Asia‘s cyber insurance shields are inadequate – study

Despite damage caused by a major cyber attack being comparable to a very strong typhoon, a report says that Asia remains underinsured and economically vulnerable to cyber-related threats.

The study, released on Monday by global insurance market Lloyd’s and risk modelling firm Cyence, modelled two hypothetical cyber-calamities: a targeted hacking incident that takes down a cloud service provider, and an operating system failure that affects millions of computers and businesses all over the world.

For the first cloud service disruption scenario, estimated losses were estimated to be between US$4.6 billion for a large event and US$53 billion in the most extreme case.  Meanwhile, losses for the operating system failure were projected to be between US$9.7 billion and US$28.7 billion.

In the face of staggering economic damage, only 14% to 17% of losses in the first scenario were insured, while the second scenario’s level was even lower at 7%.

The report also revealed that even a single cyber incident has the disastrous capability to increase insurance loss ratios, or proportion of claims to premium income, by around 19%, and it could even reach 250% in the worst cases.

Lloyd’s estimates that cybercrime costs the global economy over US$450 billion in 2016, and it is only expected to grow, reaching US$3 trillion in 2020. Asia is currently the fastest-growing market for cyber insurance, which is currently valued at US$50 million. It is expected to grow tenfold to US$500 million by 2025.

While awareness and demand for cyber cover are growing, Asia is still slower in taking up cyber insurance compared to more mature markets such as the US, according to Kent Chaplin, chief executive of Lloyd’s Asia Pacific

“The market is still young, and many businesses do not recognise the role that insurance can play in mitigating economic losses from cyber attacks in areas such as incident response, business interruption and loss of business,” he told the Business Times.

“For example, Asia does not require mandatory notification as in the US, while Europe will be implementing its General Data Protection Regulation (GDPR) mandating companies to report cyber attacks,” Chaplin elaborated. “In addition, the more litigious climate in the US, where class action suits can be filed against companies whose data have been breached, has driven the growth in cyber insurance demand.”

Singapore has taken a positive step by proposing a cyber security bill that mandates organisations dealing with critical information infrastructure to report any cyber breaches they encounter.

“This transparency brings the potential of sharing more information around cyber events, which will enable insurers to better price the risk and offer protection, as well as drive demand for cyber insurance,” said Chaplin.


Related stories:
How big could the next cyberattack be?
Health insurer Bupa struck by major data breach
Cyber insurance sales triple in 2016 for top insurers