Misconceptions about the threat and magnitude of a cyber attack continues to hold back organisations

Asian businesses are gradually waking up to the risk of cyber attacks but are still behind other regions in their preparedness, according to Lockton’s Peter Jackson.

The comments come in the wake of a Lockton study overseas, which found UK businesses are “severely unprepared” for cyber attacks.

The study uncovered misconceptions about the length and severity of disruption from cyber attacks, with half of the respondents expected to be fully operational 48 hours after a large-scale security breach, and only 2% said that a breach would affect them for more than 10 days.  But Lockton senior vice-president of cyber and technology Peter Erceg said that it can take several months, if not years, to be fully operational after a large-scale breach.

Jackson, who is director of multi-national clients at Lockton Wattana Thailand, said that Asian businesses are even more at risk than many other parts of the world.

“The reasons for Asian firms not being prepared start with a lack of coordinated response plans to a cyber attack,” Jackson told StrategicRISK. “There is still an air of denial or ‘it won’t happen to us’.

“The risk is still seen as an IT problem and not cross functional. This is reflected in many IT functions not wanting involvement from other functions and vetoing purchase of insurance as if it was a sign of weakness on their part.”

Jackson said when cyber risk is acknowledged, the likely cost of a major breach is significantly underestimated mainly because Asian businesses overestimate their ability to recover quickly.

“If customers lose confidence in your brand, go elsewhere and like the experience, it’s going to cost a lot of marketing dollars and time to persuade them to come back,” he warned.

“Despite many surveys showing the extent of cyber attacks across Asia, the lack of requirement to disclose cyber attacks means the problem is still mainly below the surface.”

Jackson continued that this situation leaves insurers in a “Catch 22” position: “Lack of demand means they can’t really invest in breach support services, with most expertise still residing 12 time zones away in the US.

“The slow pace of regulatory approval is another impediment. Why spend six to 12 months trying to persuade regulators to approve a product you are not sure businesses will buy?”

Jackson said it is only possible to buy adequate cyber cover in Hong Kong and Singapore, while businesses in Thailand, Indonesia or China have little or no domestic choice.

“Regulators should not just see their role as protecting consumers but also encouraging the insurance industry to provide protection for the most pressing risks local businesses face,” added Jackson.

“We are seeing innovative solutions in China and Philippines for weather and crop insurance. The same needs to apply to cyber insurance so businesses of all sizes can access the protection they need.”

Keith Xia, head of risk at Intercontinental Hotel Group, agreed with Lockton’s report and commented: “As far as I know, this [cyber risk] is a weak point for most of [Asia’s] companies. When a cyber crisis happens, the collaboration works are not very smooth for most companies.”