Asian boards need to take responsibility for cyber

August 11 2017 by Nick Ferguson

When computers around the world were infected by the so-called WannaCry ransomware earlier this year, we confidently predicted that it would have little effect on the sale of cyber coverage in Asia.

The jury is still out on that one, but at a press conference in Hong Kong this week, Cynthia Sze, head of financial lines for Greater China at AIG, said that the company received an 87% spike in enquiries about cyber policies in the wake of the incident. Enquiries are not premiums, of course, but the insurer says that it expects this interest to translate into a bump in new business.

This is not entirely at odds with our earlier article, where we acknowledged that WannaCry might encourage some buyers to get off the fence and finally pull the trigger on extensions they had been considering for years. However, we doubted that it would drive a new universe of clients into the hands of grateful insurers — it wouldn’t be a game-changer.

Our logic was simple: WannaCry spread by exploiting a flaw in Windows file sharing that Microsoft had patched in March, so the machines it hit were those running unsupported versions of Windows or versions that had not been kept up to date with security patches. In Asia, a large share of infected computers were probably running pirated software, which typically receives no updates: around 70% of all software used in China is unlicensed, according to The Software Alliance, and estimates are similar across most of South-East Asia. Clearly, the next step for an organisation running unlicensed, out-of-date software is not to go out and buy a cyber insurance policy. Nor would such networks be insurable anyway.

Instead, the next step is for senior executives to start taking cybersecurity seriously.

“This is no longer an IT issue,” said John Kelly, AIG’s head of liability and financial lines for Greater China, Australasia and Korea. “Cyber is a board-level issue. It’s too important to ignore.”

To put that into context, Kelly cited data for 2015 showing that sales of cybersecurity software totalled US$22 billion, compared to US$400 billion in damage caused by security breaches.

While high-profile incidents might convince a portion of the market, a much more effective tactic that some countries in the region are now trying is regulation. Companies in Asia, as elsewhere, are reluctant to admit that their networks have been hacked or their customers' data stolen, so laws requiring them to disclose such breaches can help escalate the issue to senior executives and board members.

Breach notification rules were first adopted in the US in 2003 (starting with California, and since copied by most other states) and in the EU in 2009 (initially only for telecoms and internet service providers), and are now arriving in Asia, including new requirements in China and Japan. However, the wildly different requirements, thresholds and deadlines across the region are already creating problems for companies that become victims of security breaches.

“It’s a very uncertain process compared to the US,” said Anna Gamvros, a partner at Norton Rose Fulbright and co-head of the technology and innovation practice, who recently advised a client on a global breach. “Staying on top of the regulations can be difficult for companies. It’s important to have a plan in place.”

In some cases, notification periods are far too short. In the Philippines, for example, notification is required within three days (72 hours), when companies are still likely to be working out what has happened, let alone ready to inform customers. Some places are even tougher. In Singapore, which is positioning itself as a fintech hub, the Monetary Authority of Singapore has instructed financial institutions to report security breaches within one hour of discovery.

Rules that are impossible to comply with are as useless as rules that aren’t enforced, so it is to be hoped that Asian regulators and lawmakers will move towards something approaching common standards that reduce the compliance challenge for companies and create a more reliable basis for enforcement.

For insurers, challenges remain in underwriting cyber risks, particularly in limiting the aggregation of exposures: a single event such as WannaCry can trigger claims across many policyholders at once.

AIG’s product, CyberEdge, can include coverage for personal and corporate data liability, outsourcing, data security and defence costs, with optional extensions for media content, cyber extortion and network interruption.

WannaCry aside, the uptick in cybersecurity regulation and the growing commercial importance of data are clearly spurring interest in such cover.

Indeed, many Asian businesses may already be under the aegis of US and European data privacy and breach notification laws if they handle customer information belonging to citizens in those jurisdictions. All the more reason for boards to start taking cyber more seriously.