Cybercrime costs hit S$2 billion, but insurance adoption low

Companies in the Republic lost nearly S$2 billion last year due to data loss or unplanned downtime arising from illicit cyber activities — a fact not lost on insurance companies, which are beginning to offer protection to firms here as cyberattacks become increasingly sophisticated.

But as the industry gears up to offer coverage, which can include the cost of investigative work and rectification, market watchers say a general lack of awareness, underestimation of the risks of security threats and few precedents for designing and setting premiums are impediments.

While interest is on the rise, insurers offering such policies here said uptake rates remain low despite Singapore having seen a string of high-profile online intrusions in both the public and private sectors in recent years.

Hackers illegally accessed SingPass accounts last year, while cyber thieves stole customer data from karaoke chain KBox. In 2013, statements of hundreds of Standard Chartered Bank’s clients were stolen from a server of a printing company. The incident was discovered only after the data were found on a laptop seized from James Raj Arokiasamy, who was sentenced to jail last month for hacking into the Ang Mo Mio Town Council website.

Last year, 66 per cent of businesses here suffered data loss or unplanned downtime due to illicit cyber-activities, costing them an estimated S$1.9 billion, a Monetary Authority of Singapore (MAS) spokesperson told TODAY.

To enhance the industry’s capabilities in providing cyber insurance coverage and manage cyber risks, the authority is working with the industry to create a test bed for cyber risks. “Such events are more than capable of inflicting significant reputational and financial damage. In efforts to develop greater cybersecurity resilience, insurance can play an important role in helping organisations improve cyber controls and manage the financial impact from such events,” the spokesperson said.

CYBER INSURANCE MARKET STILL SMALL

Despite the risks such attacks present, the cyber insurance market remains small. EY estimates the size of the global marketplace for cyber insurance at between US$600 million (S$812 million) to US$1.3 billion in gross written premiums in 2013.

By comparison, the global commercial insurance market is worth about US$1 trillion annually, said Boston Consulting Group. An EY study in 2013 found that only 31 per cent of respondents globally said their firms had cyber insurance coverage.

Cybercrime coverage can include forensic investigation expenses, legal and public relations costs, business income loss and internet media liability coverage. In Singapore, at least three international insurers — AIG, Chubb and Zurich Insurance — offer such policies. Globally, premiums range from US$20,000 to US$25,000 a year for about US$1 million worth of coverage.

Chubb said its first clients were mostly financial institutions, but its customer base has expanded to include firms from manufacturing, retail, healthcare and professional services.

Mr Andrew Beven, senior underwriter at AIG New Zealand, said: “The landscape for cyber insurance in Asia has changed quickly and dramatically in the past year.” Singapore has been a big driver for the 82 per cent growth seen in AIG’s cyber insurance take-up throughout Asia excluding Japan.

“Following the attacks against Sony and Target ... directors are increasingly aware of this exposure and the impact it can have on an organisation’s reputation and balance sheet,” he said. AIG did not elaborate on the take-up rate.

LACK OF AWARENESS A ROADBLOCK

Experts say apart from a lack of awareness, firms are unwilling to spend on such products, while security threats continue to evolve. Another hurdle is the risk management culture in Asia, which is weaker than that in the West, said Mr Vincent Loy, cyber-risk leader of PwC Singapore, adding that the Asian market expects cheaper premiums.

Another speed bump is the lack of a risk model and historical data to help the industry design and set premiums for cybersecurity policies. Unlike, for example, natural catastrophes, for which there is data, there is little precedent for cyber infringements.

The MAS test-bed for cyber-risks seeks to address this issue, by simulating loss events and generating data to improve pricing and coverage, while raising awareness of cyber-insurance.

Mr Noel Tan, vice-president and regional manager at Chubb, welcomed the MAS effort. “This may help breach the gap between what businesses perceive as the risk of a possible loss event and what could ultimately be the actual costs they would have to bear in the event of a data breach,” he said.