated at the level of each broker’s portfolio, then re-consolidated globally. Data collection and processing were carried out by Amrae in the strictest confidence. A draft of the results was shared with all contributors prior to official publication. The study is free of charge and accessible to all.

1. THE STATE OF THE MARKET IN 2022

The market is regaining room to maneuver

Driven by large companies, the cyber insurance market is back in positive territory in 2022. With overall premium volume up 72% (or €315 million) and a historically low claims experience (€70.80 million, down 57% from 2021), insurers are regaining room for maneuver thanks to a claims/premium ratio of 22.3%. As a result, premium rates are stabilizing and the amount of available capacity is increasing again. At least in the large enterprise segment, which clearly sets the tone for the market.

[Chart: The French cyber insurance market, 2019 to 2022. Premiums and claims (€M), loss ratio (%).]

Large companies

Historically low loss ratio...

In 2022, large companies paid nearly €267 million in premiums for their cyber coverage, an average premium of €950,000 for each of the 281 covered companies identified in the Lucy study. Over the same period, only 47 claims were compensated for a total of €43 million (an average of €900,000 per claim). This resulted in a historically low loss ratio of 16.2%.

This result needs to be put into a market dynamic. In 2020, the claims/premiums ratio literally exploded to 190%: that year, insurers paid out €201.50 million in claims while collecting only €105.90 million in premiums. Between 2019 and 2022, the loss ratio of large companies has thus gone through all extremes: from 190% in 2020 to 16% in 2022.

Smoothed out over four years, large companies’ results are more “normal”: with nearly €600M in premiums collected for €365M in claims paid, insurers have a claims-to-premium ratio of 61%.

[Chart: Large companies: four years of loss ratio, 2019 to 2022. Premiums and claims (€M), loss ratio (%).]

... thanks to a sharp drop in the number of claims

While premium volume for large companies increased steadily between 2019 and 2022, claims experienced more erratic movements, with an all-time peak in 2020 and a very sharp decline in 2022.

The peak in 2020 is partly linked to an increase in frequency, with 86 claims indemnified in 2020, compared to 73 the previous year. But it is mainly due to the intensity of these claims: four of them totaled €131 million in compensation (an average of nearly €33 million per claim). In addition to these four XXL claims, 6 XL claims were compensated for a total of €49.40 million (or €8.20 million per claim).

We can therefore say that the year 2022 was rather quiet with only one XXL claim (€15M) and four claims totaling €9.40M in compensation (for an average of €2.30M each).

Is it just luck? Or have the investments made by companies in prevention and protection paid off? Probably a bit of both. Indeed, the French National Agency for Information Systems Security (Anssi) believes that the cyber threat has not changed in 2022: “Despite the war in Ukraine, the trends identified in 2021 have been confirmed in 2022 with the threat maintained at a high level.” But companies are probably a little better prepared to deal with them, as Mylène Jarossay, CISO of LVMH Group and president of Cesin (Club des experts de la sécurité de l’information et du numérique) explains on page 17.

[Charts: Large companies: distribution of claims by size, 2019 to 2022. Number and amount of claims per size band (XS & S €0-0.3M, M & L €0.3-3M, XL €3-10M, XXL €10-40M). Annotations: reduction of frequency, reduction of severity.]

Mid-cap companies

The market is regaining room to maneuver

After a 44% increase in 2020 and a 20% increase in 2021, the rate of growth in the number of Mid-cap companies insured against cyber risk has slowed slightly to 12% in 2022. The 591 Mid-cap companies covered by a cyber policy represent 10% of the national workforce of companies with revenues of between €50 million and €1.5 billion. They paid a total of €38.20 million in insurance premiums for cyber coverage: a total volume that is up 58% compared to 2021. The average premium is therefore nearly €65,000 per company in this segment.

Thanks to a very contained loss experience (€19.40 million in claims), the Mid-cap market has returned to profitability with a loss ratio of 50.7% in 2022. This is a relief for insurers after a year 2021 marked by a loss ratio of 260%: that year, the €24.20 million in premiums collected were far from covering the €63.10 million in claims paid.

These losses were reminiscent of the painful year of 2019, when the loss ratio of the Mid-cap market reached a record high of 480%. The amount of compensation paid out had then been nearly 5 times higher than the amount of premiums collected. It must be said that the cyber insurance market was still very young. We will see in chapter II how this market has matured since then.

[Chart: Mid-cap companies: falling claims experience improves S/P, 2020 to 2022. Premiums and claims (€M), loss ratio (%).]

Claims: a decrease in frequency and intensity

Mid-cap companies did not experience any very large claims in 2022, in contrast to 2021: two claims at more than €10M and five claims compensated between €3M and €10M, whose total cost reached €53M, had then largely contributed to the deterioration of the loss ratio.

While the intensity of claims is lower, the frequency of claims has also decreased: the total number of claims has dropped from 110 in 2021 to 72 in 2022, for an average compensation of €266,000 per claim.

[Charts: Mid-cap companies: distribution of claims, 2019 to 2022. Number and amount of claims per size band (XS & S €0-0.3M, M & L €0.3-3M, XL €3-10M, XXL €10-40M). Annotations: reduction of frequency, reduction of severity.]

Medium-sized companies

Degradation of the Loss Ratio

Largely positive since 2019, the results of medium-sized companies deteriorated in 2022 to reach the symbolic threshold of 100% loss ratio. This deterioration is mainly due to the explosion of claims, the cost of which almost doubled between 2021 (€2.40M) and 2022 (€4.50M). The growth in the number of insured companies (+53% in 2022) combined with the growth in the overall volume of premiums (+84%) has not been able to absorb this drift in the claims experience.

We can therefore expect to see insurers cleaning up their portfolio by tightening the conditions of access to cyber insurance, as they have already done in the large corporate market in 2020 and in the Mid-cap corporate market in 2021. This has allowed them, in both cases, to return to positive results.

The average premium for the 492 insured companies is just under €9,200, up 27% from 2021.

[Chart: Medium-sized companies: claims deteriorate in S/P, 2020 to 2022. Premiums and claims (€M), loss ratio (%).]

High-intensity losses in relation to their size

In 2022, only 10 claims were indemnified in the medium-sized segment. But they cost insurers more than €4.50 million: the average cost of each of these claims (€450,000) is almost twice as high as the average cost of claims paid over the same period in the SMB segment (€266,000 in 2022).

INTERVIEW

MYLÈNE JAROSSAY, CISO of LVMH Group and President of Cesin (Club of Information and Digital Security Experts)

“The number of attacks does not seem to have decreased, but it is likely that the defenders have made progress!”

The Lucy study shows a particularly sharp drop in claims for large and Mid-cap companies. Has the cyber threat decreased?

The 8th edition of the Cesin Barometer (1) shows a steady decline in the number of companies that have experienced at least one significant attack: from 71% in 2020, it has dropped to 54% in 2021 and 45% in 2022. But that doesn’t mean the threat is decreasing. In fact, it is defense that is improving: many attacks are blocked or contained before they produce significant damage, and that is what the barometer seeks to measure. Companies have invested to strengthen their capabilities: they have an average of 14.9 security solutions, the core of which is very often (in 81% of cases) the combination of EDR (Endpoint Detection Response) and MFA (multi-factor authentication).

Are SMEs in the same boat?

No. Unfortunately, these companies are still in trouble. The investments required to secure an information system cannot be strictly proportional to the size of a company. There is a minimum threshold of defenses below which it is risky to go. It is necessary, for example, to have a minimum of cyber resources with a professional in charge of the subject.

Which elements seem to you the most threatening in the short and medium term?

We need to be alert to so-called “supply chain” cyberattacks, such as SolarWinds in 2020 or 3CX recently. This voice over IP telephony solution is installed on a few hundred thousand workstations worldwide. At the beginning of 2023, 3CX realized that its latest version had been compromised by malware, which, through a rebound effect, infected a large number of customers. The risk is that this software will be considered legitimate by enterprise customers: if an EDR alerts on suspicious behavior, it may fall under the radar because the enterprise will think it is a false positive, not questioning the integrity of a widely distributed software.

On the corporate side, it is difficult to detect and counter these attacks. Because of their multiplier effect on all customers of a product, they can cause significant damage. It is to be hoped that they do not increase significantly.

More than the war in Ukraine?

This war has produced many cyber events, but rather regional, without any real international escalation. But a resumption of attacks cannot be excluded. The conflict is still there and both sides have developed very sophisticated cyber skills.

1. https://www.cesin.fr/articles-slug/?slug=8ème édition of the CESIN annual barometer

2. FOUR-YEAR REVIEW OF CYBER RISK COVERAGE

Cyber insurance is spreading to all strata of the economy

“The results of the third edition of the Lucy study show a growing maturity of the cyber insurance market,” explains Philippe Cotelle, board member of Amrae and chairman of its cyber commission, vice-president of Ferma and Risk Manager of Airbus Defence & Space. “The experience gained in the large enterprise market is gradually spreading to Mid-cap companies, before infusing the small business segment.”

This experience curve can be seen clearly in the diagram below: the movement starts with large companies, spreads one year later to medium-sized companies and then, the following year, to Mid-cap companies.

[Charts: The strong underwriting of large companies is reflected in the claims experience. For large, Mid-cap and medium-sized companies, 2020 to 2022: evolution of insured companies compared to previous year (%) and loss ratio (claims/premium) (%). Annotations: the following year same phenomenon for Mid-cap companies; the following year same phenomenon for medium-sized companies.]

Large companies: 2020, the year of change

In 2020, the number of large companies covered by cyber insurance increased by 21%. The loss experience then exploded from €31M in 2019 to €205.10M in 2020. Faced with a very deteriorated loss ratio (190%), insurers reacted by increasing premium rates and lowering the level of available capacity.

The premium rate for large companies has thus increased from 0.93% in 2019 to 2.70% in 2022. It has thus increased threefold. “This upward movement stopped during 2022,” observes Philippe Cotelle. “Premium rates would have begun to stabilize or even decline during the second half of the year.”

To mitigate the very sharp increase in premium rates, insurers and companies have used the lever of the deductible, the average amount of which has also risen sharply: from €4 million in 2021 to €6.40 million in 2022. At the same time, available capacities fell in 2021 (from €41 million to €31.20 million). It has returned to growth in 2022, but at €35.20 million, it has not yet returned to the level of 2019 (when it was €38 million).

The year 2020 was therefore a tipping point for the large corporate market: the very sharp deterioration in loss ratio led to a very vigorous reaction by insurers, who cleaned up their portfolios by tightening underwriting conditions. This correction seems to have allowed the market to find its balance. However, this balance remains dependent on the loss ratio: let’s not forget that the volume of premiums collected on the large corporate market (€267 million in 2022) is lower than the cost of a very large attack...

Although still precarious, this balance gives insurers appetite, who are returning to the cyber risk market, and confidence to companies: the coverage rate of large companies has risen sharply in 2022. Today, according to the Lucy study, 281 out of 287 large groups are insured: their coverage rate reaches 98%.

[Chart: Large companies: tightening of underwriting requirements in 2021. Evolution of the average premium rate and of the average subscribed capacity (%), 2020 to 2022.]

THE PRICE OF A CYBER INSURANCE

This average cost is calculated from the results of the cyber study. It is only indicative: the actual amount of contributions depends not only on the size of a company but also on its activity, its exposure to cyber risk, its investments in prevention, its claims history…
• Large companies (over €1.5 billion in sales): €950,000 annual premium for a capacity of €35 million with a €6.50 million deductible.
• Mid-cap companies (€50M to €1.5Bn in sales): €65,000 annual premium for a capacity of €6M with a €450,000 deductible.
• Medium-sized companies (€10M to €50M in turnover): €9,100 annual premium for a capacity of €2.30M with a €48,000 deductible.

Mid-cap companies: everything changes in 2021

The correction movement in 2020 in the large business market took place a year later in the mid-market segment. In 2020, the number of Mid-cap companies covered increased by 43%. This improvement in the coverage rate was reflected the following year in a deterioration of the risk: the loss ratio exploded from €12.70M in 2020 to €63.10M in 2021. The loss ratio then slipped from 85% in 2020 to 260% in 2021.

The reaction of insurers was swift: premium rates were increased (from 0.45% in 2020 to 0.70% in 2021), deductibles were raised (from €227,000 in 2021) and the level of available capacity was lowered (from €7.50 million in 2020 to €6.50 million in 2021).

This is the price at which the market returns to equilibrium, with a loss ratio of 50.7% in 2022. It has thus regained the confidence of insurers and should make companies more attractive. To date, only 10% of Mid-cap companies are covered by cyber insurance. The number of companies covered has only slightly increased (+12%) in 2022: considering the potential of this market, we cannot really talk about growth. We will probably have to wait until 2023 or 2024 to see a real increase in the rate of coverage for small and medium-sized companies.

[Chart: Mid-cap companies: changes in the conditions of subscription. Evolution of the average premium rate and of the average subscribed capacity (%), 2020 to 2022.]

Medium-sized companies: the time has come

For medium-sized companies, the big shift is still to come: in 2022, the number of companies covered increased by 53%, deteriorating the quality of the risk. The loss ratio has reached the symbolic threshold of 100%, with €4.50 million in claims paid for €4.50 million in premiums collected.

We can therefore expect a less severe correction than in the Mid-cap market. However, the level of available capacity (€2.30 million) is likely to be squeezed and the premium rate increased (0.40% in 2022). Unless the increase in deductibles, already implemented in 2022 (their average amount has risen from €32,200 to €47,300), continues to cushion the blow.

[Chart: Medium-sized companies: changes in underwriting conditions. Evolution of the average premium rate and of the average subscribed capacity (%), 2020 to 2022.]

3. PROSPECTS FOR 2023 AND 2024

Towards a new market balance

Large and Mid-cap companies appear to have found a market equilibrium: premium rates are expected to stabilize and available capacity to increase in 2023 and 2024. On the other hand, medium-sized firms as well as small and micro firms are expected to undergo the market adjustment that larger firms have experienced. It is already underway for medium-sized firms and is expected to occur in 2024 for smaller firms.

Increased pooling to reduce volatility

The balance found in the large company and Mid-cap market is largely linked to the decline in claims. Is it cyclical or structural? Have the prevention and protection measures taken by companies really borne fruit? Will the war in Ukraine cause the number of attacks to explode? It is still too early to answer... But one certainty remains: cyber risk remains volatile.

In 2017, the NotPetya malware attacks cost Merck Laboratories $620M, FedEx $300M, Maersk $300M, and Saint-Gobain $250M respectively. The cumulative cost of these four losses represents nearly five times the overall volume of premiums collected in 2022 by insurers in the French market (€315.7M). “This amount is still too low to absorb very large claims,” comments Philippe Cotelle. This volatility is perceived by insurers as a risk factor. This is why Lloyd’s of London announced in August 2022 that it would no longer cover losses resulting from state-sponsored cyber attacks. “For the moment, this position is not being followed by French reinsurers and insurers,” observes Philippe Cotelle. “But it shows a certain nervousness about cyber risk, the future of which remains difficult to decipher.”

A massive increase in the number of insured companies, and therefore in the volume of premiums collected, would allow better absorption of extreme losses. From this point of view, the results for the year 2022 - very positive for insurers - are a good signal: “Insurers are regaining their appetite for cyber risk”, Philippe Cotelle is pleased to say.

Tailor the underwriting process to the size of the company

Increasing the coverage rate of companies certainly requires a sustainable market balance. But it also depends on simplifying underwriting procedures. Or, at the very least, adapting the underwriting questionnaire to the size of the company: SMEs are simply not equipped to answer a questionnaire of several dozen pages. In June 2021, the French Treasury Department set up a working group to develop an insurance offer for cyber risks. This group has clearly identified the simplification of underwriting procedures as an important issue.

WHAT TO REMEMBER

• The cyber insurance market has returned to positive territory. This risk, which seemed uninsurable not long ago, has again attracted insurers in 2022.
• After falling sharply in 2020 and 2021, the level of underwritten capacity has returned to growth. It has not yet returned to the 2019 level, but this should not be long in coming given the renewed interest of insurers in cyber risk.
• After three years of increases, premium rates appeared to stall at the end of 2022, prompting companies to insure up to their exposure.
• SMEs are following the same learning curve as large companies and mid-sized companies. Cyber insurance is gradually penetrating all strata of our economy.
• The cyber insurance market seems to have found a form of balance. The increase in the rate of coverage for companies and the decrease in the number of claims are positive signals, which should accelerate the growth of the market.
• But this balance is still fragile: the total volume of premiums collected in France for cyber coverage is equivalent to the cost of a very large cyber loss. A large-scale attack would be enough to call this balance into question.
• The war in Ukraine has not resulted in an increase in the number of cyber attacks in France. But nothing says that this will still be the case in the months or years to come.
• Another element of uncertainty in the claims experience is that artificial intelligence could increase the frequency and intensity of cyber attacks.
• Insurers remain cautious about a still volatile risk. As a sign of this caution, Lloyd’s of London has decided to modify its coverage of cyber warfare.
• These new underwriting requirements could reduce companies’ appetite for cyber insurance.
• To improve the attractiveness of cyber coverage, insurers should simplify the underwriting process and adapt it to the size of the company.

APPENDIX

The cyber insurance market at a glance

| | Large companies (>€1.5bn in sales) | Mid-cap companies (€50M to €1,500M) | Medium-sized companies (€10M to €50M) | Small companies (€2M to €10M) | Micro-companies (less than €2M) | TOTAL |
|---|---|---|---|---|---|---|
| Number of companies insured | 281 | 591 | 492 | 624 | 7,684 | 9,672 |
| Change from 2021 | +17% | +12% | +53% | +24% | Not significant | Not significant |
| Volume of premiums collected in 2022 | €266,978,513 | €38,178,541 | €4,508,378 | €2,150,050 | €3,888,890 | €315,704,371 |
| Change from 2021 | +76% | +58% | +84% | -36% | +208% | +72% |
| Premium rate (in % of covered revenues) | 2.70% | 1.07% | 0.40% | 0.57% | 0.16% | Not significant |
| Change compared to 2021 | +33.27% | +54.07% | +21.78% | -12.74% | -50.72% | |
| Number of claims compensated | 47 | 73 | 30 | 10 | 17 | 177 |
| Evolution compared to 2021 | -18% | -34% | +15% | -97% | +143% | -66% |
| Volume of compensation paid in 2022 | €43,153,262 | €19,419,283 | €4,509,888 | €1,401,200 | €2,336,200 | 71 |
| Evolution compared to 2021 | -51% | -69% | +405% | -87% | +6,158% | -57% |
| Loss ratio | 16% | 51% | 100% | 65% | 60% | 22% |
| Average deductible in 2022 | €6,443,876 | €436,030 | €47,269 | €8,721 | €307,028 | Not significant |
| Evolution compared to 2021 | +61% | +91% | +47% | +14% | -65% | |
| Average capacity in 2022 | €35,230,285 | €6,017,885 | €2,301,632 | €599,895 | 35,230,285 | Not significant |
| Evolution compared to 2021 | +12.7% | -8% | -1.3% | -41% | +12.7% | |

36 boulevard Sébastopol - 75004 Paris France Tel.: 01 42 89 33 16 - www.amrae.fr Press contact: SEITOSEI - Olivier Coppermann olivier.coppermann@seitosei.fr - 06 07 25 04 48
