Cybersecurity comprises a lot of different aspects, but we’re now seeing those in the insurance industry getting more involved in the cybersecurity space because let’s face it, in today’s world, cybercrime, hacks, cyber fraud and breaches are a legitimate and growing risk that most organisations have to deal with whether they like it or not.
Therefore, it was interesting for CSA when we were invited to attend a media briefing by global insurance company, Chubb, who shared findings from its SME Cyber Preparedness Report 2019 titled ‘Ignorance is Risk’, as it provides a viewpoint of cybersecurity from a slightly different angle than what we usually see in our coverage.
According to Chubb’s survey of Small and Medium Enterprises (SMEs) in Malaysia, there exists a significant perception gap between the threat of cyber risks and how prepared SMEs are to deal with them. For instance, while 67% of Malaysian SMEs believe that large corporations are more at risk when it comes to cybercrime than SMEs, 84% of the respondents in Malaysia were victims of cyber incidents in the past year.
“This is a worrying misconception,” said Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific. “Particularly with the recent implementation of the National Cyber Crisis Management Plan by Malaysia’s National Cyber Security Agency to combat cyber threats.”
“Complacency leaves the door wide open for malicious attacks, future breaches and inadequate incident response,” he added. “In fact, smaller companies face a larger degree of exposure to cyber risk owing to their size and resources, as well as the lack of capital to invest in cyber risk management tools.”
The Best Laid Plans?
While 61% of Malaysian’s SMEs say they have a data breach response plan in place, around the same figure, 60% of respondents reported that they were unaware of all the cyber threats that they face. This could likely mean two things: an even higher percentage than 84% of SMEs could have actually suffered from cyber incidents but don’t realize it, and due to a lack of understanding of the threats, the response plan that they have in place may not be sufficient to be able to help them recover their business and data when they need to do so.
As the title of the report alludes to, being ignorant of the risks and ways to mitigate those risks pose a huge risk to businesses today.
It’s also important to note that there is a clear difference in cyber preparedness among SMEs of different sizes. 77% of SMEs with 100-249 employees have a data breach contingency plan compared with 53% in smaller SMEs with fewer than 50 employees.
Andrew explained that Chubb decided to conduct the survey focusing on SMEs because they make up 98% of businesses in Malaysia, employing 65% of the country’s workforce and accounting up to 38.3% of its GDP. Thus, without good risk mitigation, incidence response planning and consideration of cyber insurance, they will in fact be the hardest hit.
On a positive note, according to the report, Malaysian SMEs were faster to respond to cyber incidents than other markets surveyed, with 67% resuming operations within 12 hours of a cyber incident. Two-thirds (66%) indicated that everyone involved knew the proper protocol and crisis response went ahead as planned.
Man vs Machine – Where’s the Greatest Risk?
With nearly half (48%) of cyber incidents resulting from human and administrative error, it is unsurprising that more than one third (37%) of SME leaders in Malaysia say their employees’ poor understanding of potential cyber threats is challenging their ability to protect their business. Critically, 20% of SMEs believe employees are the weakest link in their cyber defence.
While leaders recognise the importance of cyber training, 41% believe that employees are neglecting their responsibilities around data protection.
In the event of a major cyber incident, businesses indicated that customers (60%) followed by company profits and reputation (58%) would be most affected.
When people think of cybercrime, they often think about theft of money. However, this is not always the case. The value of data has grown tremendously in the age of digital economy. Among Malaysian SMEs, customer records are the most commonly breached data – with 40% of businesses facing a breach of customer files in the past 12 months, followed by R&D data, IP data and financial performance data, all at 31%.
How Insurance Can Help
The survey further found that 70% of SMEs believe the insurance industry has an important role to play in helping businesses protect themselves against cyber risk. However, 60% also believe the industry is not moving fast enough to keep up with the rapidly evolving nature of cyber risk.
“In Malaysia it is concerning to see a high number of small businesses falling victim to cyber incidents coupled with a general lack of understanding and preparedness around the risks,” said Steve Crouch, Country President, Chubb Malaysia.
“Worryingly it appears many Malaysian SMEs falsely believe that their general insurance policies cover cyber risk, when in fact it most likely does not. Given the large proportion of the economy that SMEs make up in the country, I believe this is a critical issue to address.”
When asked whether SMEs should invest in insurance or focus on cybersecurity and data protection technologies to boost their cybersecurity posture, Andrew said that education is essential, and businesses need to understand the value that they get out of their investments.
“Insurance should be seen as something that’s offering them access to tools to help them cut down the confusion they might be suffering about how to manage [the risk],” he explained, before adding that this is a business issue and not an IT issue.
“Once the businesses realise that this risk is something our IT departments need assistance with, they'll see the value in the policy, because it gives them access to: vendors they couldn’t normally afford; a range of vendors that suit large or small industries; a range of vendors that they wouldn’t even know exist or otherwise have access to; credit monitoring services; crisis management experts; global lawyers around the world; as well as 24/7/365 hotlines to help them,” Andrew said further.
And because SMEs are resource-constrained, Andrew said they need to trade off where they get the biggest value or benefit for their business. He added, “I see the biggest value is buying a small premium insurance policy because all the value it gets, because they know spending the extra money on IT can’t stop this risk. No matter how much technology their business buys, it will not make them 100% secure. They will always have a risk. All industry reports indicate that.”
Steve then said that in recent years, Chubb Malaysia has been focusing on making people aware of the risks they’re facing. “Insurance product is one mitigating factor, but there is a whole range of other mitigations that can be taken.” He continued, “So we’re focused on mitigation and awareness, and part of [the goal of] this report is to enhance further the awareness of cyber threats and the options that consumers have.”