Thought leadership article

A primer on cyber insurance and the use of models

Global cybercrime is estimated to inflict total economic losses of USD 8 trillion in 2023, with damage costs projected to increase to USD 10.5 trillion annually by 2025. The Asian cyber market, where high vulnerability to cyberattacks is driven by digitalisation, increasing internet penetration, and changes in global supply chains, is still growing, with varying levels of penetration across different countries. The development of cyber risk models is crucial for insurers to understand and manage the complexity of cyber risk effectively. There is a need for collaboration among stakeholders, including governments, to address cyber risks and improve cyber incident data collection, policy standardisation, and legal clarity on exposure and coverage.

Introduction

The world’s first cybercrime allegedly happened in 1834, when attackers stole financial market information by "hacking" into the telegraph system in France. The modern version of cybercrime took place in 1962 when Allen Scherr attacked the MIT computer networks via punch cards to steal passwords from databases. Since the 2010s, cyberattacks have exploded in terms of scale, scope, sophistication, and damage.

After gaining prominence recently, cybercrime and cyber insecurity went down in the 2022 World Economic Forum (WEF) annual tabulation on major risks, overshadowed by fast-evolving geopolitical events and increasing anxiety about the world sleepwalking into a climate crisis. But cyber remains the 8th most prominent short-term and long-term threat. For business, it was the 4th most significant short-term risk, after the cost-of-living crisis, natural disasters and extreme weather, and geo-economic confrontation.

Importantly, this does not mean cybercrime and cyber security are less of a threat – indeed, attacks have become more prevalent. It is observed that for many corporations, efforts to strengthen cyber security are part and parcel of what they do on a daily basis.

The global and Asian cybercrime and cyber-insurance market

Size and state of the global cyber market

An accurate figure on the size of the global cybersecurity market is hard to come by, either in terms of damages from cybercrime and attacks, spending on cyber security or cyber insurance. For instance, damages and losses come in many different forms, from stolen money to loss of intellectual property and reputation damage, many of which are hard to quantify. Often, companies that fell victim to cybercrime failed to report it. As such, any estimates are, at best, eyeball approximations of the scale of the problem.

According to one estimate by Cybersecurity Ventures, cybercrime is predicted to inflict total economic losses of USD 8 trillion globally in 2023 (or USD 255,000 a second, or USD 21.9 billion a day). Damage costs are projected to increase to USD 10.5 trillion annually by 2025, compared to USD 3 trillion in 2015. Separately, an assessment by Moody’s showed that around USD 22 trillion of rated debts (28% of the total) have high or very high cyber risk exposure. Utilities are generally considered to have very high exposure, but banks, hospitals, and telecommunication networks are also facing high risk.

As losses (and potential losses) mount, defence is also becoming more urgent, with estimates suggesting cybersecurity spending is on track to exceed USD 1.75 trillion cumulatively between 2021 and 2025. At the same time, insurance purchases have increased. For example, a US Government Accountability Office (GAO) study showed the share of insurance clients opting for cyber coverage has increased from 26% in 2016 to 47% in 2020.

In recent years, standalone cyber insurance has been one of the fastest-growing business lines. The market size is variously estimated at USD 9-14 billion in 2022, with the US being the biggest market. Lloyd’s predicts the market for cyber insurance will treble in size to GBP35 billion (USD41 billion) by 2030, from GBP12 billion (USD 14 billion) in 2022.

The state of the market keeps changing as new threats arise and countermeasures are put in place. Some of the global trends in the cyber insurance space include:

  • The increasing frequency and scope of attacks have resulted in insurers reducing coverage limits for some vulnerable industry sectors in recent years.
  • At the same time, more insurers are participating in the market, and products are increasingly specific to cyber risk (standalone) rather than bundled with other coverages. In light of strong demand but tight capacity, some players are making a case for cyber insurance-linked securities (ILS). Early in January 2023, Beazley launched the market’s first cyber cat bond.
  • The nascent cyber insurance market is still plagued by problems related to the unavailability of data and a lack of common definitions and standards.
  • The COVID-19 pandemic is believed to have driven more traditional criminals online, and a broader array of actors are now active in cyberattacks.
  • There is also a trend that cyber threats are bridging the gap between information technology (IT) and operational technology (OT) or that IT and OT risks are coming closer together. This means while in the past, IT cyber incidents did not involve physical losses, with automation and increasing digitalisation of operational processes, the risk of physical losses due to cyber threats is growing (see Figure 1 below).

This article was written by Edward Shen, Head of Casualty Product Underwriting, Peak Re. The article is reproduced with the kind permission of ICMIF Supporting Member Peak Re.

The original article is provided in English only. Any translation to other languages via the ICMIF website has not been done by Peak Re, and therefore Peak Re are not liable or accountable for those translated versions.

Published July 2023

Figure 1: OT industries targeted in 2022

Source: IBM Security X-Force Threat Intelligence Index 2023. Figures refer to the proportion of IR cases by OT-related industry to which X-Force responded in 2022.

Size and state of the Asia cyber market

The increase in internet penetration in Asia has turned the region into a hotbed for cybercrimes. It was only a few years ago when the term “Cyber Five” was coined to denote the vulnerability of Singapore, Australia, Japan, New Zealand and South Korea to cyberattacks due to their heavy reliance on technology. Countries in the ASEAN region have also gained attention of late, as more attacks have been launched from these locations, and their rising internet penetration renders them vulnerable to attacks.

Figure 2: Incidents by region, 2020-2022

Source: IBM Security X-Force Threat Intelligence Index 2023. Figures refer to the proportion of IR cases by OT-related industry to which X-Force responded in 2022.

According to the IBM Security X-Force Threat Intelligence Index 2023, APAC remains the most attacked region, with a 31% share in 2022, up five percentage points from 2021 (see Figure 2). The same report also suggested that manufacturing is the most affected sector, accounting for 48% of cases, and spear phishing is the most common infection vector at 40% across the APAC region.

While improvements have been observed in tackling some deficiencies in garnering a coordinated response to cybercrimes, like capacity building and instilling a strategy mindset among key stakeholders, much still needs to be done to manage the problem effectively. In addition, the increasing "informationisation" of strategic competition among nation-states further complicates the issue.

Again, there are no public and reliable figures on the size of the Asia cyber insurance market. Given the dominance of the US market and the high level of under- and un-insurance in Asia, the premium pool is likely to be less than USD 500 million. Transparency and awareness are relatively lower, partly due to cultural factors and the lack of mandatory notification requirements as in the US. Some of the trends in individual markets are summarised in Table 1.

Table 1

China
  • The country’s Cyber Security Law was enforced in 2017, but thus far, there have not been large data breach claims like those in the US. This has limited incentives to buy cyber insurance and the size of the market is estimated to be USD 30 million in 2022.
  • Recent cases of cyberattacks, ransomware and cyber extortion are said to be increasing, thus prompting more interest in cyber insurance.
  • Regulators and government bodies are promoting cyber insurance with industry associations. At the same time, Insurtech companies and security service providers for cyber insurance are fast developing.
  • Comprehensive cyber coverage is available, while different customer groups are looking for different tailor-made coverages as well.

Hong Kong
  • There is increasing demand for cyber insurance from a low base, supported by government initiatives like the "Cyber Security Fortification Initiative" of the Hong Kong Monetary Authority in May 2015.
  • Recent high-profile cases involving airlines and coffee shop chains have helped to raise awareness.
  • Cyber coverages are available mostly through foreign insurers operating in Hong Kong. Penetration among SMEs is believed to be extremely low due to affordability reasons.

India
  • Alongside some recent high-profile data breach incidents, the take-up of cyber insurance has risen steadily. Cyber insurance penetration is mainly for large corporate risks so far, and it needs time to develop for SME risks.
  • Large IT companies and banks are currently the main cyber insurance buyers. Manufacturers are also considering it. It is believed that there is sufficient capability of local IT service providers for cyber insurance.
  • In 2022, it is believed that there were around 1,000 standalone cyber insurance policies with around USD 30 million premiums in the Indian market.

Southeast Asia
  • The market is still nascent, and premium volume is believed to be very small.
  • Cyber cover is offered mainly as part of commercial package policies.
  • Some US-invested companies brought standalone cyber covers in line with their global risk management practices.

Japan
  • Despite low penetration, Japan’s cyber insurance market is the largest in Asia, with estimated premiums of around USD 200 million in 2022.
  • Legal liability of information-handling institutions includes damages to clients for the distress caused by the leakage of personal data. By custom, many claims ended up paying a nominal JPY 5,000 - 10,000 to each person.
  • Business interruption coverage is only provided on an optional basis and the penetration rate is believed to be around 10%.

South Korea
  • Given the country has one of the most stringent data protection regimes in Asia, like the Electronic Financial Transactions Act, penetration of (low limit) cyber liability insurance is high in Korea, covering mainly third-party liability arising from data leakage.
  • Demand for comprehensive cyber coverage, including first-party covers, is said to be low.

Singapore
  • Cyber insurance is not mandatory, but high-profile loss events around Singapore and Southeast Asia have raised awareness.
  • However, demand is said to remain limited, with most efforts focusing on cyber hygiene and threat identification.

Asia’s vulnerability to cyber risks

Many factors have contributed to the high vulnerability of Asian markets to cyberattacks and cybercrimes. For instance, Asia is going through a fast pace of digitalisation. The share of the population in China with internet access stood at 1.78% in 2000 but rose to 73.05% in 2021.[1] At the same time, there is high adoption of e-commerce, online shopping and online banking. A survey conducted by McKinsey suggested that 88% of Asian respondents are active digital-banking users.

The outbreak of the COVID-19 pandemic further accelerated the region’s digitalisation trend, as more workers opted for remote working and public services were migrated online. Along with this, global supply chains have changed, with increasing diversification of production across multiple Southeast Asian and South Asian countries. Table 2 below illustrates some major cyber events reported in 2022.

Table 2
  • Optus: The details of 11 million customers were leaked in a major data breach at an Australian telecommunication company.
  • Medibank: The Australian health insurance provider suffered a data breach affecting 9.7 million people.
  • AirAsia: Initial investigation suggested the cyberattack resulted in unauthorised access to the data of five million passengers and staff.
  • Banks in Malaysia: Cybersecurity Malaysia and the Malaysia Department of Personal Data Protection have been asked to investigate claims of data leaks affecting approximately 13 million customers.
  • Toyota: The automaker confirmed third parties may have gained access to its customer details between December 2017 and September 2022.
  • Insurers: Insurers, including AXA and Tokio Marine Insurance Singapore, were subjected to ransomware attacks.

Cyber models to help manage cyber risk

Development of cyber models

While there are many factors that will drive and define the future of the cyber insurance market, including standardisation of products, improving legal certainty of cyber exposure, growth of cyber-MGAs, etc., the development of a cyber insurance model is arguably one of the most important tasks for the industry to better understand the complexity of cyber risk and its ramifications.

However, compared to many of the other insurance business lines, developing analytic models on cyber risks has proven to be challenging due to the following:

1. There is only a short history of cyber incidents and damage, and the data are often scarce and incomplete, particularly in the Asia-Pacific region.
2. The threat vectors, agents and actors (state, state-sponsored, private, hacktivist etc.), and channels are fast-evolving. In the words of a report by the US Federal Reserve Bank of Chicago, “yesterday’s attacks do not necessarily inform us about tomorrow’s risks”.
3. The scalability of cyberattacks means there could be significant interrelated losses across geography and business lines for insurers and reinsurers. Modelling the infection of computer viruses or the cascading effect down supply chains will be important in understanding the full ramifications of cyber incidents.
4. Furthermore, the damage of cyberattacks could arise from secondary impacts, including non-tangible losses like loss of talent and reputational damage.

These considerations could render traditional assumptions regarding the frequency-severity of loss events insufficient, particularly for systemic cyber risks.


CyberCube and Peak Re

Using a probabilistic model is important in assessing probable loss scenarios, including accumulations, as cyber risks could be systematic and systemic. Moreover, different players in the insurance value chains (primary insurers, brokers, reinsurers etc.) will need different functionalities from models. Many models nowadays are also supplemented by AI and machine learning.

In March 2023, Peak Re selected cyber risk analytics specialist CyberCube to help quantify client cyber exposure. CyberCube’s model helps underwriters to know about their cyber risk accumulation and develop insights for their senior leaders and teams. Importantly, it also allows stress testing of cyber insurance risk portfolios so that loss drivers and potential accumulation events can be identified.

The partnership with CyberCube’s platform will help to enhance Peak Re’s presence in the cyber market with greater confidence. In addition, data-driven analytics will give Peak Re a deeper understanding of accumulation risk and help better serve customers in anticipation of growing demand for cyber reinsurance globally.


Conclusion

One thing is certain: cyber threats will continue to evolve and remain a top concern for all stakeholders. As a result, insurers and reinsurers will need to deepen their understanding of the risk landscape further, leveraging models, scenarios, analytics and data. Nonetheless, in order to manage cyber risks, more actions from other stakeholders (in particular governments) will be needed, including government support in cyber incident data collection, standardisation of policies and improving legal clarity on exposure and coverage.[3]

[1] Source: World Development Indicators, The World Bank
[2] Source: Financial Institutions Data Breaches on Deep Web, SOCRadar; IOTW: Everything we know about the Medibank data leak, Cyber Security Hub; IOTW: Toyota admits to a data breach after access key is posted on GitHub, Cyber Security Hub; Optus: How a massive data breach has exposed Australia, BBC; Top 5 data breach incidents in Southeast Asia in 2022, Techwire; Fahmi Confirms Data Leak Involving 5 Million AirAsia Passengers Result Of Cyberattack, Business Today
[3] For instance, with an increasing amount of stolen personal data in circulation, it is increasingly difficult for an affected consumer to prove a specific data leak incident resulted in a specific financial loss. Some jurisdictions also contend that massive data leaks do not automatically lead to mental distress that warrants compensation.