Urgent need for incentives to support information security investment by small and micro enterprises
The number of corporate cyber insurance policies has surged because cyberattacks targeting core infrastructure and companies in sectors such as telecommunications, platforms, and finance have increased, leading not only to more cases of personal data breaches but also to more cases of financial damage.
According to data titled "Status of the Cyber Insurance Market" obtained by The Asia Business Daily on the 26th from the office of Assemblywoman Lee Haemin of the National Innovation Party, a member of the National Assembly's Science, ICT, Broadcasting and Communications Committee, the number of cyber insurance payouts by 13 non-life insurance companies in Korea was only 341 cases in 2020, but grew by 74% to 592 cases last year. During the same period, as hacking incidents continued, total insurance payouts also jumped 68%, from 2,043.72 million won to 3,425.8 million won.
Corporate security responsibility strengthened, driving surge in insurance subscriptions
In particular, as major companies suffered a series of large-scale personal data breaches last year and were hit with massive fines, awareness in the industry has heightened. In the case of SK Telecom, which suffered a personal data breach affecting as many as 27 million customers in April last year, the company was fined 134,791 million won and penalized an additional 9.6 million won by the Personal Information Protection Commission. This is the largest fine ever imposed by the Commission on a domestic company.
The strengthening of corporate security responsibility following the passage of the amended Personal Information Protection Act is also serving as a major driver of cyber insurance subscriptions. The amendment introduced a new provision allowing fines of up to 10% of total sales if a large-scale personal data breach occurs due to intent or gross negligence. As corporate liability has increased, the need for risk management is seen as having come to the fore.
Hong Gwanhee, Head of the Information Security Center at LG Uplus, said, "As hacking damage and personal data breach incidents occur frequently, service interruptions, loss of trust, recovery costs, and legal liabilities for the affected companies are all increasing," adding, "Cyberattacks are not merely technical issues; they cause tangible financial losses and operational shutdowns, which has heightened the need for risk management and, accordingly, led to an upward trend in corporate cyber insurance subscriptions."
Experts: "Cyber insurance alone is not enough for corporate security"
Experts point out that although the cyber insurance market is expanding, the institutional foundation remains insufficient. Park Chunsik, a professor in the Department of Cybersecurity at Ajou University, said, "Because cyber insurance subscriptions are not mandatory, they are left to the discretion of companies," emphasizing, "The government needs to encourage companies to take out insurance by providing incentives such as tax benefits." He went on to say, "There are limits to applying the basic non-life insurance model, because it is difficult to determine whether an incident occurred, to assess the scale of damage, and to identify the hacking entity," and stressed, "The cyber insurance system needs to be designed more elaborately, for example by differentiating premiums according to a company's level of security investment."
Yeom Heungryul, a professor in the Department of Information Security at Soonchunhyang University, also said, "We need to refine the loss data and risk assessment criteria used to calculate cyber insurance premiums," adding, "It is important to transfer related costs to insurance when cyber security damage occurs, but this must be accompanied by a structure in which security services are used in parallel to mitigate risks in advance."
Another limitation is that, under the Personal Information Protection Act, companies with sales of 1 billion won or more that manage the personal information of 10,000 or more individuals are required to purchase liability insurance, but the minimum required coverage amount remains at only between 50 million won and 1 billion won depending on company size. Critics argue that even for companies with large sales, the legally enforceable maximum coverage of just 1 billion won does not provide substantial help with compensation.
The rapid development of generative artificial intelligence (AI) is making cyber threats more sophisticated, and interest is growing in insurance products that cover the risks of generative AI. However, the fact that such products are still at an early stage in Korea is seen as another area in need of improvement. A representative of Hyundai Marine & Fire Insurance said, "In the cyber insurance domain, new risks are emerging and new products are appearing," adding, "Paradoxically, the more incidents occur, the more statistical data accumulates and the more products can be developed. To provide detailed coverage for new types of hacking that use AI, it is essential first to accumulate statistics and research."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
