In May, the WannaCry ransomware attack affected over 200,000 computers in more than 150 countries – causing the UK’s National Health Service to cancel surgeries, and impacting major businesses like FedEx, the Spanish phone company Telefónica and German state railways. Just last month, Petya affected more than 12,000 machines at major corporations such as shipping giant Maersk, the world’s biggest advertiser WPP and food company Mondelez.
Two such ransomware attacks in close succession show how vulnerable our systems can be and, importantly, how debilitating such cyber intrusions are.
Buying insurance coverage for cyber risk looks like an easy, throwaway solution: it lets companies and individuals transfer some of their financial exposure to insurance markets. Look closely, however, and the cyber risk insurance market is immature and coverage is still less than ideal. It is not clear whether this is due to low levels of awareness or whether some companies, after conducting a cost-benefit analysis, have little incentive to invest in preventing such cyber loss. Even when corporates do decide to buy coverage, the types of losses covered in stand-alone cyber policies can vary significantly across providers. There are also big differences as to which types of liability would be covered – for instance, whether ransomware is covered at all. Furthermore, cyber incidents can cause damage to business reputation and future business, which are often difficult to quantify.
With the scare of WannaCry and the so-called Petya or NotPetya malware, interest in insurance may well rise. Nonetheless, as the Organisation for Economic Co-operation and Development (OECD) points out, for insurance to have a real impact on risk reduction, the market must offer a material level of coverage to a large share of individuals and companies – and such wider availability is not currently the case.
The insurance market can enhance the management of cyber risk by promoting awareness, encouraging measurement, and providing incentives for risk reduction. As part of its work on the digital economy, the OECD is addressing impediments to cyber insurance. The report prepared for the G7 Presidency and the G7 Finance Ministers and Central Bank Governors’ meeting held earlier this year argues that, given the impact on economic and social prosperity, governments need to play a key role in supporting the development of this market; it also outlines the crucial obstacles to that development which governments need to address.
First, the report argues that the policy community could improve public policies for managing cyber risk, such as offering incentives for businesses to measure and manage their exposure to cyber risk. Secondly, insurance regulators should be key stakeholders when cybersecurity matters are coordinated across government bodies. Thirdly, governments could consider requesting that insurance companies provide more transparency and clarity on the extent of coverage and on the losses that are excluded. Another major impediment to an effective insurance market is the lack of sufficient, good-quality data on the frequency and impact of cyber incidents and on related claims payments, which is needed to drive confident underwriting of insurance coverage.
A number of national level and insurance company initiatives are already underway.
The upcoming implementation of the EU General Data Protection Regulation seeks to establish uniform notification and disclosure requirements, fines, and an environment in which victims of data theft can pursue compensation.
Europol works closely with the Netherlands’ Police National High Tech Crime Unit, Kaspersky Lab and Intel Security to combat ransomware by helping victims recover encrypted data without paying ransom, as well as providing guidance on countermeasures to prevent infection.
In the United States, the Federal Trade Commission (FTC) specifies that a company’s failure to update its systems and patch vulnerabilities known to be exploited by ransomware could violate the FTC Act. The FTC may also consider the accuracy of promises made to consumers by an organisation regarding the security of its systems. Data security laws may also apply where ransomware attacks are successful on account of companies’ failure to implement reasonable safeguards.
Nearer to home, the Governments of the Republic of Korea and Japan are considering insurance policies for SMEs, which are not perceived to have the financial or labour capacity of larger organisations to improve their own cyber resilience.
The OECD report specifically cites work in Singapore within the NTU-MAS Cyber Risk Management project (CyRiM). A government-industry-academia research endeavour that also integrates inputs from global insurance companies and IT security experts, CyRiM will facilitate research on a wide range of topics – longevity risk financing, actuarial science and insurance economics. It will also recommend policies to the Singapore government on advanced cyber risk protection and prevention in this area. Focus areas will include security data analytics, infrastructure and strategies to improve the protection of corporate assets and data.
As cyber threats have impacts across borders, another key issue that needs to be addressed is how regional organisations can encourage public-private and private-private partnerships to increase regional cyber resilience. This is especially relevant to the Asia Pacific region, where national market and regulatory frameworks are not always strong enough. Government has a large role to play not only in ensuring the development of coherent digital security and privacy protection risk management practices, but also in the development of this market by supporting business solutions which, while ultimately serving their own interests, can ideally lead to enhanced cybersecurity and reduced costs. If successful, this is especially beneficial given the concern among cybersecurity experts across regions that the costs of cybersecurity are often unrealistic and unsustainable.
About the author
Caitríona Heinl is a Research Fellow responsible for cyber policy and strategy, within the Cyber Risk Management project at Nanyang Business School, NTU. This piece is written with Tina Sim and Janet Loh of Nanyang Business School College Communications.
This commentary was published on The Business Times on 19 July 2017.