The growing cyber threat in Southeast Asia has led to a surge in cyber insurance policies and claims across the region say experts.
The devastating WannaCry and NoPetya cyber attacks in 2017 caused chaos for global corporates and SMEs over the past year, prompting more companies in Asia to consider cyber risk and appropriate insurance coverage, according to industry experts.
AIG saw a 75% increase in Asian cyber insurance claims between 2016 and 2017, with a further 20% rise for the same period (January to June) between 2017 and 2018. The claims included multiple notifications by insured parties, underscoring the regularity of cyber breaches in the region.
Liam Pomfret, AIG’s cyber lead for Southeast Asia and New Zealand said the increase in claims reflected the “commercialised” nature of cyber attacks: “It used to be a targeted thing to be hacked. It would happen when people wanted to harvest data. Now hackers can put out malware that self-propagates without too much human interaction. WannaCry spread and infected other machines.”
Malaysia has been one of the Asian countries hardest hit by cyber attacks. According to the Symantec ISTR 2018 study Malaysia ranked seventh for global email malware cases and third for phishing attacks. The country ranked third for ransomware attacks according to Trend Micro. Studies indicate Asian companies also take longer to detect cyber attacks. According to Microsoft, Asian companies detect an attack after 520 days, while US companies take 100 days.
AIG noted an 86.4% increase in Malaysian cyber insurance policyholders from 2016 to 2017, with SMEs accounting for much of the growth. AIG also noted a rise in Malaysian corporate and multinational company policyholders between 2016 and 2017.
“It is a new and constantly evolving risk,” Pomfret said. “Property insurance, for example, would not grow at anything like that rate, as it is a mature market. But this is brand new, and there has been a huge increase each year.”
Across Southeast Asia, notable recent attacks have caused significant damage. In July, a cyber attack on Singapore’s government health database stole the information of more than 1.5 million people, highlighting the danger and sheer scale of potential breaches. Pomfret said the attack had sharpened the minds of companies in the region.
He said “cyber risk has changed in recent years with hackers moving their focus from solely stealing data to the major interruption of operational technology”. He added: “Targets and motivations are changing. Historically it was organisations that collect vast amounts of data, such as healthcare, banks, or those accepting credit cards. More recently we have seen attacks on more process-driven businesses, such as manufacturers and key infrastructure, that don’t collect massive amounts of data but have operational technology. A virus can hit machinery, and a company may not be able to manufacture its products, or generate power. The computer virus that recently impacted the Taiwan Semiconductor Manufacturer is a good example of the widespread business interruption that can occur.”
Pomfret said new methods of cyber attack made it more difficult for companies to keep up. Cryptojacking, where criminals use a hacked company’s computing resources to mine Cryptocurrencies, are common, and often go undetected for long periods. He added, companies are finding it tough to stop cyber attacks: “You can have the best technology and defences, but if an employee sets forth a new virus and your security has not been updated for it yet, you have a problem.”
Pomfret called on companies to ensure staff were adequately trained and are aware of cyber risks.
He said: “As successful cyber-attacks are inevitable cyber security is moving from prevention to threat detection and response.”
He said risk departments needed to know “what their [cyber] response plan is, who is involved, and what their role is”. He added: “Companies should be increasing awareness of cyber risk among their employees, top to bottom. We have a training platform for employees to build awareness.”
Risk managers at leading Southeast Asian companies say it is imperative to focus on cyber risk in the current environment. Suchitra Narayanan, global head of risk and insurance for Air Asia, said cyber should be a “collaborative effort within a group” rather than the responsibility of one person or department. She added: “That is what companies can do better. It is not just the risk manager’s responsibility to highlight and mitigate risks.”
Narayanan described the Singapore cyber attack as a “real wake up call” for companies in the region. She said companies could boost their cyber defences by making sure employees were well trained: “Creating awareness is key. If ever there was a time to create awareness, now is it. It is important to talk to the CEO, the management, and the cabin crew. Everyone can be just as susceptible to aiding a cyber attack. The less educated you are on cyber risk, the more of a target you can be.”