Is a public-private partnership the only way to cover cyber risk?

The sobering outlook for how much capacity is needed to cover cyber risks in Asia has led many to question whether the insurance market is big enough to cope.

Such concerns have powered suggestions that the only way to cover cyber risk will be through a public-private partnership that creates a government-backed pooled scheme, as is done for terrorism and flooding.

Driving much of the discourse and research around the notion of a public-private partnership model for cyber risk in Asia is Nanyang Technological University (NTU Singapore).

The university’s Cyber Risk Management (CyRiM) Project is an initiative designed to help businesses and institutions defend themselves against “increasingly sophisticated” cyber-attacks.

“A public-private partnership on cyber risks can help promote awareness and best risk management practices,” professor Shaun Wang, director of the Insurance Risk and Finance Research Centre (IRFRC) at NTU Singapore’s Nanyang Business School, told StrategicRISK Asia.

“Cyber risk is relatively new, an emerging risk that evolves rapidly. There is a need to collect data and share information among organisations.

“There are also gaps in terms of definitions of cyber losses and standardisation of insurance policies. These gaps are best addressed through public-private partnerships,” he said.

Wang said that given the nature of cyber risks, a realistic goal is to achieve cyber resilience, rather than a blanket insurance protection covering cyber losses.

“A public-private partnership is the optimal way to promote cyber resilience, by putting best risk management practice in place in various organisations.

“The insurance industry has a record of being effective in promoting risk management through various financial incentives and risk engineer programmes for its customers.”

As for potential complications of a public-private partnership, Wang said these include mixing up respective roles and creating the wrong incentives.

“For instance, if government creates a back-stop or pooled scheme, there may be less incentive for the private sector to carefully monitor their accumulation of risk exposures.”

The CyRiM Project is supported by the Monetary Authority of Singapore (MAS), Cyber Security Agency of Singapore (CSA), and five industry partners – Aon Centre for Innovation and Analytics (ACIA), Lloyd’s, MSIG Insurance, SCOR, and TransRe.

Andrew Mahony, regional director, Financial Services & Professions Group, Aon said: “Government and private enterprise engagement and co-operation is critical to the improvement of cybersecurity standards and the development of the cyber insurance market.”

Mahony said Aon partnered on the CyRiM Project because the broker believes it will foster an efficient cyber risk insurance marketplace by developing cyber loss data and analytics, alongside engaging academics with IT and insurance professionals to make recommendations.

But FireEye Asia-Pacific chief technology officer Bryce Boland stated: “I’d caution that we must be wary of using public funds to pay for the failings of duty of care and diligence in operating private institutions.”

“As with bailing out the banks, we risk privatising the benefits (less investment in data protection and security) and socialising the losses (the public providing cover for security failures),” Boland said.