Asia under-insured against cyber threats: study

Singapore

A REPORT by insurance market specialist Lloyd's and risk modelling platform Cyence has found that even though losses from cyber attacks can potentially be as large as those caused by major hurricanes, Asia continues to be under-insured and economically vulnerable to such attacks.

The study, which looked at the global cost of cyber attacks on businesses, was released on Monday(July 17).

It modelled two hypothetical scenarios - a malicious hack that takes down a cloud service provider and the failure of an operating system run by a large number of computers and businesses around the world.

Estimated losses for the cloud service disruption scenario ranged from US$4.6 billion for a large event to US$53 billion in an extreme case, while that in the mass software vulnerability scenario ranged between US$9.7 billion and US$28.7 billion.

Despite such large potential numbers, only between 14 and 17 per cent of such losses were insured in the cloud service disruption case study, while coverage for that of the other scenario was just 7 per cent.

The report also found that a single cyber event has the catastrophe potential to increase industry loss ratios - proportion of claims compared with premium income - by 19 per cent and 250 per cent for large and extreme loss events, respectively.

In Singapore, cybercrime is the second most prevalent economic crime, according to a study by PwC, which said that 43 per cent of companies here have been affected at an estimated cost to Singapore of more than S$1.25 billion annually.

The cost of cybercrime to the global economy was projected to be over US$450 billion in 2016 and is expected to grow to US$3 trillion by 2020, Lloyd's said.

Asia, one of the fastest-growing markets for cyber insurance, is estimated to be valued at US$50 million today and this region is expected to grow10-fold by 2025 to US$500 million.

Kent Chaplin, chief executive of Lloyd's Asia-Pacific, said Asia is still slow to take up cyber insurance compared to the United States, even though there is greater awareness and demand.

"The market is still young, and many businesses do not recognise the role that insurance can play in mitigating economic losses from cyber attacks in areas such as incident response, business interruption and loss of business," he said.

While recent malware attacks have highlighted the urgency for companies to mitigate against cyber risks, litigation and regulation are also factors that contribute to the slow take-up of cyber insurance.

"For example, Asia does not require mandatory notification as in the US, while Europe will be implementing its General Data Protection Regulation (GDPR) mandating companies to report cyber attacks," Mr Chaplin said. "In addition, the more litigious climate in the US, where class action suits can be filed against companies whose data have been breached, has driven the growth in cyber insurance demand."

That said, Singapore has taken a step forward in proposing a new cyber security bill which requires organisations within critical information infrastructure sectors to report their cyber breaches.

"This transparency brings the potential of sharing more information around cyber events, which will enable insurers to better price the risk and offer protection, as well as drive demand for cyber insurance," Mr Chaplin added.