Introduction

Recent ransomware attacks across the globe, including in China, have once again brought to the fore the all-encompassing enterprise risk management challenge that cyber-risks present to corporations. The raft of operational consequences of such an attack – including directors' and officers' liability for errors and omissions, reputational and market valuation knock-on effects and regulatory compliance issues(1) – present an ever-burgeoning opportunity for insurers to expand further into this potentially lucrative new line of business.

Cyber-insurance market

The ability of insurers to address market incumbents' fears with sufficient clarity and certainty in respect of coverage will be tantamount to the successful expansion of the cyber-insurance market. China in particular seems to present an obvious but largely untapped cyber-insurance market, which is relatively new compared with that of other major jurisdictions and the wider Asian economy in general. For now, market participants are confined mainly to international insurers providing coverage to larger businesses operating in the region. This is partly because cyber-related losses are harder to quantify in light of an absence of publicly available data and the increasing proliferation of attacks. Therefore, such losses are more suited to experienced underwriters that have the ability to withstand a sequence of high-loss events.(2) In addition, potential losses – beyond repairing systems and reputational and brand damage – and the claims of multiple stakeholders are harder to quantify and require proper controls to avoid over-exposure.(3) In China, AIG recently led the way with an 87% jump in cyber-insurance policy enquiries for China (including Hong Kong) in May 2017 compared with April.(4) This followed in the wake of the self-replicating WannaCry ransomware attack, which affected over 200,000 computers globally. Despite the apparent falsity of such attacks, they can:

  • cause significant damage to major integrated data and operating systems;
  • cause personal and sensitive information to be lost or leaked; and
  • in some cases, affect sensitive industries, such as airports and hospitals.

Cyber-attacks have the potential for widespread systematic disruption and, as such, present liability risks that may be inadequately covered by existing property and casualty terms with respect to, for example, directors' and officers', professional liability and business interruption insurance. This is especially so where such terms are silent or untested in their application to cybersecurity.(5)

Comment

The widespread damage that may stem from these events makes cyber-insurance particularly pertinent in China. Following an unprecedented infrastructure boom, the country is shifting towards increasing digitisation and automation in various high-tech industries for which data and system integrity are paramount, and security and stability are of national importance. This has been accompanied by a rise in cybercrime-related losses to an estimated $60 billion a year,(6) second only to the United States. To this end, in July 2015 the Chinese regulators began introducing a series of laws and draft laws on internet controls and state access to private data, including the regulation of data management in the insurance sector. The new Cybersecurity Law, which took effect in June 1 2017, was an important step in aligning cybersecurity norms and practices with global standards, particularly since – compared with the United States and Europe – cybersecurity and data management were less comprehensive overall.(7) At present, no government-led policies relating to cyber-insurance exist. However, given that a higher proportion of small and medium-sized enterprises in China are leading the way in various high-tech endeavours and may not consider cyber-insurance a priority in light of their restricted budgets, it may be regulation that finally brings impetus to the market.

This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.

For further information on this topic please contact Sharif Hendry at AnJie Law Firm by telephone (+86 10 8567 5988) or email (sharifhendry@anjielaw.com). The AnJie Law Firm website can be accessed at www.anjielaw.com.

Endnotes

(1) Further information is available here.

(2) Further information is available here.

(3) Ibid.

(4) Further information is available here.

(5) Further information is available here.

(6) Further information is available here.

(7) Further information is available here.