The estimated annual cost of cybercrime to the global economy stands at a staggering US$445 billion to-date; yet Malaysian businesses do not seem to prioritise cyber insurance.
By Priya Rama
About a year back, the Bangladesh Central Bank’s system was hacked and over 36 fraudulent requests for money transfer was sent to the Federal Reserve Bank of New York, asking it to transfer slightly over US$100 million of the Bangladeshi Bank’s funds to bank accounts in Sri Lanka and the Philippines. This is just one case out of the US$445 billion in cybercrime cost that the global economy incurs annually.
Though there isn’t a specific definition for cybercrime, broadly it is a crime that is done through any ICT media, be it internet, computer or mobile phones. And the threat is definitely real.
We recently spoke to Devakumaran Palnisamy, Senior Vice President, Practice Leader Finpro/Casualty and Placement Practice of Marsh Insurance Broker, on identifying cybercrime risks and choosing the right cyber insurance to mitigate those risks. Marsh Insurance Broker is a leading insurance broking and risk management company.
SI: Media reports indicate that cybercrime is costing the global economy and businesses close to US$500 billion annually. Why is the occurrence more prevalent today?
Deva: There is only one logical explanation why cybercrime numbers are increasing year after year – criminals are evolving with technology. In the last 10 years, a bank heist where robbers physically enter and rob a bank is unheard of because banks don’t keep money anymore.
Thus now, criminals have to think of new method of stealing. And to their benefit, more people are using online banking to transact, which makes it easier for criminals to exploit using fictitious accounts. That’s why large losses are reported.
SI: Why was there a need for cyber-insurance when there are general insurances to cover these types of risk?
Deva: The menace of cybercrime has left many traditional forms of insurance, namely the general liability and property policies, unable to adequately respond to these risks. This is why cyber-insurance came into place.
Currently, the total global premiums for cyber-insurance is at US$2.5 billion. However, this is very US-centric, with minor developments in Germany and Australia. In Asia, it is still very low.
However, it must be mentioned that the growth in cyber-insurance figures is not for the crime aspects; rather it’s for data breach.
There was a law passed in the US recently for banks to mandatorily report a data breach. For instance, if a bank gets infiltrated, they must report it to all their customers, and that could run into millions. The average cost to generate and send a letter, and set up a call centre to answer customers’ queries amounts to US$20 – US$25 per customer.
Imagine the amount of money they have to spend for data breach notification. This really grew the cyber-insurance space.
Initially, the crime elements of cyber losses such as theft of money and assets were covered by crime policies. Eventually, insurance companies added the data breach element and bundled it into business insurance. In essence, they cover for both physical and online loss. This further elevated the cyber-insurance industry.
SI: How is the cybercrime and cyber-insurance scene in Malaysia?
Deva: Malaysians generally have this mind-set of not wanting to buy cyber-insurance because they think that their system is full-proof with all the security features and levels in place, which no one can infiltrate.
This is actually good because insurance companies will never come into play unless you have all the basic protection in place.
If someone manages to infiltrate the system despite all the security levels, that’s where we come in to bear the losses. But if you don’t even have the basics, it will be a walk in the park for a criminal. However, it took us a long time to convince them that this threat is real.
SI: How do companies decide on the best cyber-insurance policy for their company?
Deva: Insurance is primarily driven by fear of something happening. So ask yourself what keeps you awake at night? Which aspects of your business are you worried about most of the time? That’s what you should insure.
For a small accountancy firm, it would probably be client’s data stolen, not-filing-on-time liability, private and confidential information exposed to competitors, clients suing for not safeguarding their personal details, system infiltration and the likes of it.
SI: What are the elements of a good cyber-insurance policy?
Deva: A good cyber-insurance plan must cover Cybercrime, Data Breach, Cyber Extortion/Ransom and Cyber Liability.
Cybercrime involves tangible loss such as computer system assets, and intangible loss such as theft of data or information. While Data Breach is taken seriously in the western world, it is more voluntary in Malaysia.
When a criminal gets hold of a company’s clientele details and confidential information, they will extort money from the company, or otherwise threaten to misuse the information. We personally handled a case where a small-time property developer was asked for a ransom of 20,000 bitcoins (approximately RM20,000). This comes under Cyber Extortion/Ransom.
Cyber Liability happens when cyber criminals enter into a bank’s system and siphon their client’s money. Though the money doesn’t belong to the bank, they still need to pay back to their clients as it is technically their responsibility to ensure the money doesn’t go missing. The four elements are a must-have in cyber-insurance policies.
SI: How receptive are Malaysian companies towards cyber-insurance?
Deva: I must admit that the acceptance to cyber- insurance is still not at a level that we anticipated. Today, cyber-insurance has become more affordable compared to what it was 7 years ago.
This is because the bigger insurance companies realise that the likelihood of a cybercrime loss in Malaysia is lesser than in the western world.
Marsh also has a Cyber Security Insurance (CSI) scheme for small and medium enterprises (SMEs) which cost RM300+ per year. It comes with RM150,000 worth of coverage, which is a lot of money for an SME.
Our intention here wasn’t to make money; rather it was to create awareness about cyber-insurance. Surprisingly, the response for the SME CSI was very good but of course, there is ample room for improvement.
SI: How can we create more awareness about cyber-insurance in Malaysia?
Deva: We have to start from the schools and inculcate the importance of insurance from a very young age. There must be a concerted effort to include an insurance syllabus in commerce subjects. Only then will people be more accustomed to the idea of taking up an insurance policy for business.
In Canada for instance, every business must have liability insurance; otherwise you can’t do business or even apply for a business loan. In Malaysia, we take this for granted!