Development of cybersecurity insurance

System bugs at several chain hotels in China led to a data breach of an estimated 20 million hotel reservations in 2013. Personal data of 130,000 users of 12306.cn, a website for booking train tickets, were circulated on the internet in 2014. A hacker attack on the backbone network of Netease caused a massive service outage on 11 May 2015, and many mobile apps and online games were inaccessible as a result. On 27 May 2015, a massive breakdown hit Alipay because optical fibres were destroyed, and the disruptions lasted about 90 minutes. On 28 May 2015, Ctrip’s official website and mobile app were blocked for 12 hours.

An increasing frequency of cyber attacks has sounded the alarm on cybersecurity. As internet applications are expanding to a wider spectrum and cyber threats are escalating, the demand for cybersecurity insurance has been on the rise. More and more enterprises hope to buy the insurance to get protections against potential financial losses caused by data leaks and business interruptions.

Enormous market demand for cyber-security insurance

According to the 2015 Report on Internet Development and Security issued by the Internet Society of China and China Internet Network Information Centre, there were 3.647 million websites registered in China as at the end of December 2014, and the number has stopped falling and started to rise in the past three years. Meanwhile, cybersecurity has become a prominent headache for China, as hacker attacks and controls cause tens of billions of dollars in economic losses every year, and the figure keeps rising. These growing threats bring enormous development potential to the cybersecurity insurance market.

According to an underwriting manager at an insurance company, a 2016 survey showed only 10% of SMEs worldwide believe their businesses are too small to be targets of cyber crimes, down seven percentage points from 2015.

China’s cybersecurity insurance market is still in its infancy

The market is virtually negligible compared to China’s huge potential demand for cybersecurity insurance. According to a report released by PricewaterhouseCoopers, total premium income for the global cyber-
security insurance market is estimated to reach US$5 billion by 2018, and US$7.5 billion by 2020, although the market is largely uneven in different regions. The US dominates 90% of the global cybersecurity insurance market, while Asia-Pacific accounts for 1% and the Chinese market is still in the initial stages of development.

Insurers must be mindful of some problems when underwriting cybersecurity insurance

Development of cyber-security insurance is subject to a country’s social climate, legal environment and talent conditions. China is still a distant laggard in the development pace of cybersecurity insurance compared with well-developed foreign insurance markets, where a comprehensive insurance system and a sound legal and regulatory framework have been in place. Here are some suggestions to insurance companies from the perspective of product development, insurance underwriting and insurance compensation.

First, insurance companies should build reliable economic models to gauge the risk of cyber attacks. Development of insurance products requires big data analysis, but big data used for cyber-security purposes are very scarce in China because its cybersecurity insurance market needs more time to take shape. Cybersecurity insurance was created in the 1990s and has developed well in advanced regions like North America.

Chinese insurers can study overseas cybersecurity insurance markets and take into account domestic market conditions to develop cybersecurity insurance products. If necessary, they can purchase economic models that can measure the risk of cyber attacks from professional companies to gain an early foothold in the market.

Secondly, insurers must define the scope of insurance liability. At present, most cybersecurity insurance products cover economic losses, personal injuries and property losses caused by cybersecurity incidents, such as human errors, deliberate malicious attacks as well as software bugs.

Since cyber attacks are technically sophisticated and could be caused by multiple factors, insurance companies should take into consideration various factors that might result in losses to the assets insured when devising insurance policies. They should specify which losses are covered by the insurance and which are exclusions. Insurance companies are also advised to roll out targeted insurance products so as to narrow the insurance coverage and reduce insurance risk.

Finally, insurers should define the types of insured losses. Cybersecurity insurance covers such losses as caused by business interruptions, actual business losses, data recovery expenses as well as privacy losses. These losses are hard to be accurately measured, and insurance claims are hard to be justified.

Insurance companies are advised to specify which losses are covered by cybersecurity insurance and require the insured to present papers and files to justify its claims, so as to avert disputes when the claims are being processed. When the losses cannot be reliably measured, the insurance company can either refuse to compensate or cap the amount of compensation to keep losses under control.

As a new product on the market, cybersecurity insurance is bound to face many unpredictable challenges. But more and more insurance companies are going to get a foothold in this untapped gold mine as the internet market grows, legal frameworks improve and corporate demand increases. In order to get the upper hand, an insurance company must survey the market and make full preparations at this early stage.

Dylan Yu is an associate at Wintell & Co