Is a public-private partnership the only way to cover cyber risk?

Sobering estimates of the capacity needed to cover cyber risks in Asia have led many to ask whether the insurance industry is too small to cope.

It may be that the only solution is a public-private partnership, with a pooled scheme backed by the government, as is the case with terrorism and flooding.

Much of the discourse around this comes from Nanyang Technological University (NTU Singapore). Its Cyber Risk Management (CyRiM) Project is designed to help businesses and institutions defend themselves.

Professor Shaun Wang, director of the Insurance Risk and Finance Research Centre (IRFRC) at NTU Singapore’s Nanyang Business School, said: “A public-private partnership on cyber risks can help promote awareness and best risk management practices.

“Cyber risk is relatively new, an emerging risk that evolves rapidly. There is a need to collect data and share information among organisations. There are also gaps in terms of definitions of cyber losses and standardisation of insurance policies. These gaps are best addressed through public-private partnerships.”

Wang said a realistic goal is cyber resilience, rather than blanket protection covering losses. Potential complications include mixing up roles and creating the wrong incentives. “For instance, if government creates a back-stop or pooled scheme, there may be less incentive for the private sector to carefully monitor their accumulation of risk exposures.”

The CyRiM Project is supported by the Monetary Authority of Singapore, Cyber Security Agency of Singapore, and five industry partners: Aon Centre for Innovation and Analytics, Lloyd’s, MSIG Insurance, SCOR and TransRe.

Andrew Mahony, regional director, Financial Services & Professions Group, Aon, said: “Government and private enterprise engagement and co-operation is critical to the improvement of cyber security standards and the development of the cyber insurance market.”

But FireEye Asia-Pacific chief technology officer Bryce Boland said: “We must be wary of using public funds to pay for the failings of duty of care and diligence in operating private institutions. As with bailing out the banks, we risk privatising the benefits (less investment in data protection and security) and socialising the losses (the public providing cover for security failures).”