Aug 2025

APAC supply chains plagued by cyber vulnerabilities

Source: Asia Insurance Review | Aug 2025

APAC remains vulnerable to cyber risk, Munich Re’s Mr Chris Baker warns. The cost of supply chain attacks is forecast to perhaps more than double globally, and there is still a high number of uninsured. At the same time, there is extreme activity by cybercriminals in the region. We speak with him for insights.
By Sarah Si
 
 
When asked which cyber vulnerabilities in APAC were of heightened concern, Munich Re head of cyber Asia Chris Baker was quick to highlight to Asia Insurance Review that some estimates forecast the cost of supply chain attacks perhaps more than doubling globally, with an impact on the economy of more than $100bn in the next few years.
 
“As a reinsurer, we are noticing the increased risk from digital bottlenecks and market concentration in some parts of the supply chain,” said Mr Baker. 
 
“Critical providers, such as cloud providers, with a high degree of global dominance, are prone to systemic vulnerabilities. The potential systemic risk is something for our industry to understand when considering accumulation, but also for insureds to consider under their own risk management.” 
 
Cyber vulnerabilities in supply chains 
Mr Baker pointed out that in APAC, cyber vulnerabilities in supply chains “are increasingly under scrutiny due to the region’s pivotal role in global manufacturing and logistics”. 
 
“What is still very difficult to assess in cyber security hygiene is the lack of visibility across the full supplier network. Many companies in APAC will lack the visibility into their tier-2 or tier-3 suppliers, who may not have the same cyber security controls as themselves,” he said. 
 
Thus, to mitigate cyber risks in APAC supply chains, he suggested organisations “adopt a proactive, multi-layered approach that includes robust third-party risk management, improved supply chain visibility, standardised cyber security requirements across vendors and enhanced cross-border data governance”. 
 
Regulations to strengthen cyber resilience 
According to Mr Baker, regulations help to drive cyber security standards, strengthen cyber resilience and even potentially support cyber insurance demand. 
 
He said, “An effective way to increase insurance take up is through breach notification obligations and potential fines for improper cyber security standards and breaches.” 
 
Capacity in Asia 
Speaking for his company, Mr Baker said significant and sustainable capacity is provided to cyber clients in Asia, due to a company-wide belief that robust and clear insurance protection should be an essential component of every organisation’s general risk management framework.
 
He said, “We are committed to the market and willing to increase our book as long as prices and terms and conditions are risk adequate. We invested early and heavily into our regional cyber expertise, such as by having in-market cyber underwriters in the relevant markets in Asia.”
 
The company also maintains that dedicated local cyber underwriting expertise is the best way to support and partner with clients and thus works closely with them to bring experience into bespoke, tailored solutions for each client in each market.
 
“The Munich Re strategy is to facilitate a sustainable and profitable cyber insurance market together with our clients and brokers,” he said. 
 
“Part of the solution is to provide consistent coverage for defined exposure, while acknowledging that there are limits of insurability such as infrastructure failure and cyber war.”
 
Trends in cyber risk 
Mr Baker said ransomware attacks remain the top cyber risk, and made sure to note that it was a misnomer to think only large multinationals are at risk, saying, “All digital companies are at risk.”
 
He also cited APAC as the region with the highest proportion of ransomware claims, as manufacturing is a leading industry in the region. 
 
Additionally, he noted the extreme activity by cybercriminals in the region, calling the impact severe, as “not only is the downtime after a ransom attack increasing from 16 days on average in 2024, compared to 12 days in 2023, but so are the costs per attack”. 
 
“Given the large gap between the rising number of attacks in APAC and the still low number of insured parties, we see a critical need for strengthening insurance protection. The risk of becoming a victim affects both large companies and small- and medium-sized enterprises (SMEs),” he said. 
 
Quoting Munich Re’s claims data, he also pointed out that SMEs accounted for a significant proportion of ransomware losses. Although the attacks are less severe in terms of damage value, he noted that they occurred more frequently, with a higher number of successful attacks, as well.
 
He said, “With the number of uninsured still very high, we see the insurance industry as not only part of the post loss indemnification, but also to help raise awareness, increase cyber security and protect organisations of all sizes from the huge disruption of a ransomware attack.” 
 
More sophisticated cyber attacks 
In response to a question on how the increasing adoption of AI is impacting the sophistication of cyberattacks, Mr Baker said, “AI is a double-edged sword for the cyber insurance industry. 
 
“On one side it provides excellent legitimate business use, such as cyber security, but on the other, more devious hand, it also acts as an enabler for cyber attackers.”
 
For instance, he said while insurers use AI with a focus on data analysis and predictive models, cybercriminals could leverage it for testing and learning.
 
He then highlighted a worrying trend, pointing out that over 70% of advanced persistent threats in 2024 already incorporated AI techniques.
 
“AI allows attackers to largely automate zero-day exploits and malware programming. Awareness and training remain a vital defence for the human element of cyber security vulnerabilities,” he said. 
 
According to a 2023 study by the International Data Corporation, 59.6% of enterprises in APAC fell victim to ransomware attacks. The report also noted that businesses in the region face a complex cyber threat landscape, with cybercriminals deploying advanced tactics like double extortion.
 
Moreover, he pointed out that SMEs face unique challenges in cyber security, with limited budgets for advanced tools and insufficient in-house expertise to fend off attacks, making them attractive targets for cybercriminals. 
 
Despite all this, he believes AI is here to stay, saying, “Current use cases focus on automating claims and risk assessment, and even using AI to support dynamic risk assessment and better risk understanding.”
 
He said, “We are only at the beginning of this business transformation, and its further benefits are yet to fully unfold.” 
 
Adapting risk models 
When asked how his company is adapting its risk models and offerings to account for AI-driven risks and opportunities in APAC, Mr Baker said, “From a risk accumulation perspective, Munich Re’s cyber actuaries and accumulation experts continue to closely monitor the impact of AI.” 
 
He made sure to note that this also applied to the influence of AI on claims development.
 
“Since AI-enhanced cyberattacks can especially increase the frequency of claims, this may impact events usually covered by cyber insurance, like business interruption, data breach liability, data restoration or effects of ransomware attacks,” he said.
 
“On the other side, AI can also help better cyber security and early detection of attacks.”
 
While losses from AI-driven cyberattacks are typically covered in cyber policies, the implications of other risks associated with the adaptation of AI, such as model manipulation, data poisoning, liability arising from hallucinations or wrong output as well as IP infringement, may also be covered by explicit innovative coverages, he said.
 
Assessing and pricing risk 
To assess and price supply chain cyber risks for clients in APAC, Mr Baker noted that members of his company’s cyber team are close to clients in local markets, which enables them to react quickly in a bespoke way for each client and per market, depending on the particular risk associated with the opportunity. 
 
“Within APAC we see this in-market knowhow as a critical topic due to the multinational and complex nature of supply chains in the region,” he said. 
 
“Through transparency we look to understand the interdependencies of operations and systems.”
 