Companies of all sizes and industries face the threat of cyber attacks, data breaches, and other security incidents that could jeopardise their operations, reputation, and financial stability. In this context, cyber liability insurance has become a critical tool for managing cyber risks and protecting businesses from the potentially devastating consequences of cyber incidents.
In this episode of the Broker Feature, Juliana Yong, Associate Director of Broking - FINEX, from Willis Towers Watson (WTW), shares her observations and experience as a broker in the Asian insurance industry.
Watch Episode 1 here:
Juliana: I used to be a lawyer for 12 years and I have been a broker for the last 5 specialising in financial lines types of insurance and obviously cyber liability insurance is a big part of that conversation with my clients.
Can you explain the current state of the insurance market in Asia?
Juliana: My own personal experience, being Asian and doing business in Asia, is that clients are always rather hesitant about allocating resources to cyber liability insurance, because this conversation is always against a backdrop of setting annual budgets for what to allocate towards payment of insurance premiums.
Since the pandemic broke out, there’s been this onslaught of cyber breach events that has been highly publicised, and the number of inquiries that we as brokers have been fielding in the past, I would say, 3 years has been steadily increasing.
What I would make as an observation, is that there is a bit of a paradox that I'm noticing between the availability of capacity from the insurance carriers that do write cyber liability insurance and the willingness of clients to purchase cyber liability insurance coverage. So in the context of say just before the pandemic broke out about three years ago, it was comparatively easy to get clients to listen to the upside of having cyber coverage in place. Where that conversation would kind of slow down is when we are chatting with the CFO or finance teams, or even the head of legal, about convincing the C-suites to approve budgets for payment of–whether it's a standalone cyber liability policy, bundled with other classes of business, like D&O or PI insurance.
The rationale that a lot of CFOs shared with us when we were talking about the utility of such a product would be that in their minds eye, if they have got a firm that has an external IT vendor, and there’s a breach event, then it's the IT vendors problem and if there are losses then it should be IT vendor’s PI policy that picks up or addresses the losses that arise from the breach event. So there’s that natural tension between what they feel as a priority in resource allocation and their own perception of the real exposure that lands on them.
If we are talking about numbers and rates, I would say that prior to 2022 the rates that we saw in the Asian market were perhaps about a 2% rate online.
What we’ve noticed is that because the pandemic has meant that most white-collared workers are telecommuting with or without proper encryption levels, the number of queries that we are facing has gone up especially when it comes to regulated entities that hold a CMS license. A lot of them are having conversations with us brokers because their investors or even their marquee client or flagship partners are asking them all the difficult questions in the context of first party liability rather than third party liabilities.
So what's happening is that there is much more interest in either contractual obligation that they have if they want to continue doing business with the big boy or the regulator like MAS (Monetary Authority of Singapore) are starting to hint that there are requirements that are required on the insurance procurement side.
As a consequence of which the natural tension is thus explained by price elasticity where you have burgeoning demand and very limited supply which is decreasing because of the number of claims experiences that many of the MNC insurers have had. So that just generally means that in Q4 2022, prices are very robust in the region of 3-5% rate online.
What are some of the major trends and challenges facing the insurance industry in Asia?
Juliana: Asian clients tend to have general difficulty with appreciating the value of products that they cannot see or touch in person. An example would be if you’re chatting with anyone who's an investment advisory business. A lot of Asian investors prefer asset classes like real estate or commodities to cryptocurrency and credit default swaps. And what I would say in my analysis is that the business value of service and product offerings, which are abstract concepts, is something that you need to grasp internally as compared to a physical product.
Most Asian firms especially If your business decision makers are born before 1976, they will have a lot more resistance, they will find it harder to grasp the value of cyber liability insurance because it is just the nature of insurance. And especially with losses that could be attracted in cyber exposures–it’s invisible. And unless you spend time educating yourself in these vectors of risk to really take up risk management as a discipline, most asian businesses and decision makers find that it is a bit of a bother.
But there is hope, because what I’ve also noticed is that with third or fourth generation business owners who are successors to their elders. A lot of them have spent time studying in the west or are very savvy to issues of risk against the backdrop of technology because they have grown up with tech all around them. Many of them are actively trying to act as a bridge between their elders, and their appreciation of IT literacy and the changing business landscape. So obviously at WTW, which is where I am, we are very interested in helping these third or fourth generation business owners navigate these waters more adroitly.
How has the rise of technology and data analytics impacted the insurance market in Asia?
Juliana: My observation is that it has levelled up the conversation around quantum, which is the numerical quotients of how you look at a claim or an exposure.
For us brokers in Asia chatting with Asian clients, these conversations would circle around appropriate limits of indemnity to purchase on a cyber policy whether it's standalone or bundled with another class of business. And it makes the conversation very empirical.
What’s happened on my side is that as a service provider, we've been able to utilise statistical data–of course we get this data from our research and conversations with the insurer–and we are able to model for clients what catastrophic losses would look like. According to the most recent claims data, it is the most dynamic, very volatile dataset because threat actors are very busy at work everyday.
Earlier I mentioned that business owners and decision makers born before 1976 would, in the past, have more difficulty appreciating how this would affect their bottom line. And to be fair to them, technology is a very broad church–what technology meant in 2002 is not the same as what it would mean in the context of 2022.
In the past, I would say conversation about purchasing insurance was more primitive and intended to rely more on how persuasive a broker was in fear mongering.
But what we do know right now in 2022 is that it is no longer the case that threat actors would only go after an MNC with a large target on its back. Firms in the little markets and the small medium market are all fair game. There are tons of documentaries on this about how all these cottage industries springing up–of threat actors, where it is their business to take money from you–whether it is ransomware, or to enslave your corporate devices.
So the conversation with clients–whilst it used to be one couch in the context of the regulator or client or investor sitting on them–these days we as brokers are able to fall back on cold hard facts to articulate to our clients with datasets that have been verified.
In the climate that you’re in, a risk tolerant or risk averse approach towards insurance as a solution is the better way to go. So that’s evolved the conversation.
How has the COVID-19 pandemic affected the insurance market in Asia?
Juliana: Within the context of the experience a broker has with the insurance carriers, I would say that it has made cyber underwriters more paranoid about dotting I’s and crossing T’s when it comes to the transmission of underwriting information on a cyber submission.
It's the broker's job to package facts in a way that makes it easy for an underwriter to offer competitive terms. But because the climate has changed so much since 2020, it’s more common that we have underwriters asking for technical underwriting calls before a quote is issued. These are calls not just with the business underwriter but also perhaps with someone who is very much in the business of security/information security that the insurer would retain on its panel. It’s a very rigorous kind of climate that we have and, I would say that my observation as a broker is, that it is required because there is absolute carnage in the claims experience of most insurers.
They are not a charity, they have to make money. The number of claims that they are paying out on versus the premiums pool that they are collecting is going to make commercial sense. So it would not be in the client's interest if that available capacity were to dry out. That would just mean that the prices that they are being quoted would go up astronomically.
Can you discuss the role of innovation and emerging technologies in the Asian insurance market?
Juliana: I don't think it is all doom and gloom for Asia. My own thesis is that after the pandemic a lot of Asian business leaders and owners will probably surprise the insurance industry by embracing technology as part of the conversation about risk transfer solutions, because the pandemic has shone a light on how we cannot bury our heads in the sand.
This is public information. It's a young continent, especially in SEA. So from a human point of view, I think the frictional barriers to the use of technology would only lower in the coming 5 to 8 years in Asia. And how that impacts the buy side and the sell side of cyber insurance in Asia is that the conversations are probably going to be elevated towards precision and higher-order thinking when analyzing the different vectors of liability. It isn't so much about, ‘what’s this gonna cost me?’, and ‘how is this going to affect my P&L?’. It’s a much more rounded analysis that Asian business owners would be entertained when trying to ask themselves if they have adequate limits of indemnity on their cyber policies.
What are your recommendations for businesses looking to purchase cyber insurance?
Juliana: The conversations with the broker are completely free. Data is your friend. And you want to be in the laneways of the latest information that is emerging from the market because threat actors are again–very busy. What you want is to make an informed decision–you're weighing the cost of a premium in light of the potential exposure, because it's not just financial loss, it's reputational loss. This impacts your ability to do business with say a bank, or a very large investment house if you are raising capital. These are more intangible factors that impede your ability to do business. There is really only benefit and upside to chatting with your broker on whether cyber liability insurance is a good idea.