Is cyber at risk of becoming uninsurable?
Cyber threats in Asia are rapidly growing, but there are lessons to be learned
After a recent deluge of surges, global cyber insurance finally saw a 2% decline in pricing in the third quarter of 2023, the first period since the latter half of 2018 to see a decrease. Before this, in the past few years, cyber has been on an upward trend, driven by an alarming frequency in cyber-attacks and ransomware, especially in developing markets across Asia.
With so much at stake and ever-growing threats on the horizon, one could make the argument that cyber is headed in the same direction as insurance is with regards to the changing climate. Extreme weather events have become the norm across regions and geographies, leading to insurer exits for those who have calculated – and decided – that the risks now far outweigh the rewards.
The question remains: is cyber doomed to suffer the same fate of becoming uninsurable? MSIG Asia Senior Vice President and Head of Cyber & Financial Lines, Andrew Taylor, said that this is a good question to ask, and one that the industry needs to talk about more as industries become more technologically advanced.
“In general, I think insurance for cyber perils still has a role to play, and a developing role to play still, much like traditional property insurance did – and still does,” Taylor said in conversation with Insurance Business Asia. “That said, as we keep understanding some new potential scenarios of large and systemic accumulation of risks, and as cyber risks keep evolving, there's certainly a school of thought that there are some risks that potentially need some type of government backstop to help support insurance from these types of perils that have a major global implication.”
Taylor said that cyber insurance is doing a very good “societal good,” especially in an age where digital is almost at the heart of everything we do. However, while it can help transfer risks from businesses, especially smaller businesses, he explained that these risks will keep evolving and they will need to be studied closely to keep the burgeoning industry afloat.
“One of the risks being debated at the moment is war. There are new cyber war tactics that are now being employed, other than traditional tactics, like having boots on the ground confined to a single region,” Taylor said.
“What happens when cyber war tactics are used?” Taylor asked. “Collateral damage is caused because of malware strains that have been used to cripple other nations, other states. There’s also the fact that we’re so reliant on technology and telecommunications; what happens if there was a major outage to all these large cloud providers at one time from one particular malware strain or one event? These are scenarios that the industry is thinking through.”
With those considerations in mind, Taylor believes that cyber is still not currently under pressure like property is. As long as the coverage being offered is commensurate with both the risks involved and the limits are there to keep portfolios healthy, the market will remain sustainable. However, thinking forward, Taylor said that there are still aspects to reconcile if cyber is to avoid becoming uninsurable in the future.
“I think cyber is evolving, like it was with property coverage many years ago. That said, one of the challenges I think we need to overcome is a shift in the right mindset and understand that the property insurance market developed from creating assets that was developed through industrial revolutions; the issue is that we're now in the information revolution,” he said.
Simply put, Taylor said that it requires an overhaul of beliefs, and one that needs to be left behind is the thinking that cyber insurance problems can be solved in the same way as the industry did for property insurance through a process that was relevant five decades ago. He said that managing these new exposures – some still poorly understood – and building better underwriting models will be key to insurers’ arsenal.
“I say this because the other thought that we need to consider is whilst we’re in the digital revolution, or the information revolution – the fourth industrial revolution, one might say – I would consider we might also be in the fifth Industrial Revolution: the AI revolution,” Taylor said.
“I think that linking it to property, there are lessons we can learn from how we manage those exposures. But we need to realise that we need to also develop solutions and modelling for different digital scenarios now. I think, yes, cyber is still insurable risk. But there are scenarios that do sit in the back of insurers’ minds, that people are thinking through, of how we can manage to remain sustainable, and keep doing that societal good that insurance offers,” he said.
What makes Asia “low-hanging fruit?” for cyber threat actors?
While the relentless surge of cyber-attacks is a global phenomenon, Taylor said that there are still aspects worth looking at that makes Asia a particularly attractive target for cyber threat actors.
“One of the things that I believe is happening is because criminals have been successfully attacking and infiltrating business in North America, in Europe, in my home country of Australia, etc., these defences have gotten stronger in these regions and made it more difficult or challenging for those criminals,” he said.
Targeting the weakest link is not a novel strategy, and Taylor explained that this is exactly why the region is being pelted by cyber-attacks. Calling Asia the “low-hanging fruit” for ransomware groups, he said that cybercriminals must have also realised that the region is not without its share of fairly wealthy and lucrative targets to exploit.
“On top of that, another thing that kind of added to this shift or change in tactics from criminals is there has been increased legislation from governments in these other regions. I think these legislations come through at a little bit of a faster pace than across Asia, which also means that there's potentially areas that these criminals can attack with greater ease and less resources. In essence, they get a better return,” Taylor said.
Cyber trends in Asia – what should companies be aware of?
With increased threats in the region as technologies like AI continue to develop, Taylor said that there are a few key trends that companies should look out for to keep their businesses protected.
“There's certainly an increased demand from buyers because of cyberattacks in the region. There's good news on the horizon though, because there is probably a flattening of premiums that is coming, based on what I’ve been reading in other parts of the world. Coverage also appears to [be] stable, and as for policies, I think they are becoming far easier to read for the insureds as well,” he said.
Despite the headwinds, there is still a shadow looming over firms, however, stemming mostly from increased cyber attacks and ransomware. With these disruptions set to become the norm, he also warned underwriters to be cautious about deploying large policy limits, especially as the demand surges higher.
“I think what’s a benefit for companies in this region is that there's a lot of third-party tools that are being used to help assess and quantify cyber risk for individuals. So, by doing simple screening of domain names for potential insureds, we can either streamline the application process or refine the questions we ask businesses to make that application process easier and faster. And I think this trend will continue into 2024 and beyond,” Taylor said.
A huge part of the campaign against cyber-attacks is also contingent on Asia’s reputation as being particularly technologically savvy, Taylor said. Noting that this will translate to greater and more efficient trading for both insurers and insured, he said that these trends will be integral as we are less than two months out from 2024 – a year when everyone can expect cyber-attacks to still be a top worry.
“We're trying to put in some processes to right off the back of the backs of these trends,” Taylor said. “It’s all about making the journey to getting a policy easier, and also provide some feedback to our insureds about how they can improve themselves, rather than transfer to an insurance policy.”