Navigating through the COVID-19 pandemic, 2020 turned out to be quite a busy period for CISOs across the APAC region. Organisations were faced with managing operational continuity by invoking their BCM processes while, simultaneously, working to strengthen their network security in order to create a safe environment free of any security incidents. Despite all these efforts, attackers were still successful in infiltrating networks via different techniques. Taking advantage of the special circumstances during the last year, the number of cyber-attacks increased, and hackers found new methods to infiltrate, causing multiple impactful incidents.

Ransomware attacks and data breaches continued to remain as common, albeit consequential threats throughout the year, contributing to a noticeable overall increase of incidents. Based on a study by Microsoft, APAC had 1.7 times higher-than-average encounter rates* for ransomware attacks than the rest of the world. The region accounted for 7% of the total number of reported ransomware incidents in 2020, with Maze and Revil as the most prolific ransomware behind more than 50% of all successful attacks. 

It is no surprise that the development of ransomware attacks in APAC is observed also on a global level. The diagram below shows the increasing trend of financial losses due to the rising ransomware incidents up to 2021. With APAC experiencing a higher encounter rate compared to the rest of the world, it is expected that the region will emerge to become an additional driver to this global trend.

 

*defined as the percentage of computers running Microsoft real time security products that reported a malware encounter

In step with the worldwide industry trend for 2020, most of the ransomware attacks within the APAC region set their sights on the manufacturing industry followed by government, education, technology and healthcare sectors respectively. The ransomware incident trends were mainly seen in form of:

• Big Game Hunting (BGH) which consists of targeting large-scale corporate-controlled businesses
• ‘Leak and Shame’ tactics that add the pressure of being publicly shamed with the release of sensitive information of a ransomware victim if ransom is not paid
• Ransomware-as-a-Service (RaaS) in which hackers sell or lease their ransomware exploit codes to associates who may not have the technical expertise to perform an attack on their own

As a consequence of the above ransomware developments, here are some key outcomes that were experienced in 2020 in APAC and globally:

• In Q2, Coveware, a security vendor, estimated the average ransom payment was around US$ 178,000. That was 60% higher than Q1 period. 
• The average downtime cost totaled to US$ 283,000 – an almost 100% increase from 2019.
• Higher ransomware attacks on SMEs in Q2: 55% hit were on businesses with fewer than 100 employees and 75% were on companies making less than US$ 50m in revenue.
• 73% of all ransomware attacks were able to encrypt victim’s data, as per the Sophos report.

Ransomware attacks have still managed to have an adverse and quite relevant impact to the respective economies. Using India and Japan as a litmus test for APAC, here are some key trends and highlights that were observed and remain indicators for the region as a whole: 

India:

• India, compared to the rest of the region, was the most affected by the ransomware attacks in 2020 – resulting in increased frequency and severity of losses claims. 
• As per the recent survey by a local media and information1 platform, 74% of organisations in India suffered ransomware attacks, of which, more than one-third paid ransoms of between US$ 1m to 2.5m to hackers in order to recover the data and system access.
• High Business Interruption (HBI) and data breach losses were focused mainly on the large and mid-corporates segments, e.g., Lupin, Interglobe, Dr Reddy, Haldiram and The Press Trust of India.

Japan:

• Ransomware has been identified as the biggest threat to local organisations. As per the recent report from IPA, the threat of ransomware has jumped from 5th ranking in 2020 to number 1 in 2021.
• As per the security provider report, Japan has had the least success at stopping attacks with 95% of attacks resulting in the encryption of data. This implies lower defensive measures that result in higher success rates for attackers in comparison to the US (25%) and Germany (31%) respectively.
• Large and mid-corporates were largely targeted which also led to HBI losses and multiple data breaches, for example, in the cases of Honda, Canon, NTT Docomo and Capcom.

The cyber threat landscape of the past year has affected the way the insurance industry does business as well. In the light of deteriorating loss ratios and dynamic exposures, global (re)insurance carriers are taking actions in order to re-establish a long-term sustainable market environment. Various international lead cyber insurers have implemented partly radical changes in their risk and underwriting approach. The global market is hardening and, in the first months of 2021, we are already seeing this hardening all over Asia as well, especially in more mature markets. 

Key implications for cyber insurance in Asia Pacific markets moving forward: 

• Market Hardening: Hardening market conditions were observed in 2nd HY 2020 on a global level. 2021 is likely to catch up with this development – and we expect APAC to follow this global trend. 
• Terms and Conditions: Cyber has started off in a soft market in regard to where new business has been generated. The market increasingly became softer due to the broadening terms & conditions of cyber insurance. This trend has been interrupted in a good way. We are starting to see tighter terms and a trend of implementing exclusion rather than deleting them.  There is now a tendency towards having a full Critical Infrastructure exclusion as a market standard in order to maintain sustainability. We are glad to see regulators in India and other countries also seeing this as the most favorable direction forward. 
• Rate Increase: The soft market conditions rates have been decreasing for the better part of the last five years. Due to less capacity, reasonable deployment and diligent Underwriting, we are now seeing substantial rate increases.
• Underwriting Excellence and Risk Assessment: In 2021, the key will be to re-establish Underwriting discipline in general with a strong focus on ransomware events since the latter can trigger several heads of cover. Ransomware claims may lead to an increasing acceptance of sub-limiting ransomware or crime cover.
• Claims: The above-mentioned threats have already materialised into increased claims activity in 2020. At this point, the utmost importance is to learn and work closely between underwriting, claims departments and external Service Providers in order to implement the learnings into informed underwriting processes. 
• Growth: Healthcare, Professional Services, Retail, Manufacturing, Governmental agencies including Educational Institutions as well as Financial Services will be driver for losses and therefore demand. SME will be hit dis-proportionally by such losses as well.
• Silent Cyber: Cyber markets are looking to carve back silent cyber to make it affirmative. In line with property/casualty policies excluding silent cyber, this may foster growth.
• Coverage elements: Importance of how to deal with Cyber Warfare and Cyber Terrorism. The Trend for Cyber Terrorism will disappear from cyber policies and war will be excluded. The discussion around Cyber Pool solutions may arise. 

Munich Re, as a global cyber player, remains dedicated to adequately assessing risks within the rapidly growing cyber market. We see the above evolution of risks and changes to the landscape as further proof that properly assessing these perils and providing risk-adequate pricing requires exceptional cyber experts working together across industries, markets and regions – this remains true for Asia, especially when looking at trends in India and Japan. This transparency remains the key to achieving sustainable and profitable growth across the entire cyber insurance industry.