Korean Reinsurance : · Rising Need for Cyber Security Mana...

Growing concern over cyber security

Cyber security has been a greater concern than ever for businesses following the outbreak of COVID-19. As non-face-to-face interactions have become necessary during the pandemic, digital transformation is being accelerated, with companies seeking to adapt to a changing business environment and to create new operating models that accommodate the evolving needs of their customers and ensure the safety and work efficiency of their employees. As a result, companies rely increasingly more on digital technologies, which inevitably raises their vulnerability to cyber incidents.

Indeed, there has been an uptick in the number of cyberattacks globally since mid-2020 throughout the coronavirus pandemic. In Korea, the number of ransomware incidents also soared by 76% year on year to 223 in 2021 following a surge of 225.6% in 2020. The amount of losses arising from global ransomware attacks is expected to climb to KRW 312.7 trillion by 2031 from KRW 23.6 trillion in 2021 according to estimates by the Korea Internet & Security Agency (KISA).

When it comes to the type of industries affected by ransomware, manufacturing turns out to be the most affected sector in Korea. The manufacturing industry accounted for the biggest share of 32% out of the total ransomware incidents reported to KISA between January and November of 2021. The information service industry made up 18%, followed by retail & wholesale (17%) and transportation (4%).

Importance of cyber insurance

The upward trend of cyber incidents has sparked interest in cyber risk management and cyber insurance among companies in Korea. The main type of cyber insurance available on the Korean market covers third-party liability arising from accidental data leakage or the theft of third-party data. The loss or disclosure of personal data of others can have a detrimental impact on a business, including the loss of customers, revenue and reputation, and cyber liability coverage can be an important tool for companies to protect their businesses against the risk of cyber events. However, cyber risks other than third-party liability are not sufficiently covered by most cyber insurance policies issued by local insurance companies.

Against this backdrop, several non-life insurers in Korea have recently started to offer comprehensive cyber insurance products that protect policyholders against a broader range of cyber risks including costs of cyber incident investigation and data recovery, business interruption losses, and ransom payments as well as third party liability.

Despite the recent increase in cyber insurance product offerings by insurers and the growing awareness of cyber security and insurance coverage among businesses, the cyber insurance market in Korea is still in its infancy, with the volume of the market being estimated at KRW 40 billion. Given the size of economic losses related to cyber incidents, the market needs further development. First of all, it is important for the insurance industry to identify customer needs accurately amid a growing level of dependency on digital technologies and develop cyber insurance products tailored to the needs of individual businesses in ways that can help them manage and mitigate their cyber risks. It is also necessary that insurers offer cyber risk management solutions that enable companies to deal with both direct and indirect risks of a cyberattack. To this end, of course, the industry must ensure a balance between offering customers attractive solutions and maintaining the necessary sustainability and profitability in the volatile cyber business[1].

Meanwhile, the Korean government introduced a series of legislative requirements to mandate businesses to purchase liability insurance coverage against data breach events in response to growing risks of malicious attacks, network security failures or other cyber security incidents. For instance, companies that hold or process credit information are required to have at least certain amounts of liability insurance or to set aside an equivalent financial reserve under the enforcement decree and regulations of the Credit Information Use and Protection Act as below:

In addition, mobile carriers and other communications service providers that handle personal data are mandated to buy cyber liability insurance against the risk of data leakage under the Act on Promotion of Information and Communications Network Utilization and Information Protection. Depending on factors like the revenues and number of customers, the amount of liability insurance ranges from KRW 50 million to KRW 1 billion.

With these regulatory requirements and other relevant legislative measures in place, Korea is known for its strong data protection regime compared to many other Asian economies. Most types of data handling entities in the country are now required to take out cyber liability insurance. Although the limits of the compulsory cyber insurance policies are quite low, such legal requirements are likely to provide a boost to the growth of the cyber insurance market.

There is no doubt that the trends of technological development and digital transformation are leading the corporate community to pay much attention to cyber coverage. They include the rise of e-commerce and a greater use of autonomous vehicle technology, sophisticated automatic production processes, the Internet of Things, and artificial intelligence.

These trends inevitably pose cyber security threats to companies in a wide range of industry sectors. Cyber security threats involve ransom, reputational harm, loss of intellectual property and personal data - all of which can put a business in harm's way. Not only telecommunications carriers but also other sectors that deal with large volumes of personal data such as retail, healthcare and financial services may find it essential to have cyber insurance cover to manage their data protection risks effectively.

Rising demand for business interruption coverage also has the potential to help fuel the growth of the cyber insurance market. Businesses that rely on digitalized operational processes such as manufacturers, logistics and transport service providers are increasingly interested in purchasing cyber insurance because the risk of business interruption resulting from a cyberattack is one of the top issues facing many businesses today.

Challenges to be tackled

The problem is, however, that this growing interest in cyber insurance does not necessarily result in an increase in availability of cyber insurance. On the demand side, that is because there is still a gap between general interest in cyber insurance and actual demand for insurance coverage against cyber risks. There seems to be low demand for comprehensive cyber cover that is more encompassing than the minimum compulsory coverage partly because of cost. It will take more convincing for businesses to spend money on fully featured cyber insurance in addition to investing in data security improvement. Another fundamental problem is that it is not easy for most companies to determine how much cyber insurance they need. It is for this reason that insurers need to consult closely with corporate risk managers in order to grasp their needs.

On the supply side, there are a set of challenges that prevent the growth of the cyber insurance market, including a lack of historical data and the difficulty in quantifying and pricing cyber risks. A cyberattack can also potentially hit a number of businesses simultaneously due to its catastrophic nature, generating loss accumulation for insurers. On top of that, the ongoing evolution of cybercrime makes it challenging for insurance companies to assess cyber risks of businesses because the threat environment keeps changing.

Cyber insurance is a small but growing market segment, and the future growth of the market will hinge on how these challenges are addressed. The key to tackling the challenges is to balance the profitability of cyber insurance with ensuring the affordability and accessibility of cyber covers, which will absolutely be a tough task for the insurance industry. It will take many more years for cyber insurance to become a full-fledged market and a mature class of business considering the unpredictable and complicated nature of cyber risks.

[1] Cyber insurance: Risks and trends 2022, Munich Re (May 16, 2022)