Speed VS scale VS security: Cyber underwriters try to tackle ‘impossible trilemma’

With more and more businesses prioritising speed and scale over security, cyber insurers must help balance the ‘impossible trilemma’, industry leaders said during an Insurtech Insights Asia Conference 2024 panel on Thursday (Dec 5).

The hack on Indian crypto exchange WazirX in July 2024, which cost the firm more than US$230m and forced it to restructure its Singapore-based parent company, was a key lesson for cyber underwriters in the crypto field, said Ginny Ngan, Vice President at Qubit Underwriting, a managing general agent (MGA) in the digital asset space.

“If we look at them, the solutions they’ve used on the wallet side is actually well tested and well used in the industry,” Ngan said. “What went wrong was their transaction operations, where they favoured speed over security, and somehow hackers were able to manipulate their transaction interface and actually look, change the address, and redirect all their outward transactions to malicious addresses.”

From the perspective of a cyber underwriter, businesses have increasingly valued speed and scale over security, which is why these hacks happen, Ngan added. “This is something we’re trying to pick up and help our clients balance between these three elements.”

The issue isn’t just limited to crypto, said Timothee Grange, Co-Founder and CEO at claimtech firm Quantum. “We continue to see the same pattern of ransomware being delivered through remote access services, especially RDP ports,” Grange said. Open RDP ports with very basic security or authentication measures are frequent, Grange added. “The password will be admin, 1234, it’s very common.”

Insurers are thus paying attention to misrepresentation in underwriting during claims, said Grange.

“We are seeing insurers paying much more attention, and we are starting to see the first cases of insurers raising misrepresentation of the risk when there is a claim,” added Grange. “Insurers in the past wanted claims to show that there is a value in cyber insurance, and now they are focusing on what you have said, what you have mentioned in your underwriting questionnaire, and they might deny cover.”

Selling cyber to the right people

Cyber insurers need to adapt to the needs of Asia Pacific SMEs and emphasise the benefits that cyber has in order to close the global cyber protection gap.

Even as Asian cyber premiums are set to rise to US$2bn by 2027, a significant protection gap remains for the Asia Pacific, which accounts for almost a quarter of all global incidents, according to a whitepaper by Marsh and Zurich.

“We have to put the emphasis on the benefit that cyber insurance has,” said Grange. Cyber insurance saves time, and it saves firms business interruption costs, he added.

“It’s not only a financial safety net — cyber comes with a lot of services post-incident. You have access to great breach coaches. You have access to ransomware negotiation. You have access to ransom payment facilitators, sanction checks and PR, so there are a huge number of partners that you can bring in very efficiently,” said Grange.

Finding a sustainable way to get resilience services to SMEs will be a challenge, said Alexandra Wrobel, Head of Cyber, Commercial Insurance in Asia at Zurich. “There are quite a number of hurdles to deploying something on such a large scale, but we are seeing success in a lot of mature markets with digital platforms and MGAs who are able to access that SME market and find some scale there.”

More SMEs know they are exposed to cyber threats, said Cynthia Huang, Head of Financial Lines at QBE in Hong Kong. Almost one in three SMEs surveyed in Hong Kong have experienced a cyber-attack, according to a QBE survey, with 71% of SME respondents open to buying cybersecurity insurance.

To support these SMEs, underwriting questionnaires will need to be easier to understand, said Huang. “Most importantly, we need to guide them on their best practices for them to deal with cyber exposure,” she added.

And insurers will have to think about how they can show immediate value to people who buy cyber policies as the market gets more competitive, said Jonathan Crompton, partner at law firm RPC. “Ultimately, a good pen test, a good tabletop exercise, or a good training session to start can reduce costs at the back end,” Crompton said.

“As brokers, as underwriters, we have to understand the product and sell the product,” Crompton added. “You’ve got to sell it to the CTOs, and in doing that, you’ve got to explain what it is that works.”