APAC cyber uptake still low despite softer pricing, ample capacity

November 1 2024

Cyber has been the buzzword for the insurance and reinsurance market in 2024. Carriers and intermediaries have been building cyber capabilities in the region, as is evident from the frenetic hiring activity.

While softer pricing and ample capacity have led to higher demand for expanded cyber insurance offerings, particularly for SMEs, from both multinational and domestic insurers, lack of cybersecurity awareness and advanced data modelling in the region means the uptake is not as high as it could be, industry experts told InsuranceAsia News (IAN).

“Market pricing is softening, and capacity has increased substantially in the region,” Sie Liang Lau, head of cyber at Gallagher Re, told IAN.

Consequently, there is a growing demand not only from multinational insurers’ perspective but also from domestic insurers looking to expand their offerings.

However, while there is plenty of capacity, uptake remains low as the value of cyber insurance is not recognised by all potential buyers, said Natalie Miladinski, cyber underwriting manager, Asia Pacific, HDI Global.

She highlighted the necessity for better risk awareness and understanding of the product as “cyber insurance offers more than just policy wording; it also provides access to expert vendors and services to assist insureds in managing cyber incidents.”

This lack of understanding among buyers was mentioned as a significant challenge during the APAC Cyber Risk & Insurance Summit 2024 on October 24, organised by InsuranceAsia News.

During a fireside chat at the event, Gallagher Re’s Sie stressed the importance of cyber insurance in providing immediate response services in the event of a breach.

Real-time monitoring tools can help underwriters assess clients’ risk profiles, he said.

He also pointed out that education is essential, as a significant cyber protection gap persists, particularly in emerging markets where awareness of cyber risks remains low.

Asia is a very risk-averse market and companies are not willing to discuss or talk about company risks, according to a spokesperson for Singapore-based cyber insurtech Protos Labs.

Speaking at the summit, he stressed the importance of changing this mindset as having clear transparency and visibility of risks can help companies identify pain points and provide better solutions for cyber risks.

Samuel Bye, head of cyber for Asia and the Middle East at Axa XL, speaking at the same event, emphasised the critical need to promptly contact experts during a cyber incident to mitigate damage.

“We’ve learned from clients who didn’t contact the hotline and tried to manage the crisis themselves. Within two weeks, they realised they were overwhelmed and needed us to retroactively fix the problem,” Bye said.

Post-CrowdStrike landscape
Despite the softening prices, Sie stressed that risk selection remains crucial.

“Collaborating with reinsurers can leverage traditional markets to underwrite larger and more complex policies,” he said.

Sie added that “insurers and cybersecurity companies working together to reduce overall rates can create mutual benefits, leading to more stable and lower costs.”

“Baseline standardised coverage can help reduce uncertainty around product offerings, making policies more accessible to businesses of all sizes,” he explained.

The breadth of coverage available in the market is relatively consistent across the APAC region, with a shared understanding among insurers regarding the cyber risk gap their clients face, Miladinski noted.

“I believe this consistency is driven by the presence of major insurers in key countries across the region, which supports brokers in educating their clients,” she said.

There is an increasing demand for modular and affordable policies tailored to SMEs and personal cyber needs in the APAC region, according to Sie.

“Even with standardisation, flexibility and scalability are vital to support smaller SMEs and personal cyber policies with modular coverage options that address their budget constraints,” Sie said.

SMEs and personal cyber clients in the APAC region are seeking customisable solutions that fit their specific needs and budgets, Sie explained, contrasting this trend with the western markets, where insurance products tend to be less modular and often focus more on larger enterprises.

Evolving threats such as ransomware, phishing attacks, and advanced persistent threats (APTs) are on the rise in the Asia Pacific market.

The increased interconnectivity among businesses also heightens vulnerability in supply chains, making them more susceptible to cyber attacks.

Incidents involving systemic failures, like CrowdStrike, illustrate the widespread impact these threats can have.

“Organisations across various sectors are recognising that cyber risks extend beyond mere IT issues. They can affect a company’s reputation, financial stability, and operational continuity,” Sie explained.

This realisation may lead companies to seek coverage for both first- and third-party risks.

“Some insurers currently do not provide coverage for non-malicious attacks, indicating a need to consider offering optional covers,” Sie told IAN.

“The CrowdStrike incident not only underscored our reliance on technology but also highlighted how interconnected our systems are, reinforcing the importance of IT literacy for restoring business operations,” said HDI’s Miladinski.

“I believe this incident has been a wake-up call for companies to ensure they have appropriate risk management procedures in place to handle cyber incidents and outages,” she added.

Regional challenges
The cyber insurance industry is hindered by a lack of extensive data due to its relatively short history, Sie said.

“That has led to simplified models being adopted by organisations and therefore the output data becomes highly directed,” said the Protos Labs spokesperson. The threat landscape is evolving and threat actors are leveraging new technology such as deepfakes to gain access to organisations.

“However, there are really no tools currently or data that can be used to calculate this type of threat,” he said.

It is crucial that insurance companies consider how to gain access to more relevant data that can be used for analysis and risk modelling, he said.

Privacy laws in the APAC region have expanded significantly, with new regulations being introduced in several countries, aiming to align with international standards.

By the end of 2023, privacy laws in the Asia-Pacific (APAC) region had expanded by over 25% compared to 2021.

“China is implementing comprehensive policy laws for the first time, while India and Vietnam are set to introduce new regulations in 2024,” Sie said.

Countries like Australia, Japan, South Korea, New Zealand, and Singapore have established cyber privacy frameworks that aim to align with European standards, such as the General Data Protection Regulation (GDPR), Sie added.

In a keynote speech for Hong Kong FinTech Week, Raymond Cheung, chief executive officer of the Insurance Authority, Hong Kong, highlighted the serious consequences of ignoring cybersecurity threats and introduced a cyber resilience assessment framework under the cybersecurity guidelines.
