RE&H sectors in HK complacent about cybersecurity

Companies from Hong Kong’s real estate and hospitality (RE&H) sectors suffer from a widening perception-reality gap, according to a recent report issued today by insurance broker Marsh.

Entitled “Cyber Risk in Asia: Ramifications for Real Estate and Hospitality”, the 20-page report said 50% of Marsh’s RE&H clients in Hong Kong, who have responded to a cyber survey, have not implemented any cyber loss mitigation techniques – such as establishing a crisis management team or retaining forensic specialists over the past 12 months. This suggests that about 50% of them are not as risk-ready as they should be.

This despite the majority of companies from both sectors having ranked cyber threat in their top five corporate risk concerns. In fact, Marsh Hong Kong Cyber Survey found that six out of 10 RE&H respondents do not have and do not plan to develop a cyber incident response plan, even when one in five said they had experience a cyberattack in the past 12 months.

“Majority of respondents not only in Hong Kong but in Asia does not have a cyber incident response plan primarily because they have faith in their security measures. They believe they have the adequate security measures to fend off cyberattacks,” Lei Yue, managing director, Marsh Hong Kong and Macau, told Computerworld Hong Kong.

She added: “Also most of them have cited that lack of expertise as one of key reasons why they do not have IR plans. Many of them also assume that cyber incidents are covered in other crisis plans – hence unnecessary to be singled out as a stand-alone plan.”

Furthermore, Marsh’s cyber survey showed that RE&H respondents has identified emerging technologies such as cloud, mobile applications and POS devices as key entry points in the broadening attack surface of their organization. Despite the huge jump in risk, however, 85% of Hong Kong respondents revealed spending less than 10% of their annual budget on cybersecurity.

Asked what would drive locally based RE&H companies to take a more proactive stance on cybersecurity, Yu replied: “What is observed in other countries is that cyber risk awareness is relatively higher in countries with some form of government legislative intervention such as in Singapore, Malaysia, Australia, France and the US – whether these be cybersecurity laws or mandatory data breach disclosures.”

“Another external driver that can spur companies to action is a large-scale global cyberattack similar to WannaCry and NotPetya, which raised the level of cybersecurity awareness up during that period. What usually follows will be a push top-down from the board/C-suite level, as this allows cyber to be embedded in the enterprise-wide risk management framework, with the relevant and adequate budget allocated to push for cybersecurity defense,” Yu said.

Meanwhile, the Cyber Risk in Asia report found that only 33% of RE&H companies in Asia has purchased a cyber insurance policy as many have assume that cyber is already included in another existing policy.

“Clients are mistaken if they think that they have full cyber coverage in their existing policies. There may be some elements of cyber protection in their existing policies. But it will not be the equivalent of a stand-alone cyber policy. We think once companies appreciate both the coverage and associated crisis management services that you get from a cyber policy, the take up rate in Asia will rise significantly,” Yu said.