Asia: The complexity of cyber exposures

Businesses in Asia need to brace themselves for a new generation of cyber risks, as threats go beyond traditional ‘hacktivist’ attacks.

Understanding of cyber risks has moved on from data breaches, privacy issues and reputational damage to now include the larger risks of operational damage and business interruption leading to potentially catastrophic losses.

Cyber losses cost the global economy around $445bn (£291bn) a year, according to Allianz Global Corporate & Specialty.

While there is no breakdown for how much Asia contributes to the total, China is thought to have the second biggest exposure in the world with annual losses of around $60bn.

The crime costs India around $4bn a year, and adds up to $1.2bn and $980m in Singapore and Japan respectively.

Major threat
Mark Mitchell, AGCS regional CEO Asia, comments: "Cyber risk is now a major threat to businesses. Companies increasingly face new exposures, including first- and third-party damage, business interruption and regulatory consequences.

"In addition, the operating environment for many industries is changing dramatically as they become more digitally connected."

He warns that the frequency and sophistication of cyber attacks are continuing to increase, from spear phishing to denial of service attacks.

Companies are also facing growing challenges in managing their data.

Stella Tse, head of financial & professional liability for Asia at Marsh, says: "Organisations increasingly have to contend with blurred or disappearing cyber security perimeters as their data is exposed via new channels, for example social media, cloud computing, big data, and policies allowing employees to use their own devices.

"Data security breaches can have serious implications to companies' bottom lines, both in direct and indirect costs."

Tougher regulations
Businesses also face an increasingly tough regulatory environment with significant fines for companies that breach data protection laws.

Hong Kong, Australia and Singapore are all either currently looking at or already enforcing new laws on data protection.

These tougher regulations, as well as the growing risk, are expected to lead to increased take-up of cyber insurance in Asia.

Tse comments: "As the regulatory environment becomes increasingly stringent, and when contractual insurance requirements specifying cyber liability become more common, forward-thinking companies are taking proactive steps to explore and transfer cyber risks."

Mitchell claims businesses need to create a cyber security culture and adopt a ‘think-tank’ approach to tackling risk.

He says: "Companies need to make decisions around which risks to avoid, accept, control or transfer.

"Cyber insurance is no replacement for robust IT security. But it creates a second line of defence to mitigate cyber incidents."

AGCS predicts global cyber cover premiums will soar from $2bn per annum today to $20bn in 10 years' time, as awareness of both the risks and the policies available to cover them increases.

Product update
Meanwhile, insurers are also having to constantly update their products in the light of the evolving risks.

Jason Kelly, head of Asia Pacific financial lines at AIG, says: "We are aware that the challenge for us as insurers is to keep our offering relevant.

"To this end, we undertake regular reviews of our coverage and work closely with our broker network in order to assess whether there is any need to amend our cover."

To underline its commitment, AIG has just appointed its first global head of cyber: Tracie Grella, its global head of professional liability.

Marsh's Tse points out that many multinational insurers are looking to aggressively develop and expand the existing spectrum of cyber insurance products, as global organisations turn to insurance to protect themselves from rising cyber threats.

She reflects: "This is particularly the case with first-party cyber coverage, designed to protect a client against the costs of rectifying cyber breaches.

"As the complexity of cyber crime continues to evolve and develop, we should see an increase in demand for tailor-made policies from organisations."

She adds that insurers are moving from providing protection for financial losses to cover for physical damage as well.

Tse notes: "Cyber attacks could cause physical damage by manipulating processes carried out by control systems. Their impact could extend to computer systems controlling technical processes, embedded systems, Supervisory Control and Data Acquisition systems and other industrial IT systems.

"This is a relatively new product, although not widely tested in Asia. Some incidents mentioned in the media are covered by the insurance policy and claims have been paid."

Scope of cover
Mitchell agrees that the scope of cyber insurance must evolve to provide broader and deeper coverage, addressing business interruption and closing the gaps between traditional policies and cyber ones.

The timing of attacks is important to note as many attacks can take years to plan so coverage needs to take this into account.

He points out that insurers also face challenges around pricing, untested wording, modelling and risk accommodation for the policies.

Kelly agrees: "While we do not have the same degree of actuarial data for cyber as we do for property or casualty, there are a number of insurers in the market that have been offering cyber risk solutions for in excess of 15 years and, in doing so, have accumulated some valuable data in terms of the origination of losses.

"This will obviously assist in the pricing and risk modelling. However, cyber risk is constantly evolving, which will have an impact on pricing and coverage.

"As insurers, we need to ensure that we keep abreast of developments in the cyber space to ensure that we meet these challenges."

But while cyber policies in Asia are developing to cover the new risks, companies themselves are often lagging behind in their understanding of the insurance.

Kelly says: "As is often the case with the introduction of a new product to the market, it takes time for brokers to articulate the value added to their customers.

"When we initially launched the product in Asia, uptake was relatively slow. However, as understanding of the product grows and losses start to come in and claims are assessed and paid, we have started to see an uptick in sales."

But he adds that while understanding is increasing, there is still a feeling that cyber risk is something that can be managed by the IT department.

Awareness is growing
Tse thinks companies' awareness of the risks is growing.

She says: "It is becoming common for principals to require their contractors who would have access to customer data to buy cyber protection on top of professional liability cover.

"Cyber threats in recent years have grown to the extent that their consequences can significantly impact a company's valuation or even survival. As a result, network security and data privacy are now boardroom governance concerns."

Tse adds that while organisations that hold personal information for their clients are usually among the first to be interested in cyber insurance, there is also growing interest in Asia from sectors such as financial services, professional services, retail, hospitality, technology and healthcare.

The demand is only going to grow - it is up to insurance professionals to articulate the benefits and provide cover which is user-friendly.
