Cyber insurance - de rigueur but poorly understood



Source: Business Times
Article Date: 10 Mar 2020
Author: Ronak Shah

In today's digital age, cyber threats are very real business risks that companies must actively manage to minimise potential exposure and long-term damage.

Despite the growing digital risks, however, businesses in Singapore are still underinsured. When it comes to obtaining cyber protection, most don't know where to begin, and evolving risks are difficult to understand and mitigate.

A cyberattack will give rise to a wide range of risks, which insurers categorise broadly into two types of exposures: first-party and third-party exposures. Understanding the difference between the two is crucial to adequately protecting a business.

First-party exposures are risks commonly faced by businesses across all industries and sizes. Some of these risks may include, but are not limited to, privacy breaches, damage to data and software programmes, or defacement of corporate websites.

On the other hand, third-party exposures are liabilities borne from the individuals or technology firms responsible for managing the compromised platform, where a breach has occurred.

Let's put this in context. Imagine you are a farm owner and your land has suffered an unusual pest infestation - you will need insurance coverage for first-party exposures. When the individuals or team responsible for poor management of the farmland are reprimanded, third-party coverage will help to cover losses from any lawsuit.

In Singapore, cyber insurance has been in the market for more than a decade, but the awareness level of the product outside the insurance industry remains low. While Asia's markets are relatively developed, with a high level of Internet penetration, the majority of cyber losses are either uninsured, unreported or underestimated. FireEye Mandiant's 2019 M-Trends report found that in Asia-Pacific, the median time it takes to discover a cybersecurity breach is 204 days, more than double the global average of 78 days in 2018.

Instead of cyber-specific insurance coverage, companies typically buy traditional insurance policies covering physical assets and liabilities, which are not sufficient to cover financial losses resulting from Internet-based threats.

To mitigate this, businesses must take into consideration two key aspects.

The first is the nature of their business operations. Is the company highly dependent on processing customer data? Are business transactions done online? Secondly, what are the company's liabilities? Aside from third-party exposures, companies might also have third-party responsibilities which the risk management team will need to look into.

Picture an e-commerce firm that was hacked and which subsequently lost confidential customer and payment data. The incident not only exposed the company to direct losses in the form of notifying affected individuals and engaging an issues management firm, but also third-party damages from their customers due to breach of trust.

The proliferation of the Internet of Things (IoT) has created a vast network of opportunities for cyber criminals. Phishing tactics are getting increasingly sophisticated - some artificial intelligence software has the ability to learn and mimic corporate language and styling. The global novel coronavirus public health emergency that the nation is currently fighting is also not helping the situation, as fear breeds uncertainty and inhibits sound decision-making.


Another worrying statistic is the fact that internal risks like employee negligence remain the weakest link in any business security framework; 48 per cent of organisations do not have an employee security awareness training programme. Investing in training is equally important to ensure that the insurance industry can continue to innovate to meet evolving business needs, and to minimise a company's digital transformation loopholes to prevent further exploitation by cyber criminals. What's the point of investing in sophisticated and costly technological tools if individuals are not properly trained to use them?

These challenges necessitate the expansion of the role of cyber insurance to work hand in hand with businesses to conduct robust assessment and boost cyber readiness. Aside from coverage for first-party and third-party losses, cyber insurance today needs to consider the provision of value-added risk management services like audit, legal and forensic investigation, reputation management, and crisis communications.

Many insurers in Singapore provide these response services in their policies. The responsibility is now on the industry to make sure clients thoroughly understand the terms of their cyber policies and to play a bigger role in covering the risk management process from end to end, beyond paying a sum of money.

While we have made progress, markets worldwide are still in the nascent development stages.

Singapore has been investing greatly in developing the nation's ability to deal with evolving threats, from setting up the world's first commercial cyber risk pool to unveiling a cybersecurity masterplan that will upskill experts in the field with more advanced capabilities.

Greater public-private and cross-sector collaboration can help with building a more comprehensive understanding of cyber risks across a range of industries in order to provide valuable cyber propositions to protect vulnerable businesses.

The writer is a management committee member and Insurance Committee Deputy Convenor of the General Insurance Association of Singapore.

Source: Business Times © Singapore Press Holdings Ltd. Permission required for reproduction.

