The growing cybersecurity threats and their potential to negatively impact not only business revenue but also corporate reputation are pushing companies in Hong Kong to start looking at cyber insurance as an extra protection in the event of a security incident.
One such company is Hong Kong-listed First Shanghai Investments, whose financial services offerings include brokerage (securities and futures), asset management and corporate finance.
The company is currently seeking insurance cover for business loss caused by data breach, network damage due to a DDoS attack, and cyber extortion.
“Standard commercial insurance policies cannot cover cyber risks,” Henry Mo, chief information officer, First Shanghai Investments told Computerworld Hong Kong. “Furthermore, HKMA and SFC are starting to tighten regulations around cybersecurity. The SFC, for one, has given some guidance about customer compensation arrangement in case of any cybersecurity incident.”
First Shanghai Investments believes that the timing is right for buying cyber insurance. Last year, it has set up a cybersecurity committee within the organization. Moreover, it was selected by the SFC as one of five brokerage firms to recently undergo an onsite cybersecurity audit. Hence, the company has a very good handle of its cybersecurity posture.
However, talking to several international insurance brokers for more than a month now, the company discovers that finding a cyber insurance policy that fits their needs is not an easy task.
“There is a dizzying array of cyber insurance products in the marketplace – each with its own insurer-drafted terms and conditions, which can vary dramatically from insurer to insurer,” Mo noted.
He added that some policies are more comprehensive while others are replete with loopholes. And still some have no clear procedure for paying out compensations.
And Mo observed that since cyber insurance is relatively new, some insurance brokers have little experience in how to sell these insurance offerings; and they lack product understanding.
“So it is important to look at the sales experience of brokers selling cyber insurance products. Look at their past cyber claim records, and assess the strength and quality of the insurer that holds the policy. Be sure that the insurer is financially strong,” he said.
Complicated proposal form is a big hurdle
For companies keen to begin shopping for cyber insurance, Mo warns that they should brace themselves for the complicated checklist and proposal forms that have to be filled, so that prospective insurers can assess their risk profile and calculate the premium.
“The first big challenge is how to fill pages after pages of the proposal forms. They ask a lot of questions and some of them are very confidential. And it can be very hard to get the data they are asking for,” he said.
Insurance brokers such as Jardine Lloyd Thompson are aware of the problem and they have simplified the proposal forms to make it easy to complete.
“We have agreed with our key insurers that JLT will provide clients with seven questions. They answer those seven questions and the insurers can give an indication to the terms such as pricing, deductibles and limit of coverage – at the very least. So, I can go to a client without him getting scared of the proposal forms,” said CY Wong, regional division director of the Financial Lines Group at JLT.