Cyber insurance in Malaysia: Addressing the gaps in traditional insurance
Maphilindo International, one of the largest loss adjusting service providers in Malaysia, recently organised a small group briefing for IT and business decision makers, to raise awareness about the importance of cyber insurance, against a rapidly evolving risk landscape.
The need for insurance against risks like cyber attacks and litigation (cyber liability protection, as some insurance companies call it) is very real these days. There is more at stake today than there was over a decade ago, when a business only had to worry about what was in the physical world: employees’ safety and well-being, protection of properties and other physical assets from damage and loss, and so on.
What some insurance service providers may propose with, say, a Cyber Liability Protection product addresses gaps in traditional insurance, which does not recognise electronic data and hence does not recognise damages that result from compromised electronic data.
Traditional crime policies also usually cover only direct loss from theft of money or other tangible property, and the broadened coverage under a computer crime extension will at most cover the cost of restoring corrupted data. It still expressly excludes coverage for loss of the data itself, and for damages that result from that loss.
So, there is a lot that is still left unprotected.
Not to mention, the risk of litigation is also on the rise.
For example, in Malaysia, the Personal Data Protection Act (PDPA) came into force in 2013, and the penalty for non-compliance is anywhere between RM100,000 and RM500,000 and/or 1-3 years of imprisonment.
Now, in the event of a cyber breach, there are standards that the Securities Commission (SC) requires the capital market to adhere to. Capital market entities must comply with breach notification requirements, an exercise that has been implemented and enforced in phases since March this year and which is expected to end by December 2018.
So far, companies are required to notify the regulator, SC, and not their users, when a breach occurs. They do this by filling in a form, which should include information such as the organisation that was involved, the impact on systems, assets or information, where the attack came from, and what a possible resolution is.
A popular industry opinion is that, while it may not be in the statute, companies are obliged to inform customers of the possibility of their data floating around in cyberspace. This is an expensive effort, and something whose cost insurance can potentially cover.
It is also a popular opinion that the final stage of SC’s breach notification enforcement will involve all public-listed companies.
Cyber policy, crime policy
Insurance policies for crime and insurance policies for cyber incidents may seem to protect the same thing, but each protects against a different possible risk outcome.
Broadly and generally speaking, crime policies insure against loss of tangible things like money and merchandise, while cyber policies insure against loss of intangible things like data. Cybercrime insurance also covers losses incurred by third parties. The customers of a company that has been hacked are third parties; they suffer indirect losses when their data is stolen by the hacker. The company (and policy holder) that was hacked is the first party, the one that suffered a direct loss.
These aren’t hard and fast definitions. The lines keep blurring and changing, especially these days, as cybercriminals get more creative about how they infiltrate and what they take.
To date, only about 3 insurance companies offer cyber insurance in Malaysia: AIG, Chubb and Allianz. Between them, there are only 60 cyber insurance policies in the whole of Malaysia.
A few months ago, Reuters reported that the cyber insurance market has been slow to develop. In the report, Allianz board member Axel Theis said he had thought the market would grow more quickly and more aggressively than it has. Instead, it is only now starting to pick up, thanks to the wake-up jolt the WannaCry ransomware gave to businesses all around the globe.
This is a thought echoed by others when asked why there may be a ramp-up in cyber insurance queries and take-up. A popular comment about the challenges to cyber insurance take-up so far is that it has been difficult to determine what a good insurance risk is.
How does one accurately determine the extent of damage from a cyber attack? Difficulty in answering this makes it nigh impossible to answer the next all-important question: how do we decide the price of the premium against the sum insured?
To these questions, Maphilindo believes that both parties, the prospect and the insurer, have to disclose all facts truthfully. It may or may not come out during the ‘disclosure’ process that there are further challenges that increase the risk of cyber incidents, for example Shadow IT.
Despite this, there is no third-party assessment of the environment as there was before, so there is heavy reliance upon pure trust. That said, the organisation that wants to take out a cyber insurance policy has to complete an Information Security and Privacy self-assessment, on average a 20-page endeavour.
Usually, every million ringgit of insured value incurs a premium of RM10,000 per annum.