Asia’s cyber threat landscape is constantly evolving. Until recently, financial services firms, healthcare and manufacturing were the primary targets of cyberattacks. However, rapid digital adoption driven by the pandemic has increased the risk for organisations across all sectors, as cybercriminals become more sophisticated in targeting security loopholes.
This is exemplified by the rising number of cyber-attacks across the Asia-Pacific region. Most recently, in Japan, one of the country’s most popular dating app providers experienced a server hack that exposed the data of over 1.7 million people, including images of driving licenses and passports that users submitted to verify their age. In Singapore alone, a total of 16,117 cybercrime cases were reported to the Cyber Security Agency of Singapore (CSA) last year, a stark increase of 79% from 2019.
While detrimental to a company’s reputation and operations, such attacks also put severe financial pressure on businesses, ranging from the loss of corporate and financial information and insurance claims from customers and third parties to the loss of customers and sales. As digitalisation and remote working continue to be the mainstay, shoring up cyber defences will become an increasing priority for organisations across the region.
Companies are caught at the crossroads
While cybersecurity has become top of mind for businesses on the back of large-scale attacks, they are not always fully prepared to defend against the threats themselves. Over half of APAC businesses are unsure if their cybersecurity defences are strong enough to counter the new strategies of hackers. Even so, their cyber spending remains low, constituting just 0.05% of annual revenue, according to the 2021 EY Global Information survey.
Alongside this, companies face mounting pressure from regulatory authorities on handling personal data and mitigating losses stemming from potential cyberattacks. While insurers and reinsurers have been raising awareness around cyber resilience and preparedness, low levels of cyber insurance protection among businesses persist. This insurance gap is particularly evident in the SME segment, which constitutes the backbone of many economies in the region.
A majority of C-level executives are concerned about cyber threats, with high-tech Asian markets such as Japan and the industrialised parts of China showing higher concern levels at 62% and 72% respectively, according to Munich Re’s Global Risk and Insurance Survey. However, respondents are generally unaware of the cyber insurance products and services that are available. Only one-third (34%) of respondents have been in contact with their insurers, and as many as a quarter of them were unaware of the opportunities offered by cyber solutions.
This underscores a critical need for the insurance industry to close the apparent intention-action gap by improving transparency around potential risk exposures and tailored coverage that offers risk mitigation solutions.
Decoding complex cyber risk issues
Ransomware events and data breaches are increasingly prevalent within APAC, with the region experiencing 1.7 times higher-than-average encounter rates for ransomware attacks compared to the rest of the world, according to Microsoft’s Security Endpoint Threat Report 2019.
Due to the complexity of cyber risks, the way to cut through the noise is to define a clear risk appetite and shed light on risk scenarios and their respective policy coverage. This is especially important as traditional policies often contain hidden cyber exposures, which means that cyber risk is neither expressly covered nor excluded in these policies. We call this ‘silent cyber’, and many organisations are unaware of this.
For instance, a new report by S&P Global Ratings revealed that cyber insurance is typically bundled into existing property or liability insurance policies. This leads to the rise of silent cyber losses, whereby insurers incur losses from cyber-related claims on policies that were not intended to cover cyber risk. For organisations, ambiguity around cyber risk claims might result in them not receiving reimbursement for losses attributed to cyber-attacks.
To tackle this, the industry needs to shift towards including silent cyber risks as part of affirmative coverage, giving underwriters more possibilities to assess the risks and flexibility to accept specific identified risks without accepting an entire class or type of risk and allowing transactions to proceed.
Bidding farewell to traditional approaches
In recent years, we have witnessed new solutions being drafted that go far beyond traditional insurance approaches and comprise customised cyber coverage and services that protect against cyber threats and deal with the repercussions.
Some pre-incident services include network security, such as a firewall, backup of critical systems, anti-malware tools, employee security awareness measures, etc. Meanwhile, post-incident services include restoration of data and reputation, consultation in case of extortion and others.
In the same Munich Re survey, most C-level executives believe there is strong value in insuring such pre- and post-incident services. Less than 10% of them believe they do not require any of these additional services in addition to standalone financial coverage.
Including such loss-limiting consulting services in insurance cover is becoming increasingly important, particularly given the growing number of ransomware attacks. This will raise cyber security standards, make risks more insurable, and significantly raise cyber resilience across the entire sector, from SMEs to large corporates. In addition, more flexible and tailored policies can offer bespoke coverage that responds to the unique cyber risks each company faces amidst a complex business environment involving various unknown factors.
More concerted efforts to rise above Asia’s cybersecurity challenge
To further align with the demands of an evolving cyber environment, there needs to be greater public-private partnership between governments and private insurers to share expertise and exchange best practices.
Such partnerships encourage the cross-sharing of information which would also help advance innovative processes and risk transfer approaches. Data-driven insights and solutions can further transform how companies view their cyber risks, improve data-driven underwriting, and steer their upcoming business strategies and priorities more accurately.
Rome was not built in a day, but there is certainly a need for more concerted efforts across governments, insurers and organisations to advocate for cyber awareness as an agenda, to truly tackle cyber threats head-on. Only then can we successfully rise above Asia’s cybersecurity challenge and shape more sustainable and resilient businesses.
Roland Eckl is the chief executive Asia Pacific - Japan, Korea, India, Southeast Asia at Munich Re