We hear about Cyber attack impacting companies or government regularly (while writing this article, i read a data leak of 14,200 HIV patient in Singapore, less than a year after the cyber attack on SingHealth that had exposed 1.5 M medical data). Despite all the noise around cyber risks, it seems that companies and their insurers have not yet realized the level of risks they are facing. A recent report published by Cyber Risk Management (CyRim) – a project led by Singapore Nanyang Technology University in collaboration with Cambridge and financed by many large insurers like Lloyd’s – is likely to scare them, as it shows how companies and insurance companies are at risks in event of global cyber threat.
A global threat
This study simulates the potential impact of a serious coordinated cyber attack on a global level through a ransomware sent via company emails. Based on various simulations, estimated damages vary from 85 to 193 billions of US dollars. It is as much as Harvey storm that wipe out United States in 2017 (85 billions of damages according to Munich Re).
There has not been an attack as important as the one that has been modelized by CyRim but it can happen and it is useful to understand the damages that such attack can cause. It also helps insurers understanding the level of risks as they are currently lacking data to estimate potential losses: indeed, a lot of companies currently facing cyber attack are not sharing information as they are not well insured and the risks keep changing as well.
Asia classified as 3rd affected area
Without surprises, most of claims will be registered in USA, about 50% of all estimated claims. It will mostly affect large companies service sectors such as Finance, Healthcare and Retail, and causing significant disruption in US financial market.
Europe will comes 2nd with 35 to 39% of the claims. It has a lower impact as it will mostly affect medium sized companies, due to poor cyber defense, less the large multinational companies, so financial losses will be lower than in USA.
As for Asia, it should represent around 8% to 10% of total estimated claims. It will have a lower impact as USA and Europe as its company are less exposed. It will impact mostly the manufacturing companies across Asia and China will be the most affected country in the region.
Low level of coverage
Impact of such attack will be huge for insurers. It will involved both standalone policy as well as standard policies without written exclusion regarding Cyber security risks. Most of indemnity payable will be related to loss of profit, which is estimated to reach 10.2 to 27.3 billions dollars depending on each simulation done. This amount is much higher than premium collected for Cyber risks, which is estimated at USD 6.4 billions in 2019.
Despite that, the part taken care by insurers will only represent a small part of total losses. It is estimated that insurers will only have to cover 9 to 14% of damages caused (depending on simulation): the majority of the losses will be supported by companies, showing how most companies are badly covered for such risks. The needs of proper Cyber insurance coverage is however much more important than what the market can offer: most insurers remains very cautious with this risks and will set restriction or low annual limit to reduce their exposure.
The report highlight the fact that cyber insurance needs will grow significantly. But if companies can only cover 10% of their potential losses due to policy restriction or policy limits, then insurance will remain a limited part of their risk management strategy: currently, companies spends an estimated amount of 120 billions USD for their cyber security but only 6 billions for cyber insurance. Companies will remain under insured until insurance companies grow their capabilities for facing global cyber risks.
To know more about CyRim report, you can download it here.
If you have questions about cyber insurance or looking for insurances for your risks in China, Singapore or Hong Kong, do not hesitate to contact us.