Southeast Asia is one of the world’s most economically dynamic regions, but there is a large and potentially disastrous flaw in the business model of many companies in the region. In 2017, ASEAN member states collectively spent US$1.9 billion or 0.06 percent of their gross domestic product (GDP) on cybersecurity, less than half of the global average of 0.13 percent.
As technology develops at light speed and hackers get more sophisticated and unpredictable, this lack of preparedness for cyberattacks may cost organisations in ASEAN dear. The risks include cyberattacks leading to business interruptions that organisations – in particular traditional brick-and-mortar businesses and small and medium-sized enterprises (SMEs) – may find crippling.
Earlier this year, a Cyber Risk Management (CyRiM) project led by the Insurance Risk and Finance Research Centre at Singapore’s Nanyang Technological University (NTU-IRFRC), in collaboration with industry partners (including Lloyd’s and Beazley) and academic experts, studied a hypothetical email ransomware attack across the world and forecast that Asia could lose US$19 billion. Apart from ransom payments, other costs would include cyber-incident response, damage control and mitigation, business interruption, lost revenue and reduced productivity.
ASEAN’s nascent cybersecurity industry needs to grow at the same pace as, if not quicker than, technological advancements in order to minimise the risk of cyber incidents disrupting the region’s economic growth. A concerted effort across government and regulators, business leaders and the insurance industry will be required to strengthen cyber resilience.
The region’s pillars of support
Singapore has taken the lead for the region, investing US$30 million to fund the ASEAN-Singapore Cybersecurity Centre of Excellence aimed at deepening the region’s cyber capabilities and enhancing its ability to respond to emerging global cyber threats. As an extension of the Centre’s work, it is also critical that governments make cybersecurity and risk management tools easily and efficiently accessible to businesses, especially SMEs that generally have less capital to invest in areas such as information security.
Charting the direction for businesses
High-level executives are increasingly aware of cyber risks and threats, with roles such as Chief Privacy Officer and Chief Information Security Officer becoming more widespread within organisations. Staying abreast of technological advancements and digital disruption in order to understand and even predict new risks associated with these developments will improve the accuracy of organisations’ risk exposure models, which in turn will help insurers design more innovative cyber insurance products and services.
Employees remain one of the top causes of data breaches, both malicious and negligent – 36 percent of organisations in Singapore do not have an employee security awareness training programme and 44 percent do not have an incident response process. Business leaders need to drive a culture of cybersecurity across the organisation and prioritise and incorporate training to educate employees on information security, the potential risks and repercussions.
Tailoring the right coverage
The insurance industry has an important role to play in helping to educate business stakeholders beyond IT departments on cyber-risks ranging from malicious attacks to human error. At the same time, brokers can advise businesses on the associated financial and reputational impact and risk-transfer solutions available to support them in the event of an incident. Leveraging publicly available data such as white papers and reports – for example, Beazley’s quarterly breach insight report – is essential to promote understanding of the various risks and scenarios.