More than a quarter of the world’s cyberattacks last year occurred against Asian businesses, making the region the most targeted globally, according to figures from IBM’s Security X-Force Threat Intelligence Index 2022.
Asia has taken the status previously held by North America and Europe – something that has happened for the first time since the tech giant began documenting geographic trends.
Japan experienced the highest number of hacks among all countries in the region, followed distantly by India and Australia. But despite the increasing threat from cybercriminals, some experts say many countries in the region still lag in cybersecurity policies and strategies.
“Singular breaches no longer have a strictly local impact as individuals are hyperconnected to the internet in myriad ways, from personal digital devices to appliances and vehicles,” wrote Saurabh Mishra, head of business development and client services, and Sriram Iyer, senior specialist, both from global analytics firm Verisk’s office in Hyderabad, India, in an article assessing cyber risks in the Asia-Pacific region.
“That hyperconnectivity creates digital vulnerabilities, with cybercrime on the rise globally and criminals on constant lookout for new vulnerabilities to exploit. These events can be costly and disruptive for companies as they’re forced to pay the expenses for forensics, business interruptions, liabilities, and ransomware, among other related costs,” the experts continued.
According to IBM’s index, server access was the most common attack type in Asia, accounting for a fifth of all cyberattacks. The high percentage of server access attacks suggests that businesses in the region are adept at identifying attacks quickly before they escalate into more concerning attack types, the report said. Ransomware attacks, including those conducted by REvil, placed second at 11%, followed closely by data theft at 10%.
In terms of industry, finance and insurance (30%), manufacturing (29%), and professional and business services (13%) were the most targeted sectors in the region.
“With the increase in cyberattacks, a lack of comprehensive cybersecurity policies, and changing data protection legislation, the cyber insurance space in the Asia-Pacific region could see a surge in the coming years with organizations trying to understand the risk,” Mishra and Iyer wrote.
The experts added that insurance providers play a vital role in helping businesses mitigate the risks of cyber threats.
“Having access to a wide range of scenarios and assessing the holistic impact on the larger network are crucial to understanding the spread of cyber risk,” they wrote. “To manage cyber risk effectively, insurers must take a proactive, rather than a reactive, approach.”
Searching for the right cyber insurance policy, however, is not a simple feat for many businesses. There are several aspects that come into play and the key to finding the insurance coverage that fits their needs is being aware of the different cyber risks they are facing. Here are some of the most important factors Asian companies should consider when getting cyber coverage, according to experts.
According to insurance firm Marsh’s recent report on cyber risks in the Asia-Pacific region, one of the biggest challenges companies face when it comes to finding the right policy is the “high specificity and strict limitations in cyber insurance product offerings” in the region. Because of this, businesses must understand their risk profile to find the right coverage, the research noted.
“The scope of cyber insurance coverage remains highly specific as the characteristics of cyber threats across geographical locations, industries, and size of corporations vary widely,” the report said. “With little standardization across the products offered, companies need to have a deeper understanding of their own cyber risk exposures to determine the appropriate type and amount of coverage required based on their own risk tolerances.”
Harvey L. Johnson, chief executive officer of consulting firm PBMares, put it simply, “Buy what you need.”
“With the variety of coverages offered by insurers in the market today, it is important to focus on the basics,” he wrote in an article published in the company’s website. “You should consider whether your business needs all the coverages being offered and decline to purchase those that you do not need.”
Johnson added that it is also important for businesses to understand what coverages are available in their existing policies as this would enable them to purchase an insurance policy that they actually need.
“Your company’s standard first- and third-party policies may provide some protection from cyber risks… For example, standard financial institution bonds provide coverage for third-party claims arising from a fraudulent computer instruction to transfer customer funds,” he wrote.
A recent global study by insurance brokerage firm Howden has found that cyber insurance premiums have climbed 32% year-on-year, with 70% of brokers reporting capacity reductions. The report also revealed that many insurers have begun demanding more evidence of preparedness, resilience, and appropriate risk management practices from companies.
“The costs of responding to a data breach can be substantial,” Johnson wrote in his piece. “Perhaps the most important step a company can take to assess the value of cyber insurance is to compare the anticipated costs associated with a data breach with limits of liability available and the related costs.”
He also suggested that businesses try matching their limits of liability with their realistic exposure in the event of a cyber loss.
As mentioned in the Howden report, the Asia-Pacific region’s cyber insurance market is characterized by little standardization. In an article for StrategicRISK Asia Pacific, Menaka Muthu, vice-president at Marsh Asia, noted that understanding what the policy excludes is equally important as knowing the coverages are.
“The cyber insurance market in Asia lacks uniformity,” Muthu wrote. “Therefore, it is crucial for companies to understand coverages and exclusions. To ensure that your business has the right coverage, it is critical to assess your business and consider the specific risks you wish to insure.”
Among the terms businesses should look out for, according to Johnson, are “retroactive date” and “acts and omission by third party.”
“Cyber policies sometimes restrict coverage to breaches or losses that occur after a specific date,” he wrote. “This means that there would be no coverage for breaches that occurred before the inception of the policy. Because breaches may go undetected for some period of time, it is important to purchase coverage with the earliest possible retroactive date.”
He added that having cyber insurance coverage for claims arising from misconduct by vendors was important, especially for businesses that outsource data processing or storage to a third party.
Insurance providers use coverage triggers to ensure that the policies they underwrite only apply when specific events occur. Because of this, it is vital for businesses to understand what activates coverage under their cyber insurance policies, according to Johnson.
“Some policies are triggered on the date the loss occurs, while others are triggered on the date that a claim is made against the insured,” he wrote. “In order to provide proper notice, you need to understand how coverage applies under each policy you purchase.”
A data breach often results in regulatory actions against a company. In Asia, several nations have already updated legislation in response to increasing privacy breaches.
Japan, the country in the region most targeted by cyberattacks, for instance, has approved a bill increasing data breach penalties to up to ¥100 million. Singapore has also amended its Personal Data Protection Act (PDPA) to increase the maximum data breach fine to 10% of a company’s annual turnover or S$1 million, whichever is higher. Indonesia, meanwhile, has pushed head with a data protection law that includes fines of up to Rp210 billion for privacy breaches.
According to Singapore-based business management firm Kroll, these legislation changes indicate that companies must shift from viewing data breaches as “just a business disruption that can be remedied through backups” to treating them as incidents that can carry hefty fines.
With many businesses shifting to work-from-home arrangements due to the pandemic, many workers are also forced to use personal devices, including laptops and mobile phones, to perform their jobs. Johnson advises firms that are facing risks of data loss through these personal devices to consider cyber insurance that provides coverage for such losses.