The cost of insurance in a digital world

By Lim Teck Wee, Head of ASEAN, CyberArk


Source: CyberArk. Lim.
One often turns wary and perhaps cynical when considering what type of insurance coverage to get. Questions like ‘I have never required it before’ and ‘Is it necessary?’ race through one’s mind when faced with the steep costs of premiums. Unless you have generously deep pockets, you might never be at ease no matter how prudent you are.

The same could be true for businesses surveying the rapidly increasing costs of cyber insurance. As more businesses grow their presence online, cyber insurance is slowly gaining traction as a protection against future catastrophes. Commenting on the insurance industry’s growth in 2021, the President of the General Insurance Association, Ronak Shah, shared that “For 2022 and beyond, cyber risks and sustainability will become increasingly pertinent issues for the sector”.

As the name suggests, cyber insurance policies are designed to help organisations mitigate losses incurred in the event of a data breach or cyber-attack. Policies differ based on the severity of cyber risk faced by an enterprise, but across the board in Asia Pacific and globally, premiums are skyrocketing.

Cyber risk has emerged as a threat with even greater real-world consequences as we become increasingly digitised. The past two years have radically accelerated digital adoption, not least for the sake of business continuity. Today, firms are looking to extend hybrid work to maintain flexibility for their workers. The key component facilitating this is sophisticated technology, but with greater IT complexity comes greater vulnerability to cyberattacks. Recent years have seen a notable shift in the management and intricacy of IT estates, prompting a worrying rise in such incidents.

In the past couple of years, headlines were filled with accounts of high-profile cyberattacks. The SolarWinds attack affected thousands of affiliated networks worldwide at the end of 2020. Preliminary investigations and remediation costs for the software company were estimated at US$18 M. 

Singapore – like any other country – is no stranger to cybersecurity breaches and stolen data. Various high-profile data breaches last year resulted in customers having their personal information stolen. Singapore Deputy Prime Minister Heng Swee Keat noted in his opening speech at a recent event that globally, there was a “fifty percent increase in cyberattacks on corporate networks last year, and a 20-fold increase in ransomware attacks against governments”.

According to IBM research conducted globally, the cost of a data breach rose to about US$4.24 M in 2021, the highest average cost in about 17 years. Globally, cyber insurers have responded with rapidly rising premiums and stricter required security controls. Estimates have put premium rises at 50% and some premiums have doubled as insurers are faced with rising payouts.

Yet, insurers are still suffering painful losses. According to a 2021 S&P Global report, cyber insurers’ loss ratio – the costs and claims payments divided by total premiums – increased for the third consecutive year in 2020, climbing beyond 25% from year to year.

Business interruptions, compensation to impacted customers, and regulatory fines are all consequences of a successful cyberattack. For organisations here and in the region, having insurance against cybersecurity breaches is a proven lever for business risk mitigation. But with premiums skyrocketing, the interplay of insurance and security tools has become the steadfast answer in dealing with increased cyber risks and rising insurance costs. To lower the costs of premiums, high standards of cyber threat resilience must be met. This is done through the adoption of certain cybersecurity protocols.

Heightened risks produce new business models and subsequently, advanced security controls are becoming a prerequisite for insurance. Yet the question of what to look for when seeking cyberthreat protection from an external vendor remains. The first thing to keep in mind for a Singapore business is that it is non-negotiable that the provider is licensed by Singapore’s CSA to operate within the country. This safeguards customers’ interests, while providing legitimacy for providers and satisfying cyber insurers.

Most cyber insurance underwriters require industry-standard protection such as multifactor authentication (MFA) to positively confirm the identity of remote employees and privileged users such as system administrators or third-party IT support vendors. They also assess whether the organisation has in place identity security controls such as privileged access management (PAM) and Zero Trust policies. Zero Trust vets users thoroughly and does not offer access based solely on the physical or network location of users and devices. PAM protects and audits the access of privileged users for specific functions, providing them access for such functions only over a limited time.

In addition, insurance companies consider whether the organisation has established best cyber practices. These may include employee education programmes that raise cyberthreat awareness, such as educating workers or customers on the appearance of phishing scams that may be used as vectors for a security breach. Other ways to illustrate best practices also include incident response plans to ensure policyholders have detailed ransomware playbooks and threat detection and mitigation plans in place.

Raising awareness of the cybersecurity and threat landscape not only strengthens security posture, it also reduces premiums and ensures that cyber insurance protects, rather than costs the business. While still a comparably young sector here, cyber insurance is gaining momentum and will no doubt come to be a key element of business models. If companies can identify their diverse levels of cyber risks, they can deploy solutions that shield themselves from the worst effects of attacks and determine the best coverage for respective assets to offset losses.
