Is cyber risk a myth or reality in Asia?

When viewing an organisation’s consolidated risk landscape it quickly becomes clear that business models and risk exposures have shifted away from traditional physical risks towards newer intangible risks, which themselves are interconnected and complex in nature.

However, a comprehensive summary of several digital and intangible risk forums held by JLT across Asia recently makes it clear that many corporates still have an unhealthy focus on physical risk categories.

The report Is cyber risk a myth or reality in Asia? provides an overview of high-level discussions held at events in China, Hong Kong, Indonesia, Japan, the Philippines, Singapore and Thailand.

More than 350 delegates attended, representing more than 200 corporates ranging from start-up companies to major national corporates and multinationals spanning multiple sectors.

The CEO of JLT Asia Duncan Howorth says that interest from the broker’s customers and partners, combined with the fact that Asia has some of the greatest digital exposures globally, prompted JLT to hold the series of events across the region.

“Rather than re-hash discussions and concepts borne in the European and USA markets, our conferences were developed ground-up based on local loss events, locally-derived risk landscapes, local legal concepts and regulation, and finally local cultures and customs,” Howorth said.

“From here, we as an industry can then develop advanced industry solutions which add value to our Asia clients, respond to their local needs and risk landscapes, and importantly provide long-term sustainability.”

Insurance and intangible risks

Head of JLT’s global communications, technology and media (CTM) practice Peter Hacker and CTM’s deputy head Sam Tiltman (both pictured) managed sessions covering topics such as whether insurance products are available to insure intangible risks and if there is an optimum way to integrate insurance with risk management for intangible risks.

Hacker says that the main objective of these sessions was to debate what value insurance can play as a risk management tool, and how the industry can improve in order to provide greater value and match customers’ requirements, particularly in relation to cyber exposures.

“We are absolutely convinced that the insurance policy itself is the cherry on the cake – not the cake itself – and that pre-risk identification, quantification and stress testing are really the most exciting parts,” Hacker added.

Each session began with a debate over the true definition of cyber and intangible risks.

“Commonly, ‘cyber’ is a broad term which is used in many different contexts across the industry and everyone seems to have a slightly different definition,” Hacker said.

“Based on JLT CTM’s research over the past 10 years, and advanced work with clients, we can make the following statements. Cyber in itself has no globally agreed definition and is in fact an industry buzz word used to encapsulate risk categories and solutions relating to IT risks.

“Cyber risks are just one sub-category of intangible (non-physical risks) and usage of the term ‘cyber’ can lead to confusion as well as failing to appreciate or fully consider the other critical intangible risk components. Therefore, it is more relevant to use the term ‘intangible risks’.”

Further discussions covered trends relating to mobile landscape developments, cloud computing adoption and bring-your-own-device evolution.

“Then we picked a couple of key risk areas and discussed why these are relevant to corporations in Singapore or Japan, for instance,” Hacker said. “We really tailored it for each country.”

Business interruption

Tiltman explains that the one subject that “came up time and time again” was business interruption.

“The concern about continuity of revenue and being able to continue trading is the main discussion point in Asia,” he said.

“Today’s risk is the revenue, the business interruption, however customers are also concerned about the incoming litigation or legal risk and the regulation.”

Much of the litigation and liability exposure is less apparent in Asia than it is in Europe and the USA, Tiltman concedes, although “it is shifting, becoming more litigious, particularly customers that trade internationally”.

“And in Asia, a lot of regulations are coming to the fore,” he added. “Singapore has a data protection act now, Hong Kong is developing one, Thailand is developing one. So we looked at what the law says today but also what the regulators are doing tomorrow.”

Hacker explains that for each forum, there was a local law firm invited to “talk about the data act from a pan-Asia point of view and then per country”.

“Then the next step was we had Crawford discuss the forensic accounting steps you have to go through if there has been, for instance, a privacy breach,” he said.

When it came to the product solution section of the programme, Titman says customers were saying that they had thought many intangible-risk exposures should be covered under their existing, traditional policies.

“So we discussed why they are not insured for these new exposures, what the pitfalls are, what the exclusions and limitations are,” he said.

“Then, as insurance is just one part of the overall management strategy, we discussed risk management strategies and tools, such as the IT department doing risk engineering audits of the network and business continuity management.

“A lot of customers do this for property and physical risks, but we think it should be done for non-physical risks or triggers.”

Shifting focus

Tiltman asked participants if their risk landscape had shifted from tangible to intangible, and if their insurance and risk management programme had done the same?

“In the case of companies who have over 85% value derived from intangible assets, ask yourselves, is 85% of your insurance budget focussed on intangible exposures; is 85% of your risk management strategy focussed on intangible risks?,” he asked.

Hacker says that similar events are now being held in Europe – including JLT’s Global Digital Risks and Technology Summit being held in Salzburg, Austria, in June – and then they will move on to Canada and Latin America.

“There will also be events in Australia later this year, and two major events in September and October in south-east Asia and north-east Asia.”