Cyberinsurance adoption especially 'cold' in APAC

Spike in cyberattacks not spurring similar rise in cyberinsurance adoption worldwide due to issues of cost, trust and limited regulation, which reflect a still immature market, especially in the Asian region, observers note.
Written by Jamie Yap, Contributor

Despite the growing number of security and data breaches affecting enterprises across the globe, cyberinsurance adoption remains fledgling worldwide, and more so in Asia, due to budget and trust issues, limited cyber-regulation and a still immature market, say observers.

Aliza Kasim, ICT industry analyst at Frost & Sullivan Asia-Pacific, said an insufficient budget and a lack of trust in cyberinsurance carriers have meant a "cold" reception in terms of adoption from Asian enterprises so far. While cost is a fundamental deciding factor given how companies may "balk and decide otherwise", the "trust factor" is the bigger hurdle to cross if adoption should ever increase, she said.

When it comes to digital, intangible property, policies can be vague and complex, and the majority of carriers have not yet been able to clearly define their services and gain "absolute trust" from clients, Kasim explained.

Barry Rabkin, principal analyst, insurance technology at Ovum, concurred, saying there are dozens of insurance companies that provide cyberinsurance and each tends to offer different types of coverage, so companies have to evaluate the various benefits and limits beforehand.

He, however, downplayed affordability as a major obstacle to adoption. Instead, Rabkin argued that the main barriers were either "cultural or hubris" where companies believe attacks or breaches "can't happen to us".

Another analyst, John Wheeler, research director at Gartner, said the growth of cyberinsurance adoption follows either the limitation or proliferation of cyber-regulation across regions. That would explain why adoption is "lagging" in Asia as compared to Europe and the United States, he pointed out.

Ian Pollard, Asia-Pacific vice president at insurance provider Chartis, made similar observations to the analysts, saying cyberinsurance penetration is "extremely low" in Asia. "From what we understand at Chartis, penetration in the United States is around 20 to 30 percent [and] we have been writing this product in the U.S. for more than 10 years."

Pollard, however, argued that rather than trust or budget constraints, the real barrier hindering cyberinsurance uptake was the low level of awareness of cyber risks, exposures as well as coverage.

Observers that ZDNet Asia spoke with were unanimous in their belief that the various reasons for poor adoption can all be traced to how cyberinsurance overall remains an immature market worldwide.

Gartner's Wheeler said the infancy of the market is evident from the lack of history of paid claims, causing a somewhat cyclical effect. Potential clients remain skeptical about the likelihood, much less the amount, of a claim being paid. And without any historical precedents, insurance providers themselves typically have several policies that include ambiguous exclusion statements, which further diminishes the likelihood of a claim payment, he added.

While the number of data breach incidents globally has spiked on the one end, at the other end, the cyberinsurance market as a whole is not at full momentum yet due to enterprises' lack of trust in policies, added Frost & Sullivan's Kasim.

A lack of industry standards and regulation only exacerbated this issue, she highlighted. Hence, providers will need to proactively tackle the ambiguity in responsibility or liability between tangible and intangible property, she said.

Awareness, regulation the keys
Pollard said since cyberinsurance is a fairly new concept in Asia, it will take time for it to become mainstream--and it is up to providers to educate existing and potential customers on the benefits of cyberinsurance. "Essentially the task we have as an industry and a business is to increase awareness of exposures," said the Chartis executive.

Pollard also predicted that cyberinsurance will increasingly become a priority for many commercial organizations and government institutions, given how the business environment today is increasingly "convoluted and risky [and] not a week goes by where we don't see a cyberattack, data breach or insider event in the headlines".

The rapid advancement of technologies, changing legislation on privacy, intensification of malicious and non-malicious cyberthreats, and tougher challenges of risk assurance due to social media and cloud computing will also drive adoption, he added.

Stella Tse, managing director and head of financial and professional risks practice for Asia at insurance broker Marsh, concurred that greater awareness was critical and beneficial. "We strongly encourage businesses to keep ahead of the curve and businesses shouldn't wait until it's too late."

In addition, regulation will help tackle the ambiguity that is plaguing adoption, she noted. "Once the laws and industry regulations that clearly spell out accountability and liability are in place, insurance take-up will increase accordingly."

Cyberinsurance for everyone?
Asked if cyberinsurance is a must for any company across the board, Tse replied: "Yes [because] to one extent, every organization keeps personal data of employees, and privacy risks certainly cuts across most industries and businesses."

This said, she acknowledged that each business is unique, and thus each client needs to understand their role profile and then come up with the most appropriate risk management and cyberinsurance program.

Ovum analyst Rabkin pointed out that rather than define which industries are a more natural fit for cyberinsurance, the crux is that any company should at least take responsibility for safeguarding its data and systems. "Even if an enterprise does not purchase cyberinsurance, it should at least encrypt all of its data," he said. If a company was a cyberattack victim, it was due to its own "laxness…or it was part of a group of companies within which a zombie's laxness allowed the attack and put the others at risk", he added.

Rabkin noted that the business marketplace is transforming into a digital and mobile environment, which also carries "significant negative consequences" on security. "Enterprises which do not protect themselves either through cyberinsurance or self-insurance, or both, should not be in business at all".
