Delivering Digitalisation: The Reassurance of Cyber Insurance
11 May 2022
Louis Chan, Nicholas Fu, Simeon Woo
One of the few certainties in the business world is that nothing stays the same. The opportunities offered by technology are continuing to evolve as entrepreneurs look to move beyond the challenges posed by the global pandemic, which, since its outset, has led to an unprecedented growth in digital lifestyles – and the creation of a whole new Pandora’s box of risks.
Widespread social distancing and lockdowns have seen crimes such as theft, burglary, fraud and robbery move from offline to online, with phishing, botnet and malware (including ransomware) dominating the evolving landscape of cyberthreats.
It is estimated that more than 60% of organisations globally experienced at least one form of cyber attack last year, with on average 30,000 websites being hacked every day, a company falling victim to a cyber attack every 39 seconds and around 300,000 new pieces of malware being created daily. Complicating matters further is the evolving sophistication of cyber attack methods, with more than one-third of cyber attack methods never having been seen before.
Different mitigation strategies, such as zero-trust cloud networks, virtual private networks (VPNs) and Wi-Fi Protected Access 2 and 3 (WPA2 and WPA3), have been widely adopted to enhance data encryption and cyber resilience, as a way of countering different cyber risks.
Cyber insurance is also becoming an increasingly popular option for businesses looking to respond to a variety of cyber risk exposures not covered under conventional insurance policies. To understand more about the cyber insurance market in Hong Kong and how its growth will affect Hong Kong companies’ cyber resilience, Louis Chan, Principal Economist (Global Research) at HKTDC, talked to Ida Yau, Executive Director of Grandwood Insurance Brokers Limited.
Chan: Cyber Insurance is relatively new for many businesses in Hong Kong, especially SMEs. How high is the penetration rate in Hong Kong? Who are the major buyers?
Yau: While the number of cyber insurance enquiries is certainly increasing, the take-up rate still lags behind many of the leading Western markets. International companies and large firms have already started to incorporate cyber insurance as part of their risk management plans in such a way that their vendors and business partners, both upstream and downstream, are increasingly regarding cyber insurance as one of their business essentials. Smaller companies with basic cyber security systems in place are also becoming more open to cyber insurance, compared to start-ups or micro companies with a minimal or even no cyber security system in place, which are less welcomed by insurers as higher-risk enrollees. SMEs looking for cyber risk coverage with a reasonable premium would be better off implementing at least a basic cyber security system before reaching out to an insurer for a cyber insurance policy.
Having said that, we haven’t seen any particular industry concentration in terms of cyber insurance take-up rates. To protect against adverse selection, however, it is not uncommon for insurers to avoid insuring sectors that are deemed to be exposed to high cyber risks. For instance, companies in data processing and payment gateway businesses usually find it more difficult to obtain cyber insurance coverage as insurers tend to see it as too risky to offer them an insurance policy.
Chan: What is the general application and underwriting process for cyber insurance policies? How would an insurance company evaluate the potential cyber risks of a prospective client?
Yau: The application process is similar to (but more comprehensive than) other insurance policies. The client is often required to complete a questionnaire relating to their cyber security infrastructure and any protocols they may already have in place. With regard to the most common cyber incidents, such as ransomware attacks, the insurer would require a client to fill in a separate ransomware questionnaire in order to evaluate how well the client is protecting itself from such attacks, as well as to ascertain whether the client has any business continuity plan contingent on a ransomware-triggered cyber security breach.
Chan: How long is the average underwriting process? Does it usually involve a risk engineer? How high are the premiums and the excess or deductible? Does a cyber insurance policy end automatically after a claim?
Yau: Depending on how detailed and reliable the cyber risk information provided by the client is, the underwriting process can take about a month or longer. In tandem with the increasing number of cyber attacks and claims in recent years, more insurers now require a risk engineering call between the client and the insurer’s risk engineer as part of the underwriting process.
Premiums and deductibles vary with the size and exposure of the client. Subject to underwriting and actual policy terms, a premium could be as low as several thousand Hong Kong dollars per million limit and up to HK$10,000 or more. The cyber insurance market in Hong Kong is still in its infancy. We will see how the premium, which has been trending upwards in recent years, evolves as the local business community becomes more open to cyber insurance and more insurers enter the market.
Chan: How often do cyber insurance claims occur? What are the major cyber insurance claims?
Yau: Ransomware attacks, which account for 10% of all cyber breaches and doubled in frequency in 2021, are by far the most common cyber threat, followed by data breaches. According to the 2021 Ransomware Study by the global market intelligence firm, International Data Corporation (IDC), approximately 37% of global organisations experienced some type of ransomware attack in 2021. While all businesses can be a victim of some form of ransomware, Sophos, a worldwide leader in next-generation cybersecurity, has found that education, retail, professional and legal services, government, IT, manufacturing, energy and utilities infrastructure, healthcare and financial services sectors are more vulnerable than others.
Many insurers have confirmed that most of their losses from cyber insurance policies are caused by ransomware attacks. Because of this, they have tightened their ransomware attack coverage – for example, by imposing co-insurance clauses or requiring their clients to complete separate ransomware questionnaires for better risk assessment.
Not every ransomware victim pays a ransom. Ransomware claims resulting in a ransom payment shrank from 44% in Q3 2020 to just 12% by Q3 2021. However, instead of attacking a single victim, supply chain attacks can extend the blast radius. A prime example of a 2021 ransomware attack concerns the US-based software provider Kaseya, which paralysed at least 1,500 of the company’s managed service providers (MSP), including 800 Coop supermarkets in Sweden, with the attackers demanding a ransom of US$70 million.
Malicious attackers today employ an ever-evolving set of tactics. They often add a distributed denial of service (DDoS) attack by exfiltrating the sensitive data to separate locations and threaten to sell or leak them among other authentication information unless the victim returns to the negotiation table or a ransom is paid in exchange for a decryption key.
Data breaches are the most common cyber risk incidents after ransomware attacks. Hacking and phishing remain the major data breaches, increasing significantly as the global pandemic has pushed people and businesses towards conducting their shopping, work, study, play and exercise from home. Even when most employees and organisations are becoming more aware of the potential risks of email phishing and clicking on suspicious-looking links, hacking and phishing attacks can still enable malicious actors to steal user names and passwords, credit card credentials and all types of personal information, from financial to health. While cybersecurity incidents are still growing at an alarming rate, human errors remain by far the weakest link, accounting for about 95% of cybersecurity breaches worldwide.
In Hong Kong, cloud storage accounted for more than two-thirds of downloaded malware in 2021. The trend was expected to persist in 2022 according to GovCERT.HK, a governmental computer emergency response team dedicated to coordinating information and cyber security incidents for the HKSAR Government.
Chan: In addition to financial claims, are there any value-added services included in a cyber insurance policy? How does cyber insurance differ from other property and casualty insurance products? Are cyber insurance policies often bundled with other insurance products?
Yau: Cyber insurance always comes with a number of services provided by forensic service providers or IT consultants. Therefore, it is very different from other general insurance products where insurers will pay only if there is a litigation or a claim under the policy. In the case of a data breach event, most, if not all, insurers will engage their IT consultants and panels of cybersecurity experts to help the insured diagnose their cyber security system and fix the bugs and loopholes to prevent future cyber breaches. In other words, when a company takes out a cyber insurance policy, it not only secures financial compensation in the event of a claim, but also professional services that help to fix their cybersecurity issues when there is a breach.
In the past, we have seen insurers trying to bundle cyber insurance with other insurance products such as office or investment management insurance. However, given the difference in nature and the increasingly frequent cyber insurance claims, most insurers nowadays prefer separate underwriting.
Chan: Technology is changing the world at an astonishing pace. New types of online businesses like cryptocurrencies and NFTs can become fashionable out of nowhere. How can a cyber insurance policy help ensure that the insured party has sufficient coverage over all its cybersecurity risk? How do you see these trends affecting the popularity of cyber insurance? What would be your advice to new-to-the-field companies?
Yau: Cyber insurance provides cover when there is loss arising out of cyber security breaches. This includes any claims made against the company and its personnel in the event of cyber breaches. Legal costs incurred by any regulatory investigation will also be covered. In the event of cyber breaches, identifying loopholes in the cybersecurity systems and restoring data systems are the highest concerns for companies, especially those heavily relying on technology and the internet. Cyber insurance can connect the insured with IT consultants and other service providers to remedy the situation after a cyber breach, while providing financial coverage for related revenue loss to allow the insured to get back to business as soon as possible.
In view of the increasing number of claims related to ransomware and cybercrime, insurers are becoming more conservative when providing coverage for new, emerging businesses. Cyber risks related to cryptocurrencies and NFTs are usually related to cybercrime such as scams and fraud. This is a new area for insurers. Given their uniqueness and the difficulty of identifying ownership, traditional insurers tend to decline cover. Even if insurers can provide cover, they will only provide sublimits under the policy. However, new emerging insurer(s) now consider such risks in line with the increasing demand.
It is therefore very important for companies facing increased cyber risks to put in place sufficient cybersecurity measures and related business continuity or contingency plans to safeguard their businesses. The cyber insurer will ask a lot of questions during the underwriting process in order to assess how exposed a company is with respect to cyber risks. Companies could view the underwriting process as a self-assessment procedure resembling a regular check-up to examine the health and effectiveness of their cyber security systems and business contingency plans.
Cyber risk education for employees is also of utmost importance, as many cyber breaches are caused by untrained or careless employees clicking on a phishing hyperlink, browsing a suspicious website or falling victim to a scam email. Regular software and system updates and testing are also highly recommended.
Businesses should never think that they are immune to cyber attacks. The saying “prevention is better than cure” applies to the cyber world. When you are attacked, the impact and consequences can be significant, both in terms of loss and insurance premiums post-claims. If a company’s clients or business partners make cyber claims prior to any cyber insurance coverage being taken out, this company would find it much harder to secure coverage afterwards. Not only do they have to get themselves claims-fixed in the first place, the prospective underwriters would also ask for a higher premium and conduct more thorough risk screening.
By way of example, we have seen more companies requiring their business partners to take out cyber insurance. It is not uncommon that during the underwriting process, the insurers discover vulnerabilities in their clients’ cyber security systems which the insured were totally unaware of. Often, it was only due to luck that such vulnerabilities had not caused any major loss, and could now be brought under control thanks to this timely cyber risk screening. The underwriting process can be a good opportunity for a company to thoroughly review their cyber security risks and address any issues. As anyone can fall victim to cyber attacks, all companies, big or small, should view cyber risks as one of the most important risks and one that requires regular scrutiny.
Chan: The direct loss and defence and cost containment (DCC) ratio of standalone cyber insurance policies in the US stood at around 70% in 2020, while many key market players posted a loss ratio of more than 100%. How do you see the future of cyber insurance, in terms of both popularity and profitability, in Hong Kong?
Yau: Cyber insurance will only become more popular, given the rising consumer and business digital engagement and reliance on technology. The key barrier insurers face in entering the cyber insurance market is the challenge of writing policies at an affordable rate while anticipating an increase in cyber claims. Insurers do see the demand for cyber insurance. However, given the back-up ecosystem involved (e.g. connection with lawyers, service providers and reporting systems), prospective players will have to ensure profitability as a prerequisite of their new business activity in a developing market. With regard to those who are already offering cyber insurance policies, we believe they will continue to do so in the long run.
In addition, insurers will be more confident about entering the cyber insurance market with more reliable historical data on claims, payments, coverages and premiums for better value-at-risk (VAR) assessments. Hopefully, the popularity and profitability of cyber insurance will grow steadily enough to lure more market players in Asia in the near future. Companies will then have a wider selection of insurers and cyber insurance products.
From a broader perspective, a better cyber risk assessment and management policy reinforces a company’s corporate governance system and therefore its overall environmental, social and governance (ESG) strategy. And not surprisingly, the better a company’s ESG performance, the lower the probability of it experiencing incidents and claims. In other words, ESG gains could help a company get better terms in its various insurance programmes, including but not limited to a suite of financial lines insurance solutions involving potential liabilities of companies, managers and professionals in today’s increasingly litigious and restive business world.