The Chinese cyber insurance market is getting ready for take-off, primed by a combination of increasing awareness of cyber risk among businesses and the introduction of new laws that place statutory obligations on all kinds of network operators.
The Cybersecurity Law of the People's Republic of China, the basic legal framework that is aimed at protecting consumers, took effect as of 1 June 2017. The new law has clear provisions concerning cyberspace sovereignty in China and firm rules around the cross-border transmission of data related to Critical Information Infrastructure (CII).
Perhaps most importantly for Chinese corporate risk managers, and specialists in cyber insurance, the new law also addresses the increasingly fraught issue of personal data security.
Article 42 of the new Cybersecurity Law stipulates as follows:
- “Network operators shall adopt technical measures and the other necessary measures to ensure the security of the personal information that they have collected and prevent the information from being leaked, damaged, or lost;
- Under circumstances in which the leakage, damage, or loss of personal information has occurred or might occur, they shall immediately adopt remedial measures and notify users in a timely manner in accordance with the provisions and report to the relevant department in charge.”
The clear statutory requirements to notify users of a data breach and to take remedial measures echo the rules introduced in the U.S. that were a catalyst for the cyber insurance market there. A similar legal framework, the General Data Protection Regulation (GDPR), will soon be applied in Europe and is widely expected to spark broad demand from businesses across the EU for standalone cyber insurance cover.
It follows that China’s new rules should lay down a solid legal foundation for the development of cybersecurity insurance in China.
A recent cybersecurity research report issued by Allianz gives a sense of the potential scale of cyber exposures in China.[1] It reckons that the economic cost of cyber attacks in China has already reached $60.0 billion annually. That figure places China second only to the U.S. ($108 billion) in the world ranking and first in Asia.
A market for cyber insurance does already exist in China, led by foreign insurers active in the commercial insurance sector. Available coverage addresses three main risks: business interruption losses caused by hacker attacks; the cost of data breach authentication services and data recovery; third-party liabilities arising out of data breach and also crisis management costs.
However, the continued development of cyber insurance in China is being held up by three issues. First, the legal and regulatory support system is not sophisticated enough, despite the passing of the Cybersecurity Law. The detailed implementing rules and the related laws and regulations have still not been perfected.
In addition, effective historical cyber loss data is insufficient, which makes it difficult for insurers to properly price and underwrite their cyber risk products. Lastly, insurers in China are not sufficiently well-versed in cybersecurity risk control/management techniques.
Of course, these shortcomings will disappear as the market evolves and becomes more sophisticated in terms of available cyber expertise. But in the meantime, insurers should control their exposure carefully, while paying close attention to cyber risk accumulation: they should “cross the river by feeling the stones,” as the old saying goes.
If you are interested in learning more about the Cybersecurity Law and its implications for insurers that plan to develop cyber insurance in China, watch out for my article on this topic.
Endnote
1. http://www.agcs.allianz.com/insights/white-papers-and-case-studies/cyber-risk-guide/