In an increasingly connected world, cyber risks have become more common and severe, making cyber insurance more important in protecting assets. However, one expert believes that the insurance industry has yet to sufficiently understand the nature of cyber risk.
Insurance Business spoke with Prof Shaun Wang of Nanyang Technological University’s Nanyang Business School, Division of Banking & Finance, about the complexities of cyber risk, and how the insurance industry and other organisations can deal with this emerging threat.
Wang recently spoke at the joint conference of Nanyang Business School’s Insurance Risk & Finance Research Centre (IRFRC) and the Asia-Pacific Risk & Insurance Association (APRIA). The conference, held from July 29 to August 01, invited over 120 business leaders, experts, and academics to come together to exchange ideas, build partnerships, and gain insights into the risk management industry.
“Cyber threats are not going away and will only continue to increase in potential damage and disruption to the digital economy,” he said. “Therefore, countries must address these cyber threats head-on by enhancing their cyber risk management capacity through proactive policies and enabling the business community.”
While some organisations may think that having an insurance policy covering cyber risks ensures their safety, Wang believes that the industry has yet to reach that point.
“The insurance industry as a whole does not yet sufficiently understand the unique, complex and evolving nature of cyber risk,” he said. “As such, it is not in the best position to provide robust cyber insurance cover required by those at risk. The lack of sound data, the rapidly changing cyber threat environment, non-standardized policy coverage, developing regulation and policy landscape, and the global nature of cyber risk with potential for high accumulation risk, constrain the development of the cyber risk insurance market.”
According to Wang, the insurance industry should “take a hard look at what and where their key assets are and implement data segmentation.”
Furthermore, the industry should invest in resources and instil accountability in protecting their customers’ data. Insurers should also cooperate with each other and share threat intelligence, as well as best practices in protecting and safeguarding data.
Learning from the SingHealth breach
As an example, Wang discussed the SingHealth cyber breach, which resulted in the theft of around 1.5 million patients’ personal data, including that of Prime Minister Lee Hsien Loong. He believes complacency was one of the reasons behind the breach.
“The recent data breach with SingHealth shows that risk prevention measures should be an essential part of risk management,” he said. “With the right resources, hypothetically, SingHealth could have identified their key assets that would be more attractive to cyberattacks as not all medical records would have the same value to hackers. On top of that, segmentation of high-value data assets with special protection may have helped.
“Another important factor is complacency and inertia – over time, people (and organisations) are accustomed or used to what they have been doing and lower their guard to potential cyberattacks.”
However, he also said that the incident can serve as a valuable learning point about how to protect data, and that governments and organisations should educate stakeholders and the public that no one is immune from cyberattacks.
“As a proactive measure, white-hat hackers could be invited to do penetration tests so as to effectively identify weakness and take corrective actions,” Wang said. “Organisations should be constantly reviewing the protection levels of their key assets and if they have an appropriate level of protection and have clear accountability for any data breaches.”