Though the threat of cyber attacks is everywhere and the fear of cyber is growing rapidly, Asia’s cyber market is still immature, say industry experts.
By Chia Wan Fen
The growth of cyber insurance in Asia remains at a nascent stage, though there is a widespread and real fear of cyber threats and attacks and the possible paralysis it brings. Talk about cyber is rich and the fears of cyber attacks are real. But the actual buying of cyber protection is still low in Asia. Underwriting cyber is an intrusive process, and firms might object to the level of information required to purchase a typical policy.
These were some of key takeaways on cyber insurance at a roundtable among regional leaders in Asia involving AGCS, Allied World, DBS, MSIG, QBE and Sompo Canopius organised by Asia Insurance Review.
Mr Michael Garrison, Senior Vice-President of Asia Pacific, Allied World Global Markets, said that cyber is, at its core, a very viable insurance product. However, it is a rapidly evolving area with new threats emerging all the time and, as such, has the potential to generate sizeable losses if not managed carefully.
He noted that APAC in particular still does not have a sophisticated cyber market: “How many insureds in Asia will take seriously their exposure to cyber, if they’re not mandated legally to divulge when they’ve had a data breach?” But he is confident that once there is increased regulation on breach reporting, which is currently at different levels in countries around the region, there will be a greater need for cyber products and capacity will increase.
More talk than buy
Currently however, Asian companies are not walking the talk. “Despite growing awareness of the risks and several high profile cyber-attacks, there hasn’t been a lot of buying yet,” said Allianz Global Corporate & Specialty (AGCS) Regional CEO Mark Mitchell. Many clients are spending a fair amount of budget on improving security rather than insurance purchase at this point. Cyber’s time will come as there is already some momentum. “In the risk management community, when someone goes first, it’s typically copy-catting, so we’re going to see more buying activity,” he added.
Agreeing that there is still more discussion than action, QBE’s Managing Director for Asia Pacific, Mr Mark Lingafelter, noted that there are different levels of sophistication across the Asian market, with India as one positive example when it came to buyer’s understanding of the different elements of coverage.
But one segment in particular is found wanting. “The SMEs, the mid-sized corporates are not buying in Asia the way they are in the US. With no mandatory breach notification, there really is no push,” he said.
“Silent” exposures for insurers
MSIG Singapore CEO Michael Gourlay noted that there is actually “silent” cyber coverage in marine, property, D&O and other policies though people are not taking the trouble to recognise it.
There is also the fact that cyber risks and exposures are themselves still not fully understood such that insurers can take on more risk, given that exposures might be bigger than the entire capital of the industry. MSIG has been focusing on SMEs and personal buyers, as the limits are not as high. He estimated that “probably in five to 10 years, cyber will be a meaningful product class for all. It’s coming, but it won’t replace motor...maybe in the future it will be 10-15% of our portfolios.” he added.
Mr Garrison said a cyber-attack which results in actual physical damage, a fire or explosion for example, will be a “real test” for the industry, specifically property and marine coverage. What if several locations were affected by the same cyber intrusion?
On silent exposures, Mr Mitchell said that due to the accumulative and expansive nature of cyber risk, AGCS only offers its maximum capacity coverage of EUR100 million on a case by case basis. “This ensures we don’t over accumulate risks in the same segments in similar regions. Otherwise, we would be over-exposed as an insurer and that’s why it’s important to put a structured programme together, where you have several other insurers either via co-insurance or layers.”
Cyber education and regulation needs improvement
Mr Mitchell noted that underwriting cyber was also an intrusive process, as firms would object to the level of information required to purchase a typical policy. He recounted an anecdote of how one Silicon Valley company had objected to the standard underwriting questionnaire, which they said missed the critical questions. The questionnaire contained a large number questions whose answers were in the public domain, reflecting the need for insurers to better understand intricacies of cyber risks. Mr Garrison said he had heard of cases where IT staff had to be consulted for cyber submissions, further evidence that insurers need their own skilled cyber experts for this evolving class of business.
Lloyd’s Singapore Country Manager Angela Kelly said education on cyber exposure must be a “joint effort” and insurers should look to academic, technology and governments sectors for support. “It’s a complex risk, changing very dynamically and it does require special skills and specific investments too.”
She noted that there is still insufficient claims experience for modelling, but there have been improvements with projects like CyRiM, in which several insurers including Lloyd’s are partnering with Singapore’s Nanyang Technological University to conduct research on cyber risk.
She believed it is going to be a natural evolution, as “we see high profile cyber claims come through and build data around those.” Boards are demanding for protection to be in place not only because they want to be good corporate citizens to protect their consumers, but also because they recognise reputational risks if they don’t get it right in a serious event. “It’s probably going to be a stronger driver than demanding compulsory cyber cover,” she said, adding that data breach notification requirements would also help data collection.
Agreeing on the role of governments and regulations to awaken the need for cyber, QBE’s Mr Lingafelter said: “So many products are already available, but the take-up rates are just so low that it would require a change in regulatory requirements following a breach to trigger a step change in the size of the market in Asia.”
Mr Mark Newman, CEO of Sompo Canopius for APAC and MENA, said that regulation in the form of some audit requirement for companies to compile statistics would help. Otherwise the industry would constantly play catch-up, especially since it might take months before companies realise that they have been hacked.
Matching cyber products with exposures
While Mr Gourlay was of the view that price would be affected by third-party liabilities, which tended to be the “catchall”, Ms Kelly was more concerned with gaps in first-party exposures. Market capacity might still not be sufficient for a financial institution with a massive balance sheet. Thus, clear segmentation of clients’ needs is important.
Mr Benjamin Yeo, Managing Director of DBS Bank’s Financial Institutions Group, who hosted the Roundtable, noted that big companies would lead the way, as their buying would help more supply to come on stream, creating cost efficiencies and then triggering a virtuous circle which promotes more demand. However, he asked how long it would take for cyber to become “mainstream” and bought by all companies.
Looking at the US experience, Mr Garrison said that just five to eight years ago, cyber was still in the process of becoming mainstream. Even now he estimated the pricing and exposure would only be aligned in another two years. Based on the US example, he forecast that it would take about ten years for cyber insurance to become a mainstream product in Asia, although this may speed up depending how quickly companies wake up to the threat. Product differentiation would vary by country, depending on the requirements set by different regulators.
Cyber’s influence on reputation
Mr Mitchell cited an interesting conversation he had with a risk manager, who was willing to buy cyber, but was concerned that declaring an event under a cyber policy could trigger a claim that may impact company reputation. “So it’s a very complicated product. We add on things like Reputation Protect, to give clients comfort in case of an event. They declare it and there’s an impact to reputation, but we can also help the company manage it, not just indemnify their loss,” he said. This, however, could make the product even more complicated from clients’ perspective, so education is necessary.
On the flipside, research has shown that in the event of a product incident affecting reputation, an organisation that manages the crisis well could have an opportunity to strengthen the brand and generate more consumer confidence, said Ms Kelly. “For a product like cyber which is evolving, the pre- and post- loss services cannot be completely outsourced. There needs to be a strong partnership between the insured and those service providers,” she said. She added that risk managers would then be able to understand what is out there, and this would generate demand for such products among risk managers themselves, and they would have compelling stories to convince their boards for budgets.
Interested to find out what else was discussed at the roundtable? Check out our cover story in the July issue of Asia Insurance Review
, for the participants’ views on the Asian market, disruption, risk management in the region and their wish list for regulators. A