Wong has 20 years of industry experience. Before joining JLT, he worked in Malaysia, Taiwan and Hong Kong on liability and financial loss claims. Wong’s current focus is Cyber Insurance in the Asia region and providing input on manuscript / bespoke policy wordings. He is intricately involved in claims matters, including Cyber / data breach claims, high-profile D&O-related litigation and claims in the Hong Kong insurance market.
When disaster strikes it’s perfectly normal to want to salvage something from the situation. For most people the immediate concerns are likely to be people and possessions. But depending on the situation you find yourself in, it might also be your reputation that needs salvaging.
Mitigating the damage from accidents, calamities, and disasters is nothing particularly new. But data, reputation and customer trust have become intrinsic to the value of many businesses – and affect their ability to trade successfully. This means the nature of risk, and how we account for it, is changing.
Among the most pressing and constant risks businesses face are those relating to cyber security. Once synonymous with words like virus and Trojan, the cyber threat landscape is now far more complex and sophisticated than many people realise.
The reasons for this are almost as complex as the threats themselves, which range from phishing attacks that dupe people into sharing sensitive information with hackers, to stolen SSL certificates that make malicious software and apps look like they can be trusted online.
Technology is the foundation that modern businesses are built on. Few businesses would be able to run without it and, from Alibaba to Uber, some exist only because of the possibilities unlocked by technology. Any business that is part of a supply chain – or any kind of value chain for that matter – is now inextricably linked to every other business in that chain. If your organisation is made up of different business units and operating companies, those connections are even more embedded and complex.
“At the heart of all of these connections is data, and it is that data which is targeted by hackers – whether acting alone or as part of a coordinated effort,” explains CY Wong, Regional Divisional Director for Financial Lines Group at JLT Hong Kong. “This is for the simple reason that in today’s world, data is valuable. Organisations are learning how to make full use of big data and becoming reliant on it, especially business-critical data. Hence, data is now being (and should be) recognised just like any other corporate asset, and protected and valued accordingly.”
While that might sound like a contentious opinion to many, from an insurance perspective the costs associated with data loss are beginning to feature increasingly prominently when businesses evaluate risk and remediation.
Last year, a UK-based telecoms company was fined £400,000 (US$518,060) after it was judged to have allowed customer data to be stolen ‘with ease.’ Also last year, the US Health & Human Services department announced it had levied a fine of US$5.5m on one of America’s largest healthcare systems providers following breaches that compromised approximately four million electronic patient records.
Wong continues: “Cyber Insurance products first came into being more than 15 years ago. One of their core features has always been mitigating the losses and costs incurred in a significant data breach. Such costs range from fines levied by privacy regulators, to legal fees during a regulatory investigation. After a breach, a company may see further costs still, in the form of hiring IT forensic experts to trace malicious activities or crisis PR specialists to protect the business’s reputation.”
For many businesses in the APAC region, all of this might feel like it’s happening a very long way away. But while that is true in one sense, things might be about to change.
In May 2018 the European Union General Data Protection Regulation (GDPR) comes into force. It replaces all existing data protection legislation with a single, consistent set of laws. For those businesses in Asia targeting customers in Europe, this is a piece of legislation worth paying attention to.
Among the GDPR’s requirements are that data must be handled with the highest levels of care, businesses must hire a Data Protection Officer, and – most significantly – all data breaches must be disclosed within 72 hours. That will be challenging for anyone who can’t detect a data breach considerably earlier than the current APAC average of 172 days (according to 2017 research from Mandiant).
“This law may apply not only to businesses in Europe, but potentially to any business that trades with Europe or stores the data of European customers,” Wong explains. “Failure to comply might result in maximum fines that could amount to 4% of a company’s global annual turnover. All it takes is one weak link in a company’s system chain to provide attackers with access to multiple systems, potentially wreaking havoc and causing costly harm.”
The Mandiant researchers calculate that it takes just three days after a compromise has taken place for attackers to equip themselves with admin rights and gain full access to a system. You don’t need an overactive imagination to see the potential for harm there.
In those territories where the fallout or fines from such attacks are either minimal or manageable, there would appear to be little to be overly concerned about. The risk/reward ratio might not send many running in search of cyber insurance. But that’s a situation that could easily change, especially as the laws of other countries look like they could start to impinge on the aspirations of increasingly successful and confident Asian businesses.
A short time ago, trade between East and West was a predominantly one-way affair. Big-name Western brands were falling over themselves to sell into China in particular. The world looks a little different in 2017 though, with a growing number of industrial and commercial heavyweights from the East now selling into Europe and North America and buying Western firms. But in so doing, such businesses put themselves directly into the jurisdictions of those market territories.
It is a cliché to say the world is getting smaller. But in many ways it is. Transaction timescales are shrinking and your most loyal customers might live on the other side of the globe. The rapid pace of change should indicate one thing above all else – predicting the future is harder now than it has ever been; change and uncertainty are the only certainties.
Wong urges businesses to evaluate their data risks and consider the role of cyber insurance. “Protecting your data also means protecting your customer relationships, your reputation and ultimately, your business. But risks can never be completely or perfectly mitigated. In the unfortunate event that a risk materialises, the next line of defense – and arguably the one that will prove most useful in the event of a cyber attack or data breach – is an at-the-ready toolkit to alleviate the damage. And this is where cyber insurance can play a pivotal role.”
While those risks persist, the role of cyber insurance products is plain to see. Remedial action could be an extremely costly affair, especially – as noted above – if regulatory bodies become involved and fines are levied. An organisation that is able to shoulder the burden and offset the cost will be able to act more swiftly and with greater confidence when it comes to putting right any damage and reassuring both customers and investors.