With the world digitalising at an increasing rate, the threat of cybercrime has risen dramatically in recent years, and emerging markets are no exception. While the shift towards online platforms – along with the development of the internet of things, smart cities and blockchain technology – is generating significant opportunities for wealth creation and helping to raise efficiency, it is also creating a new set of complex challenges for governments, businesses and individuals.
The widespread nature of cyberthreats has led to a considerable increase in the resulting cost of cybercrime. In 2015 UK bank Lloyd’s estimated that cybercrime, including direct damage and post-attack disruption to operations, cost businesses as much as $400bn globally. The UN’s International Telecommunication Union (ITU) predicted that this figure would reach $2trn by the end of 2019, while industry analyst Cybersecurity Ventures expects global damages to cost $6trn by 2021, a figure that would make cybercrime more lucrative than the illegal drugs trade.
The elevated threat, along with the rise in cost, is driving investment in protection, with global cybersecurity spending expected to total $1trn between 2017 and 2021. A growing share of this protection is cyberinsurance. While it is not considered an all-encompassing solution, cyberinsurance is an increasingly important form of security as companies, government institutions and individuals look to protect themselves from threats.
Cyberinsurance generally covers the losses of policyholders that stem from cyberattacks or data theft within an IT network. Policies usually include first-party risk coverage – related to the business’s own assets – or third-party risk coverage, which deals with the assets of others, usually in the form of clients or customers. In terms of specific policies, coverage falls into one of three categories: standalone cyberinsurance; package deals provided within traditional policies such as general liability; and non-affirmative – also known as silent – coverage, whereby exposure to cybercrime is neither explicitly included in nor excluded from coverage, which can often lead to uncertainty and litigation during the claims process.
While cyberinsurance was first developed in the 1990s to protect telecoms and professional services companies against the loss of customer data, many insurers in more developed markets now provide cyber-related services, such as prevention programmes and post-breach response services. Additional services offer customers more practical assistance than that offered by traditional insurance lines, such as deploying forensic investigators to look into the causes of the breach and offer solutions, public relations professionals to help with reputational damage and skilled negotiators to deal with ransom demands.
While still in its infancy, the cyberinsurance market has seen rapid growth in recent years. Market analysts estimated that global premium would rise from $1.5bn in 2016 to $6bn in 2019. As awareness grows, industry figures predict this could increase to $15bn by 2022 and to $20bn by 2025. Although cyberinsurance represents an estimated 1% of global insurance premium, a 2017 report from consultancy KPMG estimated that it was growing at 10 times the rate of overall cybersecurity investment, highlighting its strong potential. Despite this expansion, which has manifested across a series of increasingly digitalised industries, cyberinsurance is still concentrated in data-heavy areas such as financial services, technology, retail and health, which make up the bulk of global premium. According to research published in 2017 by UK insurance company Aon, financial institutions accounted for 29% of premium in the US cyberinsurance market – by far the world’s largest – followed by retail and wholesale (21%), health care (15%), business services and manufacturing (6% each).
Just as premium is concentrated in a small number of industries, the bulk of global market share is held by a few established, multinational insurers. The world’s 10 largest cyber-writers hold more than 50% of global premium, and are dominated by US and European companies. Some of the major players are Chubb, AXA, AIG, Lloyd’s, Travelers and Beazley.
The growth in coverage has been driven by an accelerating shift towards digitalisation across the world. As companies and government institutions continue to migrate their services online, more and more executives have identified cyberinsurance as an effective way to secure their assets. In addition, a number of high-profile cyberattacks in recent years have helped to raise awareness of threats.
Another factor helping to drive cyberinsurance growth is the enactment of data protection legislation. Laws such as the EU’s General Data Protection Regulation (GDPR), which was implemented in May 2018 and can fine companies for leaks in customer data, have been cited as factors driving insurance rates. Similar data protection laws are present in the US, with such legislation and stringent cyberattack reporting regulations common features of countries with greater cyberinsurance penetration. However, just as legislation has helped to drive cyberinsurance penetration, a lack of relevant regulations has proved to be a disincentive to uptake. In countries without strict reporting regulations, cyberattacks often go unreported, with companies fearful of the resultant reputational damage. As such, it can be difficult to gauge the rate of cybercrime in some countries.
As a relatively new segment, it is perhaps unsurprising that cyberinsurance is dominated by industrialised, high-tech countries. For example, the US accounts for roughly 80-90% of the global market. Around 15% of US firms purchase cyberinsurance, significantly higher than in other parts of the world, where the rate is often below 1%. The EU holds about 5-9% of global market share; however, this figure is expected to increase as more companies comply with GDPR requirements. Together, these markets account for between 85% and 95% of global premium, according to various estimates. While uptake among other regions – particularly developing economies – remains low, it also indicates significant room for growth.
Middle East & North Africa
The substantial cyberattack on state-owned oil company Saudi Aramco in 2012 emphasised the significance of cybersecurity for many governments and companies in the MENA region. The hack, described at the time as the biggest in history, saw 35,000 computers either partially wiped or completely destroyed within a matter of hours. While oil production remained steady due to the automation of drilling and pumping, the company’s ability to supply approximately 10% of the world’s oil was threatened as it was unable to make payments to distributors and other industry stakeholders along the supply chain. Given the importance of the oil and gas industry to the region, hydrocarbons companies face a heightened risk of cybersecurity breaches. A report published by Siemens and the Ponemon Institute in 2018 found that half of all cyberattacks in the Middle East target the oil and gas sector. As a result of this risk, countries in the region have generally been more alert to cyberthreats. In the ITU’s “Global Cybersecurity Index 2018” report, five countries in the MENA region – Saudi Arabia (13th), Oman (16th), Qatar (17th), Egypt (23rd) and the UAE (33rd) – were ranked in the top 35 out of 175 countries for cybersecurity protection. While cyberinsurance penetration is still low in the region, solutions are becoming increasingly available. For example, in Saudi Arabia, which spends more on cybersecurity than any other country in the region, online-focused insurer Tawuniya launched a series of cyberinsurance products in 2019, while industry officials in Morocco have sought to improve the regulatory framework and implement policies ahead of an expected surge in demand.
Although sub-Saharan Africa has some of the lowest levels of cybersecurity in the world, cyberinsurance has yet to make a significant impact in the region. Less developed digital industries, older infrastructure and low penetration of more common insurance have been cited as major obstacles to the segment’s growth. While overall uptake is still low, there have been significant developments in a number of the region’s more advanced countries. South Africa leads the way with the most mature cyberinsurance market south of the Sahara, while in Kenya, which has a comparatively developed financial technology and digital payments market, efforts have been made to cover a variety of cyber-risks. In August 2019 Britam General Insurance, a subsidiary of Britam Holdings, the country’s largest insurer, launched a cyberinsurance policy aimed at large firms, small and medium-sized enterprises (SMEs), hospitals and state-owned bodies. The rollout comes as Kenya lost an estimated KSh29bn ($284.1m) in 2018 as a result of cyberattacks, while official statistics showed that the number of hacks increased by 10% year-on-year in the first three months of 2019, with 11.2m organisations being targeted over this period. As in the US and the EU, cyberinsurance should see significant growth in Kenya after a new data protection law was passed in November 2019. Under the law, which complies with the EU’s GDPR requirements, those found guilty of breaching data protection measures face a maximum fine of KSh3m ($29,400) or two years in prison.
Ghana is another country with significant cyberinsurance potential but low penetration. Although it is one of the most rapidly expanding economies in Africa, with an average annual growth rate of more than 7% between 2017 and 2019, the country has a limited number of companies offering cyberinsurance, and uptake remains slow, in part due to a lack of awareness. “Cyber-liability insurance is important for any entity that keeps third-party data, thus demand for this cover should be high. Most corporates are exposed but do not seem to know that they can transfer the risk to the insurance markets,” Darlington Munhuwani, CEO of Allianz General Insurance Ghana, told OBG.
The Asia-Pacific region has varied levels of development in its cyberinsurance markets. While it is home to some of the world’s most innovative countries in this respect, other economies still have nascent or very limited options. In terms of broader cybersecurity, Asia Pacific is home to five of the top-15 countries in the ITU’s “Global Cybersecurity Index 2018” report: Singapore (6th), Malaysia (8th), Australia (10th), Japan (14th) and South Korea (15th). In November 2018 Singapore announced the launch of the world’s first commercial cyber-risk pool, a facility that provides insurance to corporate buyers. The pool will commit up to $1bn in risk capacity, and is backed by capital from traditional insurance companies and insurance-linked securities markets.
Another country poised to benefit from developments is Indonesia. With 150m internet users and an underdeveloped cybersecurity system, the country is at the epicentre of global cyber-vulnerability, experiencing more than 200m attacks in 2018. Indonesia is also the world’s largest source of cyberattacks, with poorly connected servers being used to target both domestic and foreign firms. Given the significant threats – and the size of the market – Indonesia has more expansive cyberinsurance coverage than some of its South-east Asian neighbours, with most major banks, along with a range of private firms and start-ups, offering policies. Despite this, uptake remains quite low. However, this should be boosted by the introduction of a personal data protection law, described by government officials as a priority piece of legislation for 2020.
While cyberinsurance coverage is forecast to gain traction in Indonesia, at the far end of the scale countries such as Papua New Guinea and Myanmar have limited industries dedicated to cybercrime and risk in general, with subsequently low levels of cyberinsurance. However, the ongoing liberalisation of the broader insurance sector in Myanmar could provide a platform for future cyberinsurance development.
Latin America & the Caribbean
Latin America has also experienced a rapid increase in both cyberthreats and cyberinsurance penetration. While coverage is still comparatively low, a rise in high-profile data breaches is helping to raise awareness of the matter.
For example, Mexico experienced 300% growth in cyberinsurance premium in 2018, according to insurance broker Lockton Mexico. This came as MXN300m ($15.5m) was siphoned from five financial institutions in 2018. The intergovernmental Organisation of American States estimated in 2019 that cybercrime inflicts financial losses of $3bn-5bn per year in Mexico. “Both regionally and globally, a lack of cybersecurity is one of the top threats facing businesses, and this is only growing as societies become increasingly digitalised and interconnected by technology,” Marcelo Hernández, CEO of AIG México, told OBG. “Many emerging economies are underprotected, and therefore the growth in cyberinsurance will be most pronounced in these markets over the coming decade.”
Peru is experiencing similar conditions: according to reports cited by local media, the number of cyberattacks grew by 600% year-on-year in August 2018. This has created more awareness within the business community and resulted in increased investment in cybersecurity, rising from $135m in 2017 to $180m in 2018. While Peru still has a low level of cyberinsurance penetration, it is expected to grow in the near future.
Despite the threat of cybercrime increasing, the uptake of relevant forms of insurance remains low in developing countries. A common challenge in boosting coverage is the lack of awareness among businesses and individuals of the insurance options available. According to the “Global Cyber Risk Perception Survey Report 2019”, released by US insurance and risk-management company Marsh and multinational technology giant Microsoft, 31% of businesses surveyed were unsure whether the cyberinsurance policies on offer could meet their needs. Although this figure was down from 44% in 2017, it shows significant room for improvement.
Moreover, even though major cyberattacks have made global headlines in recent years, industry players note that many business owners and executives in emerging markets feel that they are removed from the threat or are too small to be targeted. “Cyber-risk has historically been viewed as an internal IT security issue. Furthermore, there is a famous saying in Trinidad and Tobago – ‘God is a Trini’ – which means that people think certain things are never going to happen to us,” Rodney Farah, managing director of the Trinidad-based insurance broker PRFC, told OBG. This perspective is shared by many small businesses. According to the 2019 survey by Marsh and Microsoft, 57% of firms with annual revenue over $1bn were likely to have cyberinsurance, compared to 36% of those with annual revenue under $100m.
Although large organisations remain key targets, smaller firms are increasingly suffering from data breaches. KPMG noted that big businesses accounted for less than 20% of global cyber-losses in 2016, and professional services firm Accenture found that 43% of cyberattacks targeted small businesses. Given that just 14% were deemed prepared to defend themselves from cyberthreats, analysts have warned that data breaches could be highly destructive for SMEs.
Despite some of the challenges, cyberinsurance is expected to continue its strong growth trend across emerging markets as more companies and government institutions migrate their operations online. An increase in data protection laws across these regions should also help to drive expansion, with industry analysts expecting much of the market growth to come from mid-sized companies.
As the market matures, so will the products on offer, and insurers are anticipated to target new sectors and provide more specific policies. For example, in November 2019 Zurich Insurance Group, Switzerland’s largest insurer, released cyberinsurance coverage specifically tailored to the manufacturing industry, a sector with traditionally low levels of penetration. Insurance providers are also expected to increasingly follow the examples of industry leaders AIG, Allianz and Lloyd’s by explicitly excluding cyber from their conventional property and casualty packages in order to avoid the so-called silent risk of unintended cyber coverage.