Much like the cost of healthcare for the sick, the truth is that the cost of cybersecurity solutions is often out of reach for small and medium-sized enterprises (SMEs).

Gene Yu, CEO of cyber crisis management firm Blackpanda, says the average cost of an incident response case ranges from US$30,000 to US$50,000 for SMEs, with long-drawn ransomware cases running up to seven figures. Small firms are forced to choose between insecurity and their bottom lines.

“We came to realise that the most affordable way for people to purchase our solutions was through cyber insurance,” says Yu in an interview with The Edge Singapore. Much like health insurance, risk-pooling allows policyholders to enjoy cybersecurity coverage for a fraction of the original price. Insurers benefit too since offering cybersecurity services lowers the risk of their clients, which by extension means lower premiums for policyholders.

Recently, Blackpanda has teamed up with cyber insurance firm Pandamatics Underwriting to provide cyber insurance coverage of up to US$5 million for a range of industries. These policies cover a full spectrum of cyber risks ranging from human errors to cyber-attacks, financial losses and reputational damage.

“While many insurers provide elements of cyber insurance coverage under other policy types and extensions, we understand that cybersecurity poses an existential risk to modern businesses that must be addressed directly, through comprehensive coverage and holistic cyber risk management solutions,” says Struan Todd, Pandamatics’s vice president of Underwriting.

Insuring the cyber world

With the increasing digitisation of the global market, demand for cyber insurance has been creeping up for some time. “The US [cyber insurance] market has been growing substantially for a number of years. It is expected that the Asian market is on track to be the fastest developing,” says Todd, with the latter seen to be worth US$1 billion by 2025.

Yet, many players have been hamstrung by trying to apply existing insurance methodologies without consideration for regional nuances. This is why Pandamatics seeks to differentiate itself from the rest of the market by being the Asian “hub of cyber-risk resiliency”.

Typically, insurance companies will appoint a “breach coach” — usually a law firm or loss-adjuster — to provide guidance when a cyber breach occurs. The coach will form a panel of relevant experts, such as forensics and public relations consultants, to handle the fallout from the breach.

But this process is often slow since the coaches will want to ascertain if an event is insured before forming this panel. This slows the response to an escalating crisis, a delay worsened by the designated forensic experts’ lack of familiarity with their clients.

“I want clients calling the firefighters straightaway,” says Todd. Instead of having to wait for the breach coach to arrive, Pandamatics’s clients can, thanks to their pre-existing relationship, contact Blackpanda immediately to conduct a crisis response. Blackpanda can also quickly apprise Pandamatics and their appointed breach management firm Crawford & Company of the ground situation to rapidly kickstart the crisis management process.

While Pandamatics’s novel process is relatively new, it is backed by established names in the field. It is supported by Hiscox and Chaucer, syndicates of legacy insurer Lloyd’s of London. Should Pandamatics find itself unable to pay out clients for a breach, it can call on the considerable resources of Lloyd’s and its syndicates to make sure that everyone gets paid. Pandamatics is only Lloyd’s third cover holder in Singapore.

SMEs are currently the backbone of Pandamatics’ and Blackpanda’s business. Still, Todd does not rule out the possibility of creating services for multinational corporations (MNCs) and even business-to-consumer (B2C) solutions as the firm grows across Asia. Currently, the barriers to applying Pandamatics’ and Blackpanda’s model to MNCs and B2C solutions are complexity and lack of cost-effectiveness respectively. SME clients have the right mix of simplicity and cost-effectiveness to be a viable business segment.

While there are some firms offering such services in the US in the form of “cybersecurity insurtech”, such services are not yet common in Asia due to high barriers to entry. Blackpanda’s Yu says that obtaining the highly-skilled personnel and licences to operate such a business is no easy task. But with the relationship between cybersecurity and insurance as close as “lips and teeth”, he sees such services as the future of the cyber insurance industry.

Cyber insurance

While there is a growing awareness of cyber-attacks and the need to protect oneself, there is also a need to understand the importance of cyber insurance. Cyberspace is still largely unregulated, and despite its best efforts, an organisation may still get hit by a cyber-attack. What it will need are experts who can help it manage the crisis and get its business back up and running quickly.

In most cases, this attack will take the form of ransomware. Yu says this is the “number one” type of event that Blackpanda responds to. The company specialises in ransomware negotiations and negotiation advice to help affected companies get safely through the extortion. If it comes to the point where the affected company needs to pay the ransom, Blackpanda will help with the process.

Some may ask if it is necessary to go to all these measures. After all, can a company not simply clear the affected system and restore a clean back-up to deal with ransomware?

Yu does not think so — cyber criminals have many tricks up their sleeves, and no two ransomware situations are the same. He also remembers a time when a company was hit with a ransomware attack and, when Blackpanda offered its services, the company decided that it was too expensive and simply restored the back-up it had.

What the company did not know was that the attackers were still in their system and once the back-up was loaded, the attackers proceeded to encrypt the back-up and the original system, compounding the problem. Nothing else could be done except to cough up a considerable ransom.

His advice for SMEs? “Find people who do this for a living to help you get through the crisis. We’ve seen all the pattern recognition so we certainly would have some value to add in terms of historical context and strategies.”

As digital devices, solutions and networks become increasingly part of our daily lives, Yu foresees cyber insurance becoming common, like mandatory fire insurance for buildings. He likens the model to the current so-called “social contract” that a country has with its residents. “If a fire breaks out, we call 995. But how do we pay for that service from the government? Through tax. We all pay a little bit into the kitty and then that pays for the unfortunate few.”

In cyberspace, the government cannot put together an omnipresent, all-encompassing response. The solution, Yu says, is to pool risk via an insurance model “and that way we can replicate a bit like the tax system, making it affordable for the Singapore SMEs to have cyber insurance on standby.”

Taking it one step further, he believes that cyber insurance could become mandatory in future, considering that the world’s digital systems are intertwined with users’ lives. Referring to the fire insurance model, Yu adds: “The chance of a fire happening is one in 2000. The chance of a cyber-attack right now is one out of five. Which insurance do you think you need more?”

Photo: Bloomberg