Companies in the region now value intangible assets above physical assets, and recognise that a major loss to intangible assets is likely to be more damaging than a major loss to physical assets, a major shift from 2015. Despite this shift in risk awareness, however, protection of intangible assets by insurance has not increased at the same pace, according to the latest Asia Pacific (APAC) Cyber Risk Transfer Comparison report from Aon and the Ponemon Institute.
Among the 520 individuals in Asia Pacific surveyed, who are involved in their company’s cyber risk management as well as enterprise risk management activities, information assets are now valued at about $903 million, as compared to $824 million for physical assets loss (based on Property, Plant and Equipment). In contrast, information assets in 2015 were valued at $589 million compared to a higher $706 million for physical assets.
Meanwhile, the probable maximum financial impact of losses to information assets increased to $939 million this year, a major increase from just $297 million in 2015, while that for physical assets stands at $739 million in comparison ($595 million in 2015).
Information assets are underinsured
However, despite recognising the value of information assets and the potentially catastrophic impact of a loss to those assets, there remains a considerable lack of insurance protection for information assets, where only 14% of the loss is covered by insurance, compared to 57% coverage for physical assets.
Even as 62% percent of respondents believe their company’s exposure to cyber risk will increase in the next 24 months and 86% percent of respondents believe cyber liability is one of the top 10 business risks for their company, only 18% of respondents say their company has cyber insurance coverage. In addition, four in ten (41%) of those companies surveyed had experienced a material or significantly disruptive security exploit or data breach one or more times during the past two years, with an average economic impact of $3.3 million.
The report said that given the sharp and very recent rise in awareness and valuation of cyber risk, it can be expected that companies will now look more closely at insurance solutions to transfer that risk, with 39% planning to purchase in the next 24 months. It is likely that take-up was behind risk awareness given the long gestation process associated with investing in a new insurance programme. This commonly involves risk education and awareness, dialogue between risk, legal and IT functions (among others), senior management budgeting and approvals before a placement can begin.
Risk recognition needs to be matched by protection
Comparing APAC 2017 with the global results for 2017, there are some surprisingly close parallels, particularly in the estimation of probable maximum loss, impact of business interruption, likelihood of loss, and coverage of assets by insurance, suggesting that APAC is closely aligned to the global trend towards a higher valuation of information assets and an estimation of the damage that can be done when they are compromised.
Encouragingly, fewer businesses in APAC are refusing to formally assess their exposure to cyber risk, down to 50% from 58% in 2017, and closing the gap on the global figure at 46%.
“Overall, these figures suggest that the gulf between cyber risk assessment in APAC and the global standard has been overstated. APAC companies recognise the value and the vulnerability of their information assets, in line with their global counterparts,” said the report.
“With this awareness, comes a need for companies in APAC and globally, to protect themselves from the financial impact of damage to those assets, in the same way they do for tangible assets.”
Most of the respondents were in finance, treasury and accounting (29% of respondents) or risk management (26% of respondents). Other respondents were in corporate compliance/audit (13% of respondents) and general management (13% of respondents). The Ponemon Institute is based in Michigan, USA and conducts independent research on privacy, data protection and information security policy.