With web and digital security such hot issues at the moment, there seems likely to be increasing demand for insurance companies to provide coverage to major enterprises that want to cover themselves against digital threats. Gerry Chng, partner in Ernst & Young (risk advisory services), talks about what's available in Asia Pacific relating to insurance against cyber risk.
What is ‘cyber insurance’ and how does it work?
Cyber insurance is specifically designed to cover potential losses resulting from cyber security breaches. This allows companies to hedge their cyber risk by paying a premium to transfer the risk to a third party. Companies first conduct risk assessments to identify their risk areas and implement security measures (such as firewalls, intrusion detection/prevention systems, anti-virus software) to mitigate the risks. The management team then evaluates the residual risks and decides on the most cost-effective measures. Such measures could be to mitigate the risk further by implementing additional controls, to accept the risks, or simply to transfer the risks to a third party.
The risk transference strategy is traditionally used for risk areas that are high in impact but low in occurrence, making risk mitigation by putting in more controls ineffective from a cost perspective. Insurance companies take into consideration the annualised loss expectancy of the potential risk areas, and determine the level of premium that the companies need to pay.
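The mitigate/accept/transfer decision and the annualised loss expectancy (ALE) figure mentioned above can be worked through numerically. The following is an added illustration, not code from the article or from Ernst & Young; the risk, the candidate controls, their costs and effectiveness, and the premiums are all constructed figures, and the greedy control-selection rule is an assumption made for the example.

```python
"""Risk treatment worked example: mitigate, accept or transfer.

Constructed illustration (not from the article). ALE = SLE x ARO, where SLE is
the single loss expectancy (cost of one incident) and ARO the annualised rate
of occurrence. A control is worth adding while the ALE it removes exceeds its
annual cost; what is left is the residual risk, which is transferred (insured)
if the premium is below the residual ALE and accepted otherwise.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy, cost of one incident
    aro: float  # annualised rate of occurrence, incidents per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float  # fraction of ARO removed, between 0 and 1


def residual_risk(risk: Risk, controls: list[Control]) -> Risk:
    """Apply controls to the ARO; reductions are assumed independent."""
    aro = risk.aro
    for c in controls:
        aro *= 1.0 - c.aro_reduction
    return Risk(risk.name, risk.sle, aro)


def select_controls(risk: Risk, candidates: list[Control]) -> list[Control]:
    """Greedy selection (an assumption of this example): repeatedly take the
    control with the largest net benefit (ALE removed minus annual cost)
    against the current residual risk, stopping when none pays for itself."""
    chosen: list[Control] = []
    remaining = list(candidates)
    current = risk
    while remaining:
        def net(c: Control) -> float:
            return current.ale * c.aro_reduction - c.annual_cost

        best = max(remaining, key=net)
        if net(best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
        current = residual_risk(risk, chosen)
    return chosen


def treat_residual(residual: Risk, premium: float) -> str:
    """Transfer when the premium is below the residual ALE, otherwise accept."""
    return "transfer" if premium < residual.ale else "accept"


def treatment_plan(risk: Risk, candidates: list[Control], premium: float) -> dict:
    chosen = select_controls(risk, candidates)
    residual = residual_risk(risk, chosen)
    return {
        "controls": [c.name for c in chosen],
        "residual_ale": round(residual.ale, 2),
        "decision": treat_residual(residual, premium),
    }


# Constructed sample data: a customer-database breach costing 2M per incident,
# expected once every twenty years, and three candidate controls.
BREACH = Risk("customer database breach", sle=2_000_000, aro=0.05)
CANDIDATES = [
    Control("IDS/IPS", annual_cost=24_000, aro_reduction=0.4),
    Control("annual penetration test", annual_cost=15_000, aro_reduction=0.3),
    Control("hardware tokens for all staff", annual_cost=80_000, aro_reduction=0.3),
]

if __name__ == "__main__":
    print(f"ALE before controls: {BREACH.ale:,.0f}")
    for premium in (35_000, 50_000):
        print(f"premium {premium:,}: {treatment_plan(BREACH, CANDIDATES, premium)}")
```

With these figures the ALE starts at 100,000; the IDS/IPS and the penetration test each remove more ALE than they cost and are adopted, the token rollout does not and is left out, and the residual ALE of roughly 42,000 is transferred at a 35,000 premium but accepted at 50,000. The point the article makes about contentious premiums shows up directly: every number feeding the decision is an estimate, and a different SLE or ARO flips the outcome.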
What coverage is offered?
Cyber insurance in general covers first party losses and third party liabilities. First party coverage allows the insured companies to recover the loss of income from the system downtime and the associated recovery costs resulting from the security breaches. Third party coverage insures companies against the liquidated damages and potential lawsuits that may result. According to the Insurance Information Institute, coverage generally includes:
Loss - Corruption of Data: Damage to or destruction of valuable information assets as a result of viruses, malicious code and Trojan horses (a general term referring to programs that appear desirable, but actually contain something harmful).
Business Interruption: Loss of business income as a result of an attack on a company’s network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expense, forensic expenses and dependent business interruption.
Liability: Defence costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
- Breach of privacy due to theft of data (such as credit cards, financial or health related data);
- Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties;
- Failure of security which causes network systems to be unavailable to third parties;
- Rendering of Internet Professional Services; and
- Allegations of copyright or trademark infringement, libel, slander, defamation or other ‘media’ activities in the company’s Web site.
Cyber Extortion: The ‘settlement’ of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
Public Relations: Those public relations costs associated with a cyber attack and restoring of public confidence.
Criminal Rewards: The cost of posting a criminal reward fund for information leading to the arrest and conviction of the cyber criminal who attacked the company’s computer systems.
Cyber Terrorism: Those terrorist acts covered by the US Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.
Identity Theft: Access to an identity theft call centre in the event of stolen customer or employee personal information.
Is cyber-insurance prevalent in the US and Europe? What about the Asia Pacific?
According to various sources (Insurance Information Institute and George Mason University Critical Infrastructure Protection Program), cyber insurance is reportedly a US$300 to 400 million business. It has been available since the late 1990s, with established companies such as AIG, Chubb and Lloyd's offering specific products to address cyber risks. In the Asia Pacific, cyber risk is more likely to be managed as part of the business risk, with traditional insurance coverage being extended to cover part of cyber risk.
What insurance companies in the Asia Pacific are currently doing this and for whom?
Major insurance companies (AIG Singapore, Allianz, AXA, Great Eastern, MSIG, Tokio Marine, UOI, OUI) in Asia do not seem to offer a specific insurance product that covers cyber risk. However, most provide some form of cyber risk coverage as part of their overall corporate insurance.
What is the cyber insurance market situation? What sort of demand is there for policies?
For the fiscal year 2008, companies have spent more than US$200 billion on Microsoft, IBM, Cisco Systems, Sun Microsystems and Oracle alone. This substantial investment in IT presents a significant opportunity for first party insurance protection. In addition, from the Open Source Foundation Data Loss DB, it is evident that the issue of data loss is prevalent. This represents a significant market for third party liability coverage.
However, getting companies to transfer their cyber risk is less straightforward. There is a lack of the empirical data necessary for the accurate modelling of information risk. This has resulted in the wide adoption of qualitative risk assessment. The subjective nature of qualitative risk assessment inadvertently results in differing perceptions of the actual risk exposure of the enterprise, making the issue of determining premium and compensation potentially contentious.
What are the major benefits, challenges and milestones of cyber insurance?
One of the key research areas that could benefit cyber insurance is the development of security metrics. Security metrics allow companies to quantify their state of security, which will provide the common language for companies and insurance companies to reach a consensus.
MIS Asia