Firms take cover as they come under cyberattack
As the number of high-profile internet security breaches increases at an alarming rate, Hong Kong will see more interest in so-called cyber insurance products, experts say.
'The market will go from having a handful of cyber insurance solutions on offer to having a multiple of 10 to 20 such insurance products available within the next six to 12 months,' said Murray Wood, the regional managing director in Asia for the financial services and professions group at Aon Risk Solutions.
The company is the global risk-management business unit of London-based Aon, the world's largest reinsurance broker.
'We will see a rash of insurers launching these products, which would acknowledge that the demand for these policies is developing quite quickly,' Wood said.
'There may be at least a dozen insurance companies with such offerings in Hong Kong.'
Some of the most active firms helping to educate the Hong Kong market about the level of network security threats, the consequences of those risks, and the availability of cyber insurance policies include Chubb, one of the largest property and casualty insurers in the United States, and Chartis, which launched its comprehensive cyber-related product line in May.
'Our discussions with a number of international insurance companies in Asia show that they have lined up new insurance policies to take on cyber security liabilities, such as unauthorised network access, business interruption as a consequence of their networks being breached and data privacy issues,' Wood said.
He pointed out that the high-risk industries in Hong Kong and Asia that require cyber insurance products were the same as those in the rest of the world.
These include the financial services, health care, technology, e-commerce, retail and education sectors.
'There has been a clear increase in the frequency and severity of cyber incidents that have had an impact on businesses in Hong Kong,' Wood said.
Police last week said the websites of 16 Hong Kong gold and silver investment and securities trading companies - with a combined estimated daily trading volume of HK$44 billion - were compromised by mainland computer hackers.
Six men from Shanghai, Hunan and Hubei were arrested in a joint operation by Hong Kong and mainland police on June 20 for launching targeted distributed denial-of-service (DDoS) attacks on those websites and blackmailing the affected companies for a total of 460,000 yuan (HK$563,000).
DDoS attacks bombard servers running the targeted websites with more incoming data than the computers can handle, effectively shutting them down.
The police in May reported that e-mail fraudsters ramped up attacks against companies in Hong Kong. Losses by local and overseas firms totalled HK$23 million that quarter, up from HK$1.18 million in the same period last year.
Police said international and local syndicates were behind the e-mail fraud. They hacked the e-mail accounts of the affected companies to harvest information that was used to impersonate the victims' business partners. These companies were then duped into sending payments to new bank accounts controlled by the hackers.
In August last year, a wave of DDoS attacks crashed the regulatory disclosure website of Hong Kong Exchanges and Clearing (HKEx). Investors were not able to access company announcements.
That also forced the suspension of shares in seven firms with a combined market value of HK$1.5 trillion, including blue-chips HSBC Holdings, HKEx itself and Cathay Pacific Airways. Trading was also halted on a listed debt security and 419 warrants and derivatives linked to the suspended stocks.
At the launch of Chartis' CyberEdge insurance product in May, its Asia-Pacific vice-president, Ian Pollard, described Hong Kong companies as 'significantly unprepared' for cyber liabilities. Pollard urged the leaders of these firms to 'get serious about managing their cyber risks'.
An industry source said the recent legislative approval of amendments to the Personal Data (Privacy) Ordinance could also help spur demand for cyber risk-related insurance policies.
The amendments were introduced last year to the Legislative Council, following the 2010 scandal concerning the Octopus card company's sale of customer data to its business partners.
In a recent report, DLA Piper solicitor Arthur Cheuk Ho-yin said the amendments required data users who wished to use, provide or sell personal data for direct marketing purposes to make specific disclosures to the 'data subjects', or individuals to whom the personal data related.
Such disclosures include the types of personal data and parties involved, the classes of goods/services to be marketed, and the right of data subjects to opt out.
Wood, of Aon, said: 'Legislation is trying to catch up to the pace of technology and new threats. Cyber risk has become an important boardroom discussion, not just a discussion for IT professionals.'
The Hong Kong insurance market's total gross premiums for last year reached HK$225.8 billion - an increase of 9 per cent from the previous year.