Interest from APAC companies in cyber insurance growing amidst constant cases and reports of security breaches
But getting a policy should only be a complementary component of a holistic risk management strategy
CYBER security has moved beyond the domain of chief information officers (CIOs) and IT departments and on to other parts of an organisation, alongside the growing acknowledgement that data breaches have serious financial consequences.
In Ponemon Institute’s 2013 Cost of Data Breach Study, the average cost of a data breach was found to be US$188 for each lost or stolen record. The findings also showed that the average financial impact to companies for one or more incidents was US$9.4 million.
Survey respondents estimate the average potential financial risk of future incidents at US$163 million. Most involved the loss of business confidential information.
In addition, the study found that protecting against the financial impact of cyber security risks ranks as high as or higher than other insurable risks (natural disaster, fire, etc.). Of those that have experienced a security exploit, 76% think these risks are greater than or equal to a natural disaster, business interruption, fire, etc.
Also, 31% of companies in the study said they currently have a policy while 39% said their organisation plans to purchase a policy.
While insurance policies for cyber-threats have been available in markets such as Europe and the United States for many years, they remain a relatively new offering in Asia.
In response to growing demand in the region for policies specifically covering the domain of cyber security, in June AIG launched a comprehensive cyber insurance solution dubbed CyberEdge.
The company claims the product will provide a "unique and comprehensive cyber solution for cyber liabilities exposure" that current commercial insurance policies may not cover.
In an interview with Digital News Asia (DNA) on the sidelines of the recently concluded Cyber Security Malaysia – Awards, Conference and Exhibition (CSM-ACE) 2013, Ian Pollard, AIG vice president, Regional Professional Liabilities for Asia Pacific, reported that since its debut, market response has been positive.
“The response has been outstanding in terms of interest levels from the markets we have launched in, which include Malaysia, Singapore, Japan, Thailand and Australia.
“We’ve gone from a handful of countries to over 50 now and plan to introduce the product in Indonesia, China and Vietnam over the next 12 months,” he added.
Pollard claims that while there are other insurance companies offering similar policies, AIG offers the most extensive and comprehensive insurance policies in the region, stretching from first party exposures and electronic data restoration to third party data liabilities.
The company’s product also covers media content, with any risk associated with defamation or intellectual property, and offers access to security expertise such as data crisis response and forensics teams to aid in evaluating breaches.
AIG also launched its CyberEdge Mobile App for the iPad this year, in response to demand for improved information on cyber risk and how to respond to it.
The app features the latest cyber news, real-time information on countrywide data breaches, a breach cost calculator, an events calendar and a glossary of common cyber terms.
Pollard also pointed to another AIG offering, which provides qualifying policyholders access to AutoShun(R), a third-party hardware device that sits between a customer's firewall and the external Internet.
Its installation is intended to help stop a cyber attack in real time by blocking inbound and outbound communication with known bad IP (Internet Protocol) addresses.
“Our products are constantly evolving, to meet the changes in technologies and environments. For example, PCI fines are a recent regulatory addition, not to mention any new triggers for network interruption such as cloud or system failures,” he added, referring to the Payment Card Industry global body.
When asked about the possibility of AIG overlapping with services already provided by the security industry via CyberEdge’s comprehensive policies, Pollard said that AIG was not a technology provider and has no aspirations to move into the space.
“We’re not looking to replace any of it, merely adding a layer of protection in addition to what security companies already do. Our CyberEdge offering is intended to be a part of a holistic risk management plan that organisations will have in addressing cyber security risks, playing a complementary role,” he added.
The Ponemon study also found that risk managers are most often responsible for the decision-making process when it comes to cyber insurance.
According to 40% of respondents, risk management is most responsible for evaluating and selecting the insurance provider followed by compliance (17%) and the chief information security officer (16%).
However, the report found that the most influential in making the case for the purchase are business unit leaders, followed by risk managers. The chief information officer and chief information security officer seem to have very little influence, with IT security also having very little involvement in determining the adequacy of coverage.
Pollard noted that organisations do need to have formal risk management plans in place, with senior management and directors “fully on board,” and to also have in place a budget for cyber-risk, which should be taken as seriously in business continuity plans as natural disasters currently are.
“Organisations do need to take it seriously, especially given the fact that there are so many high profile cases around the world that demonstrate the threats and various cost to business.
“Traditionally, awareness in the region has been low but more and more are starting to see the need to do more,” he added.
According to CyberSecurity Malaysia, Malaysia is the sixth most vulnerable country in the world to cyber crime, in the form of malware attacks through the computer or smartphone. In the past five years, Malaysian companies have reportedly lost RM2.75 billion to cyber crimes, with the financial sector being hardest hit.
In a separate interview with the media in June, AIG assistant vice president of financial lines Emily Poh said that total premium for cyber security insurance products, such as the company's CyberEdge offering, is expected to be US$2.5 million (RM7.72 million) for Asia Pacific this year.
Pollard shared that the company has already paid out its first claim in Asia, for a professional services firm that experienced a virus outbreak on its network.
He declined to name the firm but said that situation was serious enough to compel the firm to send staff home and rely on older technology such as fax machines.
“Due to the quick response on the part of the insured, we were able to contain the incident within the company’s networks. We sent in a forensic IT team to restore the data, and help put in place a remediation plan to improve future crisis responses.
“After the forensics team's evaluation, we paid out US$15,000 in addition to another payout of US$20,000 for the loss of revenue as the firm wasn’t doing business for five days,” he said.
Pollard said that moving forward, the common themes of cyber security were not going to change, with the increasing number of devices with data and access to the Internet.
“With cloud computing becoming a feature as well, organisations will need to incorporate efficiency changes. Insurance challenges for businesses, whether from external malicious threats or internal security breaches, are only going to continue to grow.
“And the cost to business, from a financial or legal perspective, will go up as well, [so] businesses need to do more to address that risk,” he said.
Pollard said there was a significant growth in the number of organisations in Asia Pacific wanting to buy cyber insurance due to the constant stream of news and publicity about data breaches and privacy.
“But we haven’t really seen the big global event or incident that will bring down a global organisation yet. Once that happens, then risk managers and management will really take a good and close look at cyber risks,” he added.