Mr Heng Swee Keat, Deputy Prime Minister, Coordinating Minister for Economic Policies and Minister for Finance announced the launch of the Global-Asia Insurance Partnership, a tripartite partnership between the global insurance industry, regulators and academia, to produce actionable research insights, develop policy recommendations, and co-create innovative solutions for the region.
"Building Resilience against Cyber Catastrophes" - Speech by Ms Elean Chin, Division Head, Monetary Authority of Singapore, at the Cyber Risk Management Project's Scenario Project Launch on 29 January 2019
Ms Angela Kelly, CEO, Lloyds Singapore
Ladies and Gentlemen
1. Thank you for inviting me to join you today. Let me begin by congratulating the Cyber Risk Management Project or CyRiM, on the launch of this very important cyber scenario report.
2. It has been nearly 3 years since the launch of CyRiM in May 2016. Since then, the cyber risk landscape has evolved significantly. In an increasingly digitised world, cyber attacks are becoming an almost daily occurrence. Cyber attacks have also become more sophisticated, complex and harmful, involving social engineering such as phishing emails, malware, and ransomware, including Petya, WannaCry and NotPetya. Today, cyber risk is one of the biggest threats to doing business, according to the World Economic Forum’s 2019 Global Risk Report.
3. Here in Asia, the likelihood of cyber-attacks is unfortunately disproportionately higher than in other regions. Asia is one of the most digital connected economic blocks, with high internet connectivity and smartphone penetration levels. Yet, cybersecurity investment and data breach protection laws remain inadequate. As a result, Asia Pacific saw the highest number of compromised records and security events in the first half of last year, accounting for close to 40% of global cybersecurity incidents and 30% of compromised records worldwide1. In 2017, Asia suffered US$1.75 trillion in economic losses, or 7% of its GDP from cyber attacks. The Bashe (Ba She) Report released today, aims to shine the spotlight, and put a price on a devastating cyber attack. According to the report, in the event of a major cyber attack originating from Asia, within 24 hours, data within 30 million devices could be encrypted, impacting over 600,000 firms worldwide, and costing Asia US$19 billion in economic losses, all from this single incident. In many ways, this is a modern catastrophe, and puts its close to the scale of Hurricane Andrew which devastated Florida, causing more than $25 billion in damages.
Global Legislative Response to Cyber Risk
4. To tackle this modern catastrophe, we need a new mindset, multi-faceted strategies and public-private partnership. Global efforts are underway to respond to this risk. Policymaking forums such as the OECD and G20 have made policy recommendations on cyber risk management. The FSB recently published a cyber lexicon that would facilitate communication and cyber threat information sharing. The FSB will also be setting up a new Working Group on Cyber Incident Response and Recovery (“CIRR”) this year, to be chaired by the MAS. The working group will develop a toolkit to help financial institutions respond to and recover from cyber incidents effectively.
5. In more than 70 countries, Data protection legislation has been passed, including the introduction, updates or coming into effect of legislation in China, Thailand, Japan, Australia and New Zealand. In Korea, authorities have gone a step further, by requiring information communications service providers to insure themselves, or hold significant cash reserves in the event of a data breach.
Singapore’s Response to Cyber Risk- Legislation, Knowledge and Information Sharing, and Capability Development
6. In Singapore, the Cyber Security Act came into force in August 2018, creating a regulatory framework for the monitoring and reporting of cybersecurity threats. Breach notification to the Cyber Security Agency and sector leads, such as MAS, for the financial sector, is currently mandatory for Critical Information Infrastructure (CII) owners. Proposed revisions to the Personal Data Protection Act will also make it mandatory to notify the Personal Data Protection Commission and impacted individuals of certain data breaches.
7. Within the financial sector, MAS is updating the Technology Risk Management Guidelines. This update is intended to give a greater focus on cyber resilience, as well as to provide further guidance on new technologies and emerging cyber threats. MAS will also be issuing legally binding requirements on cyber hygiene to help strengthen our financial sector’s resilience to cyber risk.
8. Aside from regulation, efforts are also underway to strengthen the cyber security ecosystem, with particular emphasis on knowledge and information sharing with the region. The ASEAN-Singapore Cybersecurity Centre of Excellence will be launched this year to strengthen ASEAN member states’ cyber strategy development, legislation and research capabilities. Within the financial services sector, MAS has partnered the Financial Services Information Sharing and Analysis Centre, or FS-ISAC, to establish its Asia Pacific Regional Analysis Centre in Singapore. The Regional Centre, which supports member financial institutions across nine Asia Pacific countries, allows its members to share and receive cyber threat intelligence. MAS has also worked with FS-ISAC on an information-sharing forum for Central banks, Regulators and Supervisors (CERES), which was launched in July 2018. The Cybersecurity Capability Grant (CCG) was also launched last year to incentivise financial institutions to anchor and deepen cybersecurity functions and operations in Singapore.
Role of Insurance in Responding to Cyber Risk
9. As part of broader cyber risk management strategy, the role of insurance in assessing, mitigating and responding to cyber risk is often an understated one. Insurance plays a critical role in pricing cyber risk through the premiums that firms pay, and through this pricing mechanism creates incentives for firms to mitigate cyber risk. Insurers are increasingly teaming up with technology and threat intelligence partners to assess a client’s cyber risk profile as part of their underwriting process, and work with clients on an ex-ante basis, to provide insights on preventative measures which can be taken to improve the firms’ cyber resilience. Cyber insurers are therefore key partners in promoting cyber hygiene, an important factor in building cyber resilience.
10. The Ponemon Institute’s 2018 report estimates that cyber insurance and incident response (which cyber insurance increasingly covers) brings down the per capita cost of data breach by about 12%.
11. Despite the benefits of cyber insurance, take-up is lagging globally. The Bashe report highlights this protection gap, estimated at about 86% in this particular scenario. In Asia, this is even more pronounced, with only 6% of global cyber premiums coming from the region2. However, firms in the region are increasingly taking up cyber insurance, and over the next five to ten years, we expect Asia’s cyber insurance market to grow from over an estimated US$50M in 20173 to US$1B in 20254.
Gaps in Cyber Insurance
12. One key challenge affecting cyber insurance purchase is that buyers find existing stand-alone cyber insurance policies are not meaningfully adequate to meet their needs. A survey by insurance consultancy McTavish concurred with these findings, with 35% finding it “unfit for purpose” and 22% “do not trust the insurer to pay out”. Why is that so?
13. The gaps in cyber insurance policies often stems from insufficient historical data and supporting models to support risk assessment, quantification and underwriting of cyber risk. Insurers try to deal with this uncertainty by setting high deductibles, low coverage limits and significant exclusions.
Singapore Initiatives to Address Cyber Insurance Gaps
14. CyRiM’s research on definitions, data, scenarios, risk assessment frameworks and policy aims to address some of the challenges of underwriting this complex, interconnected and dynamic risk. Can we make this uninsurable risk insurable? It is possible. However, we need to make deep foundations for the development of an efficient cyber insurance marketplace in Singapore.
15. Uncertainty also stems from insurers having to deal with potential exposure to non-affirmative or “silent” cyber in traditional property and liability policies. There are concerns that a single event, like in the Bashe scenario, can trigger a wave of losses across policies, resulting in significant cyber loss accumulation. The cyber pool, an initiative undertaken by the Singapore Reinsurers’ Association is a Singapore-based effort to address such peak exposure and reduce some of the uncertainty surrounding cyber underwriting.
16. Singapore is pleased to house these initiatives, which build on our strengths as a centre of excellence in specialised risks and we encourage industry and academia to continue to research, experiment and identify innovative cyber solutions to boost Asia’s cyber resilience.
17. Let me conclude. Cyber risk remains a global challenge, requiring a concerted global response. Insurance is a critical part of this response.
18. Once again, I would like to congratulate the Nanyang Technological University’s Insurance Risk and Financial Research Centre, University of Cambridge, Aon, Lloyds, MSIG, SCOR, TransRe, and supporting partners on the launch of CyRiM’s cyber scenario report, and I hope that this report sparks even more conversation and solutions to address cyber risk.
1 Report by Gemalto: 2018 First Half Review of the Breach Level Index.
2 Marsh & McLennan Companies Report 2017- Cyber Risk in Asia-Pacific: The Case for Greater Transparency
3 CyRiM-Lloyds Report 2019- Bashe Attack: Global Infection by Contagious Malware.
4 Delta Insurance 2018.