Bridging the Asian cyber cover gap
Companies are not buying sufficient cyber coverage in Asia, and much of what is advertised to buyers does not correspond to the threats most businesses face in our view.
In the early days of cyber insurance, companies bought coverage to give them protection against data breaches through policies that indemnified the costs related to the accidental or malicious release of customer data. This made sense in the USA (the largest market for cyber insurance), where a combination of data protection regulations, a litigious culture and the ability to insure certain fines and penalties made the value proposition self-evident. But, our experience outside the US paints a different picture. Most malicious cyber attacks today involve hackers typically attempting to extort money by disabling their target’s computer systems and rendering them unable to conduct their normal operations. First party cyber risks like these can affect all businesses, whereas exposure to data breaches are limited to certain industries or size of business.
Losses typically relate to business interruption and systems restoration, which can be costly – every organisation is in whole or in part reliant on the availability of their computer systems and the integrity of their data. Already we have seen car manufacturing plants shut down, ports temporarily closed, refinery operations halted, and hospital networks paralysed due to cyber extortion. Whilst attacks against Asian companies are not as well publicised, the same technologies exist both in the East and West.
Alongside the risk to IT systems, operational technology (including industrial control systems) are also at risk. The insurable cost of productivity and cash lost by the corporate victims of such crimes can be enormous. This is particularly relevant in Asia due to the large concentration of manufacturing and heavy industrial risks located throughout the territory. Asian manufacturers, for example, have less exposure to data breaches, but will have an absolute reliance on the uptime of their computer systems.
In Asia, too few companies are made aware of first-party cyber risks, and with the emphasis on liability risk which may not manifest, these companies are electing not to buy cover. Our claims data shows these types of attacks are gaining in both frequency and severity. It is incumbent upon the insurers in the region to offer coverage tailored to the specific exposures of their clients and underwritten by an insurer experienced both in the region and in cyber insurance to bridge the gap.