Tech firms rush for cyber cover in GDPR regime
Crisis communication, non-breach related fines top management concerns
The European Union’s (EU) General Data Protection Regulation (GDPR) has raised the complexity levels of businesses operating there. And, for the same reason, brought more business for insurance companies here as information technology (IT) and data-centric entities turn to them for cover.
Contractual obligations to clients remain the prime reason for GDPR-ready policy covers. “Companies are trying to understand what changes for them when they process data for an EU based company or as they process data for a global company using EU citizen data, how it affects their liability. Also, data breaches are a serious threat to reputation, as well as their customers. It is for these major concerns that these firms are seeking insurance,” said Anup Dhingra, senior vice-president at Marsh India, a leading insurance broking and risk management entity.
IT and IT-enabled services (ITeS) firms, he said, had been early adopters of cyber insurance, to meet contractual obligations and to cover their exposure around cyber liability. Next was the BFSI (banking, financial services and insurance) sector — all major private and public sector banks, insurance companies, financial technology firms and others.
“We have also noted demand for cyber insurance from manufacturing firms to prevent cyber-induced business intelligence losses and regulatory actions,” said Dhingra.
While businesses with an EU footprint are certainly seeking cover, analysts feel the lack of strong regulation in India, pending the outcome of the Srikrishna committee report on the subject, has not encouraged other businesses to look for cover yet. Some feel it might take a major data breach for Indian businesses to realise the need.
“Indian companies’ response to availing of cyber insurance is still tepid. However, we have recently seen that the IT-ITeS sector is relatively more receptive, with GDPR a factor as compliance failures could result in penalties. Indian regulations do not mandate a cyber insurance policy but purchasing
one can mitigate future risks,” says Mukul Shrivastava, partner at consultants EY India.
Companies are seeking cover for security incidents such as data breach, subcontracted or vendor work for clients, public/private clouds, infrastructure services and data carrier services from telecommunication majors to software and IT services. Also for ransom and events beyond data breach like external audits, risk mitigation and the penalty for non-compliance.
Among the country’s top IT companies, the senior management is particularly concerned about fines on discovery of unintentional security lapses, as well as those by staffers. Apart from largescale crisis communication in the face of loss of trust from the customer base.
Over the past 24 months since GDPR was announced, there has been a minimum of two to threefold increase in the insured limits subscribed by many large Indian IT and telecom majors, said Marsh India. Smaller companies and start-ups are also likely to go for a combination of various available insurance options, to optimise their spending on this.
Among the more notable incidents, a British compliance agency last year had fined a telecommunications major, TalkTalk, for leak of customer data which was being handled by IT major Wipro.
“Since the GDPR regulation was announced, we have seen at least a 15 per cent rise in companies looking for coverage with respect to cyber security. The regulation is on top of our clients’ mind during the discussions regarding renewal of policies due to their contractual obligation with EU clients,” said Sasikumar Adidamu, chief technical officer at Bajaj Allianz General Insurance.