Evolving Cyber Regulations in Asia Pacific

    Recently, there has been an increased focus on cyber regulation, especially in the Asia Pacific region. Across many markets in the region, the main emphasis is on increasing the cyber resilience of businesses, improving consumer data protection and introducing mandatory breach notification. As regulation increases, fines and penalties arising from cyber incidents and/or non-compliance are expected to increase as well, leading to higher potential losses for companies that suffer cyber-attacks.
    As a result of these regulatory developments and the increased exposure, we expect a likely uptake in demand for cyber insurance offering a comprehensive solution, typically encompassing data breach cover, indemnification for regulatory fines and penalties where insurable, and business interruption cover. Here, we summarise the changing regulations in Asia Pacific and their implications for insurers and for companies looking to measure and manage cyber risk.

    India

    Key Current Regulations and on the Horizon

    The Personal Data Protection Bill 2019 (a revision of the 2018 Bill, which proposed increased data protection requirements) is currently under review by the national parliament. Modelled on the GDPR, the new legislation is anticipated to create guidelines on how personal data should be managed, including individuals' rights over their own personal information. The Bill also provides for the creation of an independent Data Protection Authority of India.

    Some key changes we have seen in the 2019 revision of the Bill compared to the 2018 proposal are:

    • Reduced criminal penalties for certain actions,
    • Reduced scope of data localisation/transfer requirements, and
    • Anonymised data is addressed within the Bill, which allows government entities to request access to such data where required.

    Overall, we expect the net impact of the enhanced Bill, once implemented, to include (amongst others):

    • A requirement for consent at the time of collection of data, and the right of consumers to withdraw that consent,
    • Fines for violation of the law, once implemented, of up to 4% of the violating business's global turnover or INR 150 million, whichever is higher, and
    • Tightening of the overall data protection requirements with which businesses must comply.

    This law is anticipated to apply to the large majority of businesses operating within India, with some exceptions to be finalised when the law is passed.

    What it Means to Cyber Insurance Markets

    Increased regulatory oversight of data protection and privacy will warrant increased attention and effort to improve general privacy compliance and cybersecurity.

    This should translate into increased risk awareness and demand for solutions such as cyber insurance.

    Japan

    Key Current Regulations and on the Horizon

    A new draft law has been introduced as a revision of the Act on the Protection of Personal Information (APPI). It introduces mandatory breach notification in the event of a data breach. The draft law also looks likely to impose compliance requirements when collecting personal information, e.g. a requirement for consent. The amendments propose raising the maximum fine to JPY 100 million where a legal entity fails to comply with an order of the commission.

    Amendments to the Payment Services Act (PSA) and the Financial Instruments and Exchange Act (FIEA) that revise the regulatory framework for cryptocurrency in Japan went into effect on May 1, 2020. The amendments strike a fine balance: they promise even stronger protection for Japanese crypto-asset owners, but also give exchanges a very clear playbook, including guidance on baseline cyber security management requirements.

    What it Means to Cyber Insurance Markets

    With the introduction of mandatory notification, there will be an increase in the cost of loss (e.g. costs to notify, including legal costs to draft notices) for businesses that suffer a data breach, particularly in industries where a high volume of Personally Identifiable Information is processed or stored (e.g. healthcare, retail, data processing). This in turn increases the awareness of affected consumers and thereafter the potential for liability claims emanating from a data breach.

    The new compliance requirements also increase regulatory exposure. Fines and penalties are non-insurable in Japan; however, this law may increase the exposure with respect to first party investigation and reporting costs towards the regulator, which are insurable.

    The increase in risk outlined above should further motivate businesses to consider their preparedness for a breach event and the potential costs involved, and thereafter increase demand for cyber insurance.

    South Korea

    Key Current Regulations and on the Horizon

    As of January 1, 2020, the grace period for compliance with the Network Act, including compulsory cyber insurance for applicable companies, expired. In general, companies handling personal data are subject to the Network Act, and the required insurance coverage is for third party data leakage.

    In January 2020, the Personal Information Protection Act was amended to clarify the concept of personal data (including differentiating between personal, pseudonymised and anonymised data) and the permissible scope of handling/processing such data. A clearer framework allows companies to better consider how they manage data, and potentially to invest in risk management processes/frameworks in accordance with their requirements.

    What it Means to Cyber Insurance Markets

    Demand for cyber insurance was expected to increase. However, as the regulations are still in the early stages of implementation and awareness levels in the market are relatively low, uptake has not yet met the expectations of the insurance industry.

    Data protection supervisory responsibility was recently consolidated under the Personal Information Protection Commission (“PIPC”), a central agency under the Prime Minister's Office. PIPC will now be part of the Central Data Privacy Regulatory Authority. With this change, we expect more active enforcement action by PIPC relating to data privacy, as it will be more in the focus of the government and empowered with more authority.

    South East Asia

    Key Current Regulations and on the Horizon

    Singapore: Enforcement by the Personal Data Protection Commission (PDPC) to prevent the unauthorised disclosure of personal data. A bill to amend the data protection legislation in 2020 (to be confirmed) proposes:

    • A minimum fine of SGD 1 million or 10% of turnover
    • Notification of the PDPC within 3 days, and of the individuals affected
    • A requirement for the organisation to conduct an assessment of a suspected data breach

    Thailand: The grace period for the new Personal Data Protection Act (PDPA) and the Cybersecurity Act was due to end at the end of May 2020. Due to COVID-19, the government postponed enforcement by up to one year. Similar to the GDPR, there is a 72-hour notification period, as well as comparable fines and penalties.

    What it Means to Cyber Insurance Markets

    With the introduction of mandatory (time-limited) notification, there will be an increase in the cost of loss for businesses that suffer a data breach.

    Financial penalties for breaches are increased and defined (Singapore and Thailand).

    Increased regulatory oversight of data protection and privacy (Singapore and Thailand) will warrant increased attention and effort to improve general privacy compliance and cybersecurity.

    Greater China

    Key Current Regulations and on the Horizon

    A new security law introduces national-level cybersecurity standards (the Multi-Level Protection Scheme, “MLPS 2.0”). This is an update of the original MLPS 1.0, which was previously focused on critical infrastructure only, and now encompasses all companies which operate a network (broadly defined to cover all connected computers processing or sending data).

    • The scheme outlines 5 main levels of minimum security requirements, based on the sensitivity of the industry and the type of information the enterprise deals with. Each level warrants different assessment requirements, with Level 1 requiring only a self-assessment and the levels above requiring a third party assessor.
    • Fines may be as high as RMB 1 million in cases where important data is breached.
    • The scheme applies to all companies operating within Mainland China.

    What it Means to Cyber Insurance Markets

    Whilst fines and penalties are not insurable in China, this law may increase the exposure with respect to first party investigation and reporting costs towards the regulator, which are insurable.

    Increased regulatory oversight of minimum security requirements will warrant increased attention and effort by businesses to improve general cyber security resilience.

    This should translate into increased risk awareness and demand for solutions such as cyber insurance.

    Australia

    Key Current Regulations and on the Horizon

    Draft amendments to the Australian Privacy Act may be introduced to parliament in 2020. The proposed changes include:

    • Increased financial penalties for breaches of the Privacy Act
    • Expanding the definition of personal information to capture technical details and online identifiers (for example IP addresses, device identifiers, location data)
    • Changes to consent notification – requiring notices to be in plain English, concise, transparent and easily accessible
    • Allowing individuals the direct right to bring actions and class actions against entities that are subject to the Australian Privacy Principles (APPs) due to interference with their privacy 
    • A new Privacy Code of Practice for digital platforms (in particular social media), with a focus on vulnerable groups such as children 

    The government has also indicated that it will conduct a comprehensive review of the Privacy Act in 2021, and consider a right to erasure of information by consumers.

    What it Means to Cyber Insurance Markets

    Strengthening of the existing privacy framework and of the powers of the Office of the Australian Information Commissioner (OAIC) will exert additional pressure on businesses to ensure that their resilience to cyber incidents, and their ability to detect, respond and recover, are commensurate with the threats.

    The increased downside risk from regulatory scrutiny and higher penalties may motivate businesses to review their existing budgets for IT security, level of cyber protection and even insurance spend. 

    For existing cyber portfolios, these more onerous privacy laws may lead to inflated first party loss costs, and lower the threshold for third party liability actions.

    New Zealand

    Key Current Regulations and on the Horizon

    The New Zealand Privacy Act 2020 is due to come into effect on 1 December 2020. Key changes will include:

    • Mandatory notification of data breaches that pose a risk of “serious harm” to individuals
    • Increased powers for the Privacy Commissioner, including non-compliance penalties and forcing businesses to provide access for individuals to their own data
    • Requirement for NZ businesses to ensure that overseas entities with which they share data operate within similar levels of privacy protection
    • Criminal offences for failing to report privacy breaches or for obstructing the Privacy Commissioner
    • The new Act applies to businesses that operate in NZ, even if they do not have a physical presence there

    What it Means to Cyber Insurance Markets

    Although the maximum fines in NZ for breach of privacy remain low in comparison to other jurisdictions (NZD 10,000), the introduction of mandatory reporting should motivate businesses to consider their preparedness for a breach event and the potential costs involved. Supported by insurance brokers familiar with cyber products and exposures, we may see increased enquiries for coverage as businesses look to transfer the increasing first party costs of notification and to tap into insurers' well-established service provider networks.

    For existing cyber portfolios, mandatory notification may increase both the frequency and severity of first party losses, particularly for those industries collecting and processing substantial Personally Identifiable Information (PII), e.g. retail, hospitality, healthcare, financial institutions etc.  

    Cyber solutions at Munich Re

    Cyber is a strategic growth area at Munich Re. As a leading global reinsurer, we work closely with our cedants to combine risk transfer with a comprehensive service offering across the entire value chain, from sales and underwriting training and automated quote-to-bind systems to post-incident services. Depending on the target segment, market specifics and capabilities of the cedant, we tailor our service offering to ensure our cedants have access to the most market- and client-appropriate service model. Our services do not stop at supporting our clients to go to market; we continuously work on making hidden cyber risks in existing policies (silent cyber) transparent, and on adequately assessing the risks on both an individual and a portfolio basis.

    Our objective, in partnership with our clients, is to make cyber risks insurable and, more importantly, to build a sustainable cyber market which considers realistic accumulation scenarios and maintains underwriting excellence. Our award-winning expertise supporting this objective is founded on 120 colleagues working in cyber worldwide, further bolstered by the expertise of our partner network around incident response.

    Ultimately, our goal as Munich Re is to ensure that we support our cedants in finding the right answer to this dynamic and ever-changing risk, and in implementing it in a sustainable manner, whether on corporate or personal lines cyber, and regardless of the additional solutions we provide.

    Disclaimer

    This article contains forward-looking statements that are based on current assumptions and forecasts of Munich Re's experts. Known and unknown risks, uncertainties and other factors could lead to material differences between the forward-looking statements given here and the actual market developments in Asia Pacific. The company assumes no liability to update these forward-looking statements or to make them conform to future events or developments.

    Munich Re Experts
    Harprit Singh Narang, Cyber Risk Specialist Asia
    Paul Merriman, Cyber Underwriter
    Andreas Schmitt, Head of Cyber Asia
