MAS is teaming up with NTU on a project to lower cyber insurance premiums and standardisation of insurance policies
With companies here losing billions of dollars each year to cyberattacks, the Monetary Authority of Singapore (MAS) is working with a university and several industry players to comprehensively address the growing threat and help firms shore up their defences against illicit cyber activities.
The three-year Cyber Risk Management (CyRiM) project was launched yesterday by the Nanyang Technological University (NTU). It is supported by MAS, the Cyber Security Agency of Singapore (CSA) and a host of industry partners — the Aon Centre for Innovation and Analytics, Lloyd’s, MSIG Insurance, SCOR and TransRe.
Amid low take-up rates for cyber insurance especially among small and medium enterprises (SMEs), the project aims to bring about lower premiums and standardisation of insurance policies. Among other things, it will also develop best practices and recommend policies to the Government to guard against increasingly sophisticated cyberattacks.
Globally, less than 10 per cent of SMEs have cyber insurance. The adoption rate varies by sector, with manufacturing firms having a take-up rate of less than 5 per cent. For firms in financial services, technology and telecommunications, the proportion is higher, at between 35 and 42 per cent.
The adoption rates are understood to be similar for Singapore.
Speaking at the Asia Cyber Risk Summit, Mr Bernard Wee, MAS executive director of financial markets development and payments and technology solutions, noted the existing challenges of cybercrime insurance.
“Cyber insurance policies are not standardised, and the terms and exclusions can vary dramatically from one insurer to the next,” he said. “Some policies cover only first-party losses … Others cover only third-party liabilities … while others cover both.”
The lack of historical data is a stumbling block towards assessing costs, especially long-term ones, he added. “Underwriting is hindered by the lack of publicly available data on the scale and financial impact of attacks. There is also insufficient historical data to assess potential losses beyond the short-term physical costs,” said Mr Wee, citing “brand impairment” and compensation to customers and suppliers as longer-term costs that are harder to assess.
In Singapore, two-thirds of companies lost nearly S$2 billion in 2014 due to data loss or unplanned downtime arising from illicit cyber activities, showed the latest available statistics from EMC Global Data Protection Index. Last year, Lloyd’s estimated that cyberattacks cost businesses around the world as much as US$400 billion (S$548 billion) a year, which includes direct damage and post-attack disruption to the normal course of business.
Mr Wee noted that the lack of accurate underwriting has resulted in insurers holding back from providing cyber coverage. Even if they do, they seek to “cushion the uncertainty by setting high deductibles, low coverage limits and significant exclusions, which further impacts demand for such products”, he added.
In Singapore, the few insurers that offer cyber coverage include AIG and Zurich Insurance. Globally, premiums range from US$20,000 to US$25,000 a year for about US$1 million worth of coverage. Cybercrime coverage can include forensic investigation expenses, legal and public-relations costs, business income loss and Internet media liability coverage.
For a start, the CyRiM project will work with businesses in the financial and healthcare sectors. Professor Shaun Wang, director of NTU’s Insurance Risk and Finance Research Centre, noted that companies need to have risk management in place before they can be insured. “So we will be making some recommendations of best practices. For instance, they should have an inventory of key assets they want to protect, and formulate a crisis response if their IT system should be breached,” said Prof Wang.
SMEs TODAY spoke to cited costs as a reason for not buying cyber insurance. They also felt there was no need for it.
Mr Chan Tai Pang, CEO of Laundry Network, uses RFID technology to track and count laundry and linen at the Integrated Resorts, which are his clients. “Our vendors will usually test the systems well because if it isn’t reliable, both (IRs) will be affected,” he said.