Are Asian SMEs Prepared for Growing Cyber Threat?
Executive Director of the Asia Pacific Risk Center and Partner in Oliver Wyman's Finance and Risk practice
Senior Research Analyst at Marsh & McLennan Companies' Asia-Pacific Risk Center
A recent cybersecurity investigation conducted by Singapore-based Interpol Global Complex for Innovation revealed significant cyber threats across the Association of Southeast Asian Nations (ASEAN)—approximately 9,000 servers across the region were laden with malware, which compromised several websites and government portals.
A more significant cyber event took place in February, when the Singapore Ministry of Defence reported a security breach resulting in the theft of the staff’s personal data.
Asia Almost Twice as Likely to be Targeted by Cyber Attackers
The revelation by Interpol is one of the many investigations that confirm the growing cyber threat in the region. Asia-Pacific (APAC) is becoming a prime target for cybercrime due to its higher threat potential and weaker cyber risk mitigation efforts, as detailed in the recent cyber risk report published by the Asia Pacific Risk Center.
The speed of digital transformation has evolved, enabling cyber attacks to become more sophisticated and increase in frequency, with attackers becoming bolder with every successful attempt on relatively easy targets.
The worrying cyber-risk trend in recent years has caught the attention of several APAC lawmakers; Singapore, Malaysia, China and Australia have either introduced or updated their data privacy laws to ensure better management, security and control of data (Exhibit 1).
Exhibit 1: Recent developments in the APAC region in terms of data privacy and breach disclosure regulations
In Singapore, apart from updating the existing Computer Misuse and Cybersecurity Act in March 2017, a new stand-alone Cybersecurity Act will be introduced later this year that will mandate Critical Information Infrastructure (CII) facilities to report any cybersecurity breach and incidents.
The bill is currently in discussion and debate in the Parliament; it remains uncertain whether the legislation will ultimately cover sectors beyond CII. However, what is clear is the recognition by authorities and governments of the growing cyber risk in the region and the proactive steps already taken in the region’s battle against cybercrime.
Cybersecurity a Growing Risk Concern for SMEs
While cyber is a growing risk for large companies, it may be a relatively more elevated risk concern for small- or medium-sized enterprises (SMEs), which may be less resilient than their larger counterparts. Less sophisticated systems and technology, a lack of internal cybersecurity resources, potentially relying on less-than-cutting-edge outsourcing partners, and greater dependence on a smaller number of customers all highlight the heightened risk and overall resilience requirements for SMEs to better protect themselves and recover quickly in the event of a cybersecurity breach.
According to a recent survey, cybersecurity is one of the biggest concerns for Singapore-based SMEs. While 25 percent of respondents experienced either an attempted or actual data breach or cyber attack in 2016, a fifth of the respondents were uncertain about whether they had experienced any compromise (Exhibit 2).
Exhibit 2: Insights from the Beazley-SBF (Singapore Business Federation) survey on the Perception of Cyber Security Risk based upon 76 Singapore-based SMEs
Despite the rising vulnerability to cybersecurity breaches, a lack of awareness and high investment costs remain the two immense challenges faced by SMEs. Cybercrime poses a greater threat to SMEs, since they have significantly fewer resources as a buffer, unlike larger organizations.
How Can SMEs Address Cyber Threats?
To address cybersecurity concerns, SMEs will first have to understand the types of cyber threats confronting them. They can start by making use of available resources and support platforms provided by the government, such as the Employee Cybersecurity Kit and the Cyber Security Awareness Alliance, which were both launched in 2015 to help local businesses enhance awareness and adopt essential cybersecurity practices.
In fact, identifying potential cyber threats is the crucial first step that businesses should undertake, and it is part of integrating cybersecurity into the enterprise-wide risk management plans.
Finally, besides putting in place the appropriate cyber risk management processes, SMEs must also consider the extent of risk transfer cover they need in response to a cyber attack, since cyber risk cannot be fully eliminated and the question will often remain when, not if.
Consider Risk Transfer via Insurance Coverage
SMEs may be overwhelmed by the accelerated pace of technological change, the extent of investment needed to protect against increasingly sophisticated attacks, and ensuring comprehensive cyber-risk management strategies are implemented.
As such, insurance is being seen as a complementary and valuable risk-management tool for SMEs, with some Asia-based insurers (such as AIG and Beazley) developing tailored products for the SME segment. Cyber insurance premiums and coverage will vary, dependent on industry, risk profile and risk controls.
Nonetheless, cyber insurance adoption among Singapore SMEs generally remains below 10 percent, with less than 5 percent of manufacturing companies holding such policies, compared to 35 percent or more of companies in the financial services, technology, and telecommunications sectors. Similar to Singapore, only 14 percent of Australian small businesses held cyber insurance policies in 2016, although 19 percent of those surveyed are looking to purchase cyber insurance in 2017.
These statistics are a far cry from the cyber insurance market in Western economies such as the U.S., the UK and Germany (Exhibit 3).
Exhibit 3: Comparison of selected countries’ cyber insurance take-up rates
Moving Ahead with Resilience
There’s no doubt that insurance plays a key role in cyber risk management. However, SMEs as well as large corporations need to be cognizant that a cyber insurance policy is just one of the many strategic response tools that form a holistic cybersecurity management framework.
In the fight against cybercrime, the government is more than just a regulator; it holds the authority to create and shape a more conducive environment to mitigate cyber risks. In the APAC region, we have seen most governments step up efforts to put in place law enforcement on cybersecurity.
Business leaders will also need to find the right balance between cybersecurity investments and securing the appropriate insurance plans suitable to the unique needs of their industry or organization amidst changing cyber legislation and a changing risk landscape.