As cyberattacks increase in frequency and severity, cyber issues are increasingly becoming more of a concern for companies that once felt they had relatively little exposure.
The latest reports about the threats of the malicious ransomware known as NotPetya that crippled some computer facilities in several Western countries has driven home those concerns.
Cyberinsurance was made available in the Thai insurance market in 2012, driven by the demand of corporate clients.
FPG Insurance Thailand is one of the companies that have introduced cybersecurity insurance policies in Thailand, designed to protect businesses from a wide range of first-party and third-party liabilities from cyberexposure.
"Cyberinsurance has been available in the market over the past five, six years at the request of corporate clients," said Suda Sintrakarnpol, senior underwriting manager for financial lines at FPG Insurance. "FPG got approval from the Office of Insurance Commission (OIC) to offer cyberinsurance policies to customers in Thai Market since 2012."
According to Ms Suda, interest in cyberinsurance has surged significantly this year, as seen from mounting inquiries from potential customers and questions about expenses in cyberinsurance policies.
Ms Suda said cyberinsurance policy is unique in that it offers protection for two parties: the insured (first party) and others who suffer from losses caused by cyberattacks (third party).
"Today, people have a better understanding about cyberattacks, but what we would like potential clients to be informed about is that cyberinsurance policies are among risk-management tools, helping alleviate a certain level of loss, but not all losses."
Tokyo Marine Insurance Thailand chief information officer Seree Gavinratchatarot said cyberrisks can come in different forms, such as ransomware, malware and virus, brute force attacks, phishing, and DDoS (distributed denial of services), but Thais have relatively low awareness, and the market size for cyberinsurance is very small.
He said the risk groups for possible cyberattacks comprise not only financial institutions but also companies or organisations that hold a big databases, such as hotels, hospitals and retailers.
OIC secretary-general Suthipol Taweechaikarn said the cyberattack risk for companies is escalating and large firms are increasingly installing protection systems and taking out cyberinsurance policies to cover unexpected risks. It is unfortunate very few small and mid-sized companies are doing the same, he said.
"Cyberinsurance policies have been available in the market for some time, yet they are unpopular, as potential clients are waiting and evaluating the severity of the losses from cyberattacks," he said. "But we still believe domestic cyberinsurance products will gain more popularity in the future, in line with the ongoing trends in the United States, Europe and Japan."
According to Mr Suthipol, the OIC itself is designing an affordable cyberinsurance policy to encourage small businesses to buy protection against cyberattacks.
The OIC has set the ceiling for cyberinsurance premiums at 0.1-5% of liability limits, revenue per year or size of assets.
The Stock Exchange of Thailand's information technology division head Thirapun Sanpakit said the SET may include cyberinsurance as a part of risk management in the foreseeable future.
Nonetheless, SET trading operates on a closed system that is run without internet connectivity and does not collect data from individual or retail investors in the system.
"SET spending is concentrated on creating IT systems that ensure high security and building up firewalls to prevent any possible attacks. The SET has also run penetration tests by hiring ethical hackers to try cracking the system every year on a continuous basis over the past 10 years," he said.
"However, the SET may consider adopting cyberinsurance protection if open-system technologies such as blockchain and bitcoin, for which data and asset information is collected on the internet, become popular."
Skimming and phishing scams
In 2016, the Bank of Thailand's Financial Consumer Protection Centre received 16 complaints concerning card counterfeiting, down 53% from 34 found in 2015.
However, 513 complaints concerning frauds via telephone were filed, up 115% from 238 cases reported 2015. The centre also received 133 cases concerning fraud via e-mail and social media in 2016, up 5.5% from 126 reported in 2015.
The complaints indicate that card-skimming codes and phishing remain threats to consumers, though banks have put effort into educating people on how to protect themselves from cybercrimes and buy advanced technology to counter such fraud.
Skimming uses hidden technologies to steal personal information stored in the magnetic strip of ATM cards and ATM pin numbers to access cash in bank accounts.
Banks are phasing out cards with magnetic strips and switching to chip-embedded technology by 2020 following efforts by the Bank of Thailand and Thai Bankers' Association to improve security.
However, the central bank allows banks to issue both magnets and chips in a single card so cardholders can also use ATM cards in countries where chip-embedded cards are not available. These hybrid cards are not absolutely free of skimming fraud risk.
Apart from card-skimming, phishing is another key financial cyberfraud hurting individual consumers. Phishing uses fraudulent SMS messages and emails or fake websites to steal personal data, passwords, credit card numbers and other credentials.
Text messages and emails are prime vectors for Trojan horses and spyware -- programmes that display a message asking recipients to download an application to their computer or mobile phone. Once installed, spyware can steal information and make fraudulent transactions. Normally, banks do not ask customers to download any applications or software. If such an application is received, customers are advised to avoid downloading and immediately contact the bank.