“C” is Not for Cyber
Photo Credit: Sue Yen Leow (Central Harbourfront, Hong Kong)

Another Day, Another (Cyber) Attack

Cyber attacks have become commonplace, even in Asia. In 2018 alone, a Google search revealed at least 14 reported cyber attacks across various countries in Asia. Only three weeks into 2019, an Asian microfinance firm has already flagged a data breach incident to the authorities. The number of unreported cyber incidents is anyone’s guess.

The reported attacks stretch across industry sectors, in large part due to increasing adoption of technology and digitization, as discussed in this Asia Insurance Review article.

Compounding Financial Losses

Cyber risk consistently ranks as a top concern for C-suites. In the Marsh-Microsoft Global Cyber Risk Perception Survey, “75% of respondents cited business interruption (BI) as one of the most worrisome consequences of a cyber-attack” and almost 30% are concerned about the consequential disruption to their industrial systems or operational technology. Unlike breaches of private information, contingent BI costs resulting from or related to cyber attacks are far more difficult to quantify.

When we consider the highly intertwined nature of today’s supply chain, the potential financial losses related to a cyber incident could be staggering. Respondents to the Marsh-Microsoft Cyber Perception Survey estimated that the potential financial costs of a worst-case cyber incident could range anywhere from up to US$10 million to US$100 million or more, depending on the size of the organisation (see Figure 1).

“C” for Clarity and Certainty

With such hefty financial stakes, it comes as no surprise that stakeholders, companies and even the insurers which insure these risks are all increasingly demanding more Clarity and Certainty around their cyber exposures. One of the outcomes of this is an evolving understanding, development and, most importantly, clarification of insurance coverage for cyber incidents.

On the demand side, companies are recognising the need for some, and even more, insurance coverage as part of their cyber risk management arsenal. With regard to cyber insurance specifically, 56% of respondents to the Marsh-Microsoft Cyber Perception Survey said their organization already purchases cyber insurance, or plans to purchase or increase cyber insurance within the next 12 months. On the other hand, about 20% of respondents do not have and do not plan to have cyber insurance, largely due to a lack of understanding of the need for such coverage. In fact, a quarter of this subset of respondents gave the explanations “don’t understand the available coverage” and “cyber coverage is included in another policy”.

Cyber risk cuts across the entire business and supply chain, so much so that coverage for financial losses resulting from or related to cyber incidents could possibly be provided (or not) by multiple insurance contracts. In some circumstances, coverage for cyber incidents may be inadvertently provided (referred to as “silent” or “non-affirmative” coverage) if the insurance contract is not clearly drafted, or when traditional insurance contracts have not been updated to address emerging risks such as cyber risks and therefore fail to explicitly exclude them.

Change is Coming

On the supply side, insurers have been formulating more sophisticated approaches towards measuring and monitoring the accumulation of systemic cyber exposures in their portfolios, in order to achieve greater Clarity and Certainty. This is, in part, a response to various regulatory guidance and dialogue (e.g. PRA, EIOPA), and it enables insurers to continue to commit capital to covering cyber exposures.

There is not yet a harmonization of insurance coverage. Nevertheless, effective 1st January 2019, a number of multi-line insurers are already striving to improve Clarity and Certainty of coverage by introducing updated insurance policy wordings or coverage language that is explicit in its intention to cover or exclude cyber risks.

What this means for companies is:

1. If you feel that “cyber coverage is included in another policy”, think again. With the changes that are coming, chances are that cyber coverage may be explicitly excluded from general or non-standalone cyber insurance policies.

2. If you have insurance coverage in place (including a dedicated cyber insurance policy), review your coverage overlaps or coverage gaps across all your insurance contracts.

If you are facing ambiguity about cyber coverage, please connect with me or follow me on LinkedIn for more content. Thanks for reading!

Sue Yen LEOW
