"A Bold Approach to Cyber Risk Management” - Opening Address by Mr Bernard Wee, Executive Director, Monetary Authority of Singapore, at the Asia Cyber Risk Summit on 16 May 2016
Professor Ravi Kumar, Dean, Nanyang Business School
Professor Shaun Wang, Director, Insurance Risk and Finance Research Centre at the Nanyang Technological University and Chairman for today’s conference
Ladies and gentlemen, good morning.
A. Global Cyber Risk Landscape
1 Thank you for having me this morning at the Asia Cyber Risk Summit. At some point, most (if not all) of us would have been targets of a cyber attack, even if it was something as simple as a phishing email.
2 Today’s cyber attacks are more frequent, more sophisticated, and more costly:
a. JP Morgan Chase’s data breach involved 76 million households and 7 million small businesses (that’s more than the number of people in Singapore);
b. An episode of ATM hackings from thousands of accounts in US, Japan and the Middle East stole USD 45 million within hours.
3 PWC’s 2015 Global State of Information Security survey found that over 100,000 cyber attacks occurred every day in the world in 2013, representing a 66% increase every year on average over the previous four years. Cyber attacks have progressed beyond individual hacktivism, to organised crime and sabotage. They have also advanced beyond a mere direct hacking of an individual’s or a single company’s computer systems to attacks on third party vendors’ systems, which are often the weakest links in interconnected global supply chains. There are also situations where attacks were targeted at critical sectors at large, including the financial sector, as we saw in the attack against South Korean banks and broadcasters in 2013 [1].
4 Damage from a cyber attack goes beyond the immediate loss or breach of the sensitive information or intellectual property. There could be wide-ranging and long-term impact, including business interruption, financial losses, physical damage to property and loss of reputation. Cyber attacks could also have prolific impact on clients, supply chain, data and equipment riding on a similar system. A McAfee report [2] estimated losses from cyber risks to be between USD 300 billion and USD 1 trillion a year. This is much higher than losses from natural catastrophes, which averaged just USD 200 billion [3] over the last ten years.
5 Organisations should enhance their cyber resilience capabilities with the objective of limiting the escalating risks from cyber threats posed to them. It is necessary to adopt a multi-pronged approach to enhancing cyber resilience. Given that a successful cyber attack is no longer a question of “if” but a question of “when”, organisations need to have the resources to not only recover their systems and operations swiftly and safely after a successful attack, but also to sustain themselves financially.
6 Hence, cyber insurance is equally important, not only in mitigating losses when security breaches occur, but also by creating incentives through the pricing of premiums for firms to manage their cyber risks appropriately. Cyber insurers also partner with forensic risk assessment firms to provide risk insights, both before and after cyber events, which help firms to develop structured cyber crisis responses.
B. Demand Challenges
7 Despite growing risks, cyber insurance adoption by SMEs remains low at less than 10% [4]. Penetration also varies by sector. Manufacturing companies have a take-up of less than 5%, compared to financial services, technology and telecommunications companies (35-42% [5]).
8 Nevertheless, cyber insurance is gaining traction. Prompted by the wave of high profile attacks and new data protection rules introduced in Europe and Asia, annual gross written cyber insurance premiums have grown by 38% per annum over the last five years, from USD 500 million in 2009 to USD 2.5 billion in 2014 [6]. The global cyber insurance market is expected to reach USD 7.5 billion by 2020 [7]. But distribution is uneven: the US is expected to account for 90% of market share, followed by Europe (USD 150 million). Asia, alas, is expected to remain negligible.
9 Cyber insurance adoption in Asia has clearly not kept pace with the proliferation of technology in the region, even though Asia accounts for 42% of the world’s internet users [8], has the highest mobile phone penetration and is home to the fastest growing cloud computing market.
10 But therein lies significant opportunity for cyber insurers here. The cyber security market in the Asia Pacific region is projected to grow at over 15% per annum from now until 2019 [9]. Munich Re expects Asian market volumes for cyber covers to grow to as much as USD 1.5 billion in 2020 [10]. In Singapore, AIG estimates that cyber insurance penetration could rise from 9% today to 40% by 2020.
C. Supply Challenges
11 Even as cyber insurance demand grows, insurability remains a problem. Cyber insurance policies are not standardised, and the terms and exclusions can vary dramatically from one insurer to the next. For instance, some policies cover only first party losses (e.g. lost revenue and continuing operating expenses or cost of restoring or re-creating lost data), others cover only third party liabilities (e.g. claims brought against the insured by those whose private data have been breached), while others yet cover both. Then there are the usual issues of adverse selection, lack of historical data and the dynamic nature and randomness of cyber risks that impede the development of the market.
12 Of these issues, scarcity of data is the principal problem contributing to the lack of understanding of this growing and dynamic risk. Underwriting is hindered by the lack of publicly available data on the scale and financial impact of attacks. There is also insufficient historical data to assess potential losses beyond the short term physical costs (e.g. getting computer systems back online), which include longer term and harder-to-assess costs like brand impairment and compensation to customers and suppliers. This has also resulted in a lack of models and analytics to underpin confident, accurate underwriting for the sector, resulting in insurers holding back from providing cyber coverage. The insurers and reinsurers which do provide cyber coverage seek to cushion the uncertainty by setting high deductibles, low coverage limits and significant exclusions, which further impacts demand for such products.
D. A Bold Approach to Cyber Risk Management - Singapore Cyber Risk Management Project
13 To facilitate the systematic collection and modelling of cyber risks data, MAS is pleased to be part of the launch of the Cyber Risk Management Project today. The first of its kind in Asia, the Cyber Risk Management Project is a unique endeavour, bringing together industry, academia and government in a partnership to tackle demand and supply challenges confronting the cyber insurance marketplace:
a. On the demand side, it will engage potential buyers of cyber risk insurance, starting with businesses in high-risk sectors, through dedicated cyber risk workshops and conferences, to help build knowledge and awareness. A cyber risk assessment tool will also be developed to help buyers understand the extent and sources of their cyber risk exposure;
b. On the supply side, it will aim to create reliable databases, methodologies, analytical tools and models underpinning confident underwriting, and develop new or adapt existing products more aligned to buyers’ needs. These will form the fundamental building blocks for an efficient cyber insurance marketplace in Singapore.
14 The project is led by NTU’s Insurance Risk and Finance Research Centre (NTU-IRFRC) and supported by the insurance industry and the Cyber Security Agency (CSA). I would like to thank the founding members, the Aon Centre for Innovation & Analytics, Lloyds, MSIG, SCOR and TransRe for their valuable contributions. We encourage others to pool their expertise and be part of building the foundation of cyber risk management tools for Asia.
15 The Cyber Risk Management Project has also attracted the most experienced and innovative in cyber risk academia globally, namely St John’s University in the US, the University of Waterloo in Canada, and the Geneva Association. This reflects Singapore’s value proposition as a global innovation hub, bringing together top talent to carry out pioneering financial research and development.
16 The Cyber Risk Management Project is a unique opportunity for sellers and buyers of insurance to use new assessment technologies to unlock new sources of data. This collaborative approach serves as an innovative pilot to incubate and mainstream new and emergent risks such as supply chain risks. And it is part of Singapore’s strategy to remain the leading insurance centre in Asia.
E. Singapore as a Centre of Excellence in Cyber Security
17 The Project is also part of broader efforts for Singapore to establish itself as a global centre of excellence in cyber risk management.
18 At the national level, the Cyber Security Agency (CSA) was formed in April 2015 to develop a national strategy to tackle cyber threats; and coordinate public and private-sector efforts to protect national systems in 10 critical sectors including power, transport, telecommunications and banking from increasing cyber threats. A new Cyber Security Act will be tabled in Parliament next year to empower the CSA to manage cyber incidents and raise the standards of cybersecurity providers in Singapore. The initiatives championed by CSA are crucial in supporting Singapore’s transition to a Smart Nation, which will be highly dependent on IT systems and automation.
19 Within the financial sector, MAS has continued to exercise our supervisory oversight of cyber security risks through onsite inspections and offsite supervision of financial institutions. At the same time, we set out minimum expectations and guidance for managing technology and cyber risks in the Technology Risk Management Guidelines, which we last revised in 2013, as well as through circulars and advisories issued to FIs.
20 MAS also works closely with the financial industry, such as the Association of Banks in Singapore and Insurance Industry Standing Committees on Cyber Security (SCCS). One of the public-private partnership initiatives which MAS and the ABS SCCS were involved in was the development of penetration guidelines for the financial industry in 2015. We will also be announcing new public-private partnership initiatives later this year.
21 Let me round off by reiterating the important role that insurance plays in helping governments, businesses and individuals better manage cyber risk. Its unique ability to carry out risk assessment, and to put a price on cyber risks, is at the heart of promoting good cyber risk management practices.
22 Once again, I would like to congratulate NTU-IRFRC, the Aon Centre for Innovation & Analytics, Lloyds, MSIG, SCOR and TransRe and supporting partners on the launch of the Cyber Risk Management Project, and wish everyone a fruitful discussion ahead.
[1] In March 2013, the computer networks of three South Korean broadcasters and four banks (Shinhan, Nonghyup, Jeju and Woori), came under cyber attack. Shinhan Bank’s Internet banking servers were temporarily blocked. Shinhan Bank had also reported that service to their ATMs, payment terminals and mobile banking were affected. Nonghyup and Jeju had reported that their systems were paralyzed after computers were infected with malware and their files erased. Woori had reported that it suffered no damage from the attack.
[2] McAfee 2014 Report on Global Cost of Cyber Crime.
[3] Swiss Re 2014.
[4] Geneva Association Report for G20.
[5] Aon’s Global Risk Management Survey 2015.
[6] Aon Global Risk Insight Platform.
[7] Insurance 2020 & Beyond: Reaping the dividends of cyber resilience, PWC, September 2015.
[8] 2014 Asia-Pacific Insurance Outlook - EY.
[9] Research and Markets forecast.
[10] Munich Re, January 2016.