Cy­ber In­sur­ance

Cy­ber in­sur­ance in In­dia is at a nascent stage and there is an ef­fort re­quired to cre­ate an aware­ness about its crit­i­cal role in coun­ter­ing cy­ber­at­tacks:

Banking Frontiers - - Contents - mo­[email protected]­ingfron­tiers.com

Are­port pre­pared by US-based Al­lied Mar­ket Re­search put the cy­ber se­cu­rity mar­ket size at $104.60 bil­lion in 2017 and pro­jected to grow to $258.99 bil­lion by 2025, a CAGR of 11.9% from 2018 to 2025. As cy­ber threats be­come uni­ver­sal, find­ing se­cu­rity so­lu­tions too have be­come crit­i­cal. Along­side, cor­po­rates have be­come aware of the rel­e­vance of cy­ber in­sur­ance as the threats change faster and so­lu­tions

some­times be­come in­ad­e­quate. To­day, pro­tect­ing the com­put­ing en­vi­ron­ment is al­most ob­so­lete and se­cu­rity experts are look­ing at hav­ing a strong cy­ber se­cu­rity gov­er­nance in place marked by co­or­di­nated ef­forts to make the en­tire in­for­ma­tion ecosys­tem pen­e­tra­tion-proof and hav­ing strong cy­ber in­sur­ance cover. In fact, cy­ber in­sur­ance sits atop all other se­cu­rity mea­sures, which are prone to fail at some time or other, and there are ex­penses to­wards re­triev­ing the sys­tem and meet­ing dam­ages on ac­count of lit­i­ga­tion ini­ti­ated by af­fected cus­tomers. Cy­ber in­sur­ance, es­pe­cially for banks and fi­nan­cial ser­vices in­sti­tu­tions, is ex­pected to cover the main con­cerns and pro­tect and busi­ness loss in case of a cy­ber at­tack. Ideally it cov­ers first-party and third­party li­a­bil­ity.

Anurag Ras­togi, mem­ber of ex­ec­u­tive man­age­ment, HDFC ERGO Gen­eral

In­sur­ance, points out that the pen­e­tra­tion of in­ter­net is grow­ing at a rapid rate in In­dia with smart de­vices be­ing an in­te­gral part of our lives. “Ow­ing to this and the in­crease in cy­ber­crimes and frauds, there is a de­mand for cy­ber in­sur­ance among cor­po­rates as well as in­di­vid­u­als in In­dia and cy­ber in­sur­ance, there­fore, is con­stantly evolv­ing to cover the grow­ing cy­ber risks across the globe,” says he.

How­ever, he ad­mits while there is a rise in de­mand for cy­ber in­sur­ance, the adop­tion is still lim­ited.

TOP BUSI­NESS RISK

We can­not over­look the in­her­ent need for cy­ber in­sur­ance given the se­ri­ous threat cy­ber­crimes pose to Indian cor­po­ra­tions as well as in­di­vid­u­als. Sasiku­mar Adi­damu, CTO, Ba­jaj Al­lianz Gen­eral In­sur­ance, cites the re­sults of Al­lianz Risk Barom­e­ter 2019 sur­vey and says cy­ber in­ci­dents have been con­sid­ered as the top busi­ness risk in In­dia for 2019 with com­pa­nies in­creas­ingly con­cerned in the wake of mega data breaches, pri­vacy scan­dals and ma­jor IT out­ages.

“A cou­ple of years ago cy­ber at­tacks were ele­men­tary, but with the in­creased in­ter­con­nec­tiv­ity and fre­quency of on­line trans­ac­tions and eCom­merce, there has been a sub­stan­tial rise in the sever­ity and fre­quency of cy­ber­at­tacks. At Ba­jaj Al­lianz Gen­eral In­sur­ance, we would ear­lier re­ceive re­quests for cy­ber in­sur­ance from large cor­po­rates and MNCs, es­pe­cially com­pa­nies in­volved in IT re­lated ser­vices, but re­cently we are wit­ness­ing an in­crease in in­quiries from SMEs, star­tups and smaller busi­nesses across sec­tors. Cy­ber in­sur­ance for in­di­vid­u­als is, how­ever, at a nascent stage in our coun­try due to very lit­tle aware­ness about this cover. We only see the de­mand for this cover in­creas­ing as our cy­ber/vir­tual lives be­come as elab­o­rate, com­plex and im­por­tant as our real lives,” he adds.

Ac­cord­ing to Jayant Saran, part­ner, Deloitte In­dia, while the adop­tion of and de­mand for cy­ber in­sur­ance has in­creased tremen­dously over the past 18 months, it has not kept pace with or­ga­ni­za­tions and their exposure to in­ci­dents in­volv­ing breach or vul­ner­a­bil­i­ties in cy­ber­se­cu­rity. This exposure has been much higher, says he. He also men­tions that or­ga­ni­za­tions pri­mar­ily from the BFSI sec­tor have been early adopters/the first to adopt cy­ber in­sur­ance, to se­cure them­selves.

DATA BREACH

Saran says the pri­mary type of threat cov­ered in cy­ber in­sur­ance is data breach. Data breach can oc­cur due to a num­ber of risks such as in­sider threats and poor se­cu­rity con­trols. An­other fre­quent type of at­tack is busi­ness email com­pro­mise, trig­gered by phish­ing email or mal­ware. Ran­somware finds it tough to re­ceive cov­er­age, although it is highly preva­lent nowa­days. This is be­cause data once com­pro­mised and held ran­som, is too com­plex to in­ves­ti­gate due to the lim­ited foot­print left by the per­pe­tra­tor and/or lim­ited or no log­ging in­for­ma­tion be­ing re­tained by the or­ga­ni­za­tion.

Cy­ber in­sur­ance has made a be­gin­ning in In­dia, but it is yet to ma­ture, feels Na Vi­jayashanka­r, pri­vacy and data pro­tec­tion con­sul­tant and chair­man, Foun­da­tion of Data Pro­tec­tion Pro­fes­sion­als in In­dia. He quotes a Data Se­cu­rity Coun­cil of In­dia (DSCI) study to say around 350 cor­po­rate poli­cies have been un­der­writ­ten in 2018 in the cor­po­rate sec­tor and re­tail po­lices have been in­tro­duced by 2 com­pa­nies but these are yet to make an im­pact though there are some 15,000 re­tail poli­cies in cir­cu­la­tion in the coun­try.

Vi­jayashanka­r also says bank­ing is one sec­tor which has adopted cy­ber in­sur­ance be­cause RBI has more or less man­dated it. The IT in­dus­try in­volved in data pro­cess­ing is now slowly show­ing in­ter­est in a lim­ited way, he adds.

TYPES OF RISKS COV­ERED

The types of threats and risk that are cov­ered in the cy­ber in­sur­ance poli­cies avail­able in In­dia in­clude iden­tity theft, unau­tho­rized trans­ac­tions, rep­u­ta­tional in­jury, cy­ber bul­ly­ing, cy­ber extortion, mal­ware in­tru­sion, le­gal ex­penses, data restora­tion costs, foren­sic costs, con­se­quen­tial loss and psy­cho­log­i­cal coun­selling.

Ar jun B ha ska ran, di­rec­torCy­ber se­cu­rity, GENLIFE-RE In­surtech, is of the view that while cy­ber in­sur­ance has a very high po­ten­tial, it is in a nascent stage, mainly be­cause re­tail cy­ber in­sur­ance is a low ticket size trans­ac­tion, and there­fore, agents will not be spend­ing time and ef­fort to pro­mote and sell it. In cor­po­rate cy­ber in­sur­ance, most of the in­sur­ance bro­kers and their em­ploy­ees are not con­ver­sant with the prod­ucts, fea­tures and nu­ances of cy­ber in­sur­ance, says he.

TPA SYS­TEM NEEDED

He strongly ad­vo­cates a sys­tem of TPAs in cy­ber in­sur­ance, which he feels will bring in bet­ter trust and con­fi­dence in the minds of re­tail, SME cus­tomers about in­de­pen­dent and fair claim set­tle­ment. Also, it will bring in (a) pro­cess­ing ca­pac­ity, (b) spe­cial­ized knowl­edge to han­dle cy­ber in­ves­ti­ga­tions, foren­sics in han­dling vol­umes of claims and (c) fraud pre­ven­tion and con­trol.

He says cy­ber in­sur­ance is rel­e­vant for 3 lay­ers of the Indian mar­ket – en­ter­prise, SME and re­tail. “The Indian SME and re­tail mar­kets can be among the largest mar­kets in the world for cy­ber in­sur­ance, be­cause In­dia is the among

the top 3 coun­tries that are vul­ner­a­ble to cy­ber­at­tacks and breaches and In­dia is among the largest and fastest grow­ing adopters of in­ter­net us­age, smart­phones, IoT, etc. The quan­tum and value of per­sonal, fi­nan­cial and health in­for­ma­tion makes In­dia one of the most vul­ner­a­ble to ex­ploita­tion by cy­ber­crim­i­nals,” he points out.

EARLY ADOPTERS

Ar­jun Bhaskaran also says while BFSI, IT/ITES and tele­com are early adopters by virtue of hav­ing mis­sion-crit­i­cal IT applicatio­ns and high levels of IT ma­tu­rity, in­dus­tries like health­care, ed­u­ca­tion, re­tail, and hos­pi­tal­ity are equally im­por­tant even though they are low on IT ma­tu­rity. “In fact, be­cause of their lower IT ma­tu­rity and lower in­ter­nal IT and Cy­ber­se­cu­rity ca­pa­bil­i­ties, they are more ea­ger to adopt cy­ber In­sur­ance,” says he.

Sasiku­mar Adi­damu of Ba­jaj Al­lianz Gen­eral In­sur­ance says the ear­li­est adopters of cy­ber in­sur­ance are the BFSI and IT/ITES sec­tors, the former due to large exposure and the lat­ter often due to con­trac­tual re­quire­ments. “This changed with time and these two sec­tors have adopted cy­ber in­sur­ance rapidly. With time, the man­u­fac­tur­ing and hos­pi­tal­ity sec­tors too are catch­ing up. We are see­ing a spike in the num­ber of en­quiries af­ter any ma­jor in­ci­dent and while num­ber of con­ver­sions are go­ing up, the ges­ta­tion pe­riod still re­mains a few months and the con­ver­sion rate is still low,” says he.

COVER AGAINST CRIMES

Ac­cord­ing to Anurag Ras­togi of HDFC ERGO Gen­eral In­sur­ance, cy­ber in­sur­ance has be­come cru­cial for all com­pa­nies, ir­re­spec­tive of their size. “Sec­tors and in­dus­tries that have ex­haus­tive data repos­i­to­ries like BFSI, eWal­let ser­vice providers, eCom­merce por­tals, tele­com, tech­nol­ogy com­pa­nies and pharma/ health­care are the ma­jor adopters of cor­po­rate cy­ber in­sur­ance. We have also seen in­quiries from man­u­fac­tur­ing, in­fra­struc­ture and other sec­tors. Hav­ing said that, BFSI re­mains the ma­jor buyer of cy­ber in­sur­ance,” says he.

He says the usual cov­ers un­der cor­po­rate cy­ber in­sur­ance in­clude cov­ers such as losses aris­ing from eTheft, eCom­mu­ni­ca­tion, eThreats, busi­ness in­ter­rup­tion and oth­ers. The poli­cies also cover third-party suits against the in­sured for dis­clo­sure, rep­u­ta­tional con­duct and con­tent re­lated li­a­bil­ity claims. Foren­sic experts’ cost, no­ti­fi­ca­tion costs in case of data breach, the cost for reg­u­la­tory re­sponse and rewards ex­penses also gets cov­ered un­der the pol­icy.

HDFC ERGO of­fers cy­ber in­sur­ance cover for both in­di­vid­u­als and cor­po­rates. Its fla­ship [email protected]­cure in­sur­ance pol­icy cov­ers an in­di­vid­ual from ma­jor cy­ber risks such as unau­tho­rized on­line trans­ac­tions made on an in­di­vid­ual’s bank ac­count/debit or credit card by a third party for pur­chases over the in­ter­net. In ad­di­tion, it cov­ers the dam­age caused to an in­di­vid­ual’s rep­u­ta­tion in case a third-party pub­lishes any harm­ful in­for­ma­tion on the in­ter­net. Fur­ther, the pol­icy pro­vides nec­es­sary le­gal pro­tec­tion against the costs of pur­su­ing and de­fend­ing le­gal ac­tions and pro­vides a spe­cial fea­ture of ex­tend­ing the cy­ber cover to the in­di­vid­ual’s fam­ily, cov­er­ing their spouse and two de­pen­dent chil­dren with no age limit.

The com­pany has been of­fer­ing cor­po­rate cy­ber in­sur­ance cover since 2012 cov­er­ing threats of cy­ber ex­po­sures as­so­ci­ated with eBusi­ness, in­ter­net, net­works and in­for­ma­tion assets. The pol­icy es­sen­tially cov­ers fi­nan­cial losses due to data theft, fraud­u­lent com­mu­ni­ca­tion, eVan­dal­ism and unau­tho­rized trans­fer of funds/prop­erty. In ad­di­tion, it cov­ers the cost of hir­ing a pro­fes­sional ne­go­tia­tor and pub­lic re­la­tions con­sul­tant, if re­quired. How­ever, it does not cover for losses in case the com­pany is found guilty of vi­o­lat­ing the laws or in the case of me­chan­i­cal fail­ure. It in­tro­duced [email protected]­cure for in­di­vid­u­als in 2018, which cov­ers loss or dam­age aris­ing di­rectly due to one’s ac­tiv­i­ties over t the in­ter­net.

Ba­jaj Al­lianz Gen­eral In­sur­ance of­fers in­sur­ance cover to safe­guard against cy­ber­crimes like cy­ber extortion and cy­ber at­tacks that can pos­si­bly affect an or­ga­ni­za­tion or in­di­vid­ual. Its Cy­ber Pro­tect, a dig­i­tal busi­ness and data pro­tec­tion in­sur­ance for com­pa­nies, typ­i­cally cov­ers pri­vacy and data breach, busi­ness in­ter­rup­tion, hacker theft, cy­ber extortion, cri­sis com­mu­ni­ca­tion and con­sul­tant ser­vices. “Any com­pany or cor­po­rate ir­re­spec­tive of its in­dus­try can opt for this pol­icy. Cov­er­age in­clu­sions un­der cy­ber in­sur­ance for cor­po­rates may vary with each in­dus­try, says Sasiku­mar Adi­damu.

Again, the com­pany’s ‘Ba­jaj Al­lianz In­di­vid­ual Cy­ber Safe Pol­icy’ cov­ers fi­nan­cial loss re­sult­ing from be­ing an in­no­cent vic­tim of email spoof­ing and phish­ing, losses and ex­penses re­lated to de­fense and pros­e­cu­tion cost re­lated to iden­tity theft, IT theft loss, restora­tion cost to re­trieve or re­in­stalled data or com­puter pro­gram dam­aged by en­try of mal­ware. It also pro­vides cov­er­age for ex­penses in­curred on coun­selling ser­vices treat­ment, claim for dam­ages against third party for pri­vacy breach and data breach, cy­ber extortion loss and trans­porta­tion for at­tend­ing court sum­mons.

BUY­ING A COVER

What are the key fac­tors to be con­sid­ered

while buy­ing cy­ber in­sur­ance (a) by an in­di­vid­ual and (b) by a cor­po­rate?

Ac­cord­ing to Anurag Ras­togi, the pri­mary con­sid­er­a­tion while buy­ing a cy­ber in­sur­ance pol­icy should be tak­ing stock of all the threats one may be ex­posed to on­line, so as to buy a rel­e­vant pol­icy and suitable add-on cov­ers. Be­sides these, both in­di­vid­u­als and cor­po­rates need to be cog­nizant of the in­clu­sions and ex­clu­sions un­der their pol­icy. It is im­por­tant to check the sub-lim­its for the risks cov­ered, he says, adding one should also check the va­lid­ity of the pol­icy in or­der to do a timely re­newal with­out break.

In­di­vid­u­als, ac­cord­ing to him, must con­sider their exposure and their de­pen­dency on the in­ter­net. They must also con­sider their fam­ily’s exposure ie. the spouse and de­pen­dent chil­dren who ac­cess the in­ter­net. “In or­der to as­cer­tain the sum in­sured, it is best to con­sider an in­di­vid­u­als’ av­er­age spends on­line or the credit card/eWal­let limit. The insurer will look at the in­di­vid­ual’s past ex­pe­ri­ence and loss his­tory on­line if any. This is be­cause any loss aris­ing out of past acts will not be cov­ered un­der in­sur­ance,” says he.

Cor­po­rates, he adds, need to be mind­ful of the grav­ity of data that gets stored in the sys­tem, the geo­graph­i­cal spread of the busi­ness (whether ex­posed to GDPR coun­tries), com­pli­ance re­quire­ments such as PCI and HIPPA. On­line pres­ence of the com­pany and out­sourced ac­tiv­ity also plays an im­por­tant role here, he adds.

Sasiku­mar Adi­damu says at the cor­po­rate level, com­pa­nies need to eval­u­ate the po­ten­tial risks as well as the cov­er­ages of­fered. “For in­stance, a com­pany, which holds a lot of cus­tomers’ in­for­ma­tion (say a food de­liv­ery app, fi­nan­cial in­sti­tu­tion or a so­cial me­dia site), would want to make sure that pri­vacy and data breach li­a­bil­ity are cov­ered. In or­der to re­tain cov­er­age un­der pol­icy terms, com­pa­nies need to pay due dili­gence to avoid the cy­ber risks in the first place. A ro­bust data and cy­ber se­cu­rity in­fra­struc­ture en­sures that there is no cal­lous­ness in deal­ing with cy­ber threats. Com­pa­nies need to also have a strong re­cov­ery plan and back­ups in place. They need to con­stantly change and eval­u­ate the in­fra­struc­ture and pre­pare a frame­work to tackle these hos­tile forces on­line. Up­dat­ing and up­grad­ing con­tin­u­ously and an ap­pro­pri­ate cover is the only way to guard against these emerg­ing new types of cy­ber risks,” says he.

In­di­vid­u­als, he adds, need to match the pol­icy cov­er­age with their needs and se­lect the sum in­sured ac­cord­ing to their exposure. They must check the cov­er­age and ex­clu­sion sec­tion of the pol­icy to en­sure that his needs are be­ing met by the pol­icy.

PRE­MI­UMS, CAL­CU­LA­TION

Pre­mi­ums and their cal­cu­la­tion are cru­cial in in­sur­ance busi­ness. Jayant Saran of Deloitte In­dia says cy­ber in­sur­ance pre­mi­ums are cal­cu­lated on the ba­sis of ac­cu­rate analy­ses of risks in most cases. Third-party ser­vice providers also as­sist in assess­ing the most vul­ner­a­ble spots within an or­ga­ni­za­tion’s cy­ber in­fra­struc­ture. “This prac­tice is quite evolved for or­ga­ni­za­tions that are more aware. For smaller firms with lit­tle knowl­edge or exposure to such cases, the prac­tice may take some more time to reach to­tal ac­cep­tance,” says he.

Ac­cord­ing to Na Vi­jayashanka­r, the in­sur­ance in­dus­try at present is not cus­tomiz­ing the premium on the ba­sis of client spe­cific risk as­sess­ment. “It is mostly dic­tated by the re-in­sur­ance costs,” says he.

Ar­jun Bhaskaran says the pric­ing of cy­ber in­sur­ance is now led by MNC in­sur­ance com­pa­nies, which are set­ting the price bench­marks based on the re­search and ex­pe­ri­ence of the par­ent or­ga­ni­za­tions. Indian in­sur­ance com­pa­nies will be­gin to of­fer prod­ucts and prices that clone the early movers. Grad­u­ally, the pric­ing will im­prove based on ac­tual claims ex­pe­ri­ence and finer as­sess­ment of risks, he says.

BA­SIS EXPOSURE

In­sur­ance com­pany pro­fes­sion­als, how­ever, dif­fer. Anurag Ras­togi of HDFC ERGO, says like other com­mer­cial prod­ucts, the premium for cy­ber in­sur­ance too is cal­cu­lated ba­sis the exposure. “The premium rates de­pend on fac­tors like the scale of op­er­a­tions, limit of in­sur­ance cover be­ing pur­chased, in­dus­try risk exposure, data li­a­bil­ity exposure, claim cir­cum­stances if any and oth­ers. The premium rates are usu­ally on the higher side for fi­nan­cial in­sti­tu­tions, con­sid­er­ing the risk exposure, in com­par­i­son to those in the man­u­fac­tur­ing or the health­care sec­tor,” says he.

Cy­ber in­sur­ance premium is cal­cu­lated based on the cy­ber se­cu­rity au­dit that can be a self-au­dit by the client (via a pro­posal form and ques­tion­naire) or by in­sur­ance com­pany’s team of experts, says Sasiku­mar Adi­damu. “The au­dit con­cen­trates on the IT sys­tems and pro­cesses in place along with pre­vi­ous in­ci­dents and changes made in light of any pre­vi­ous in­ci­dents. The busi­ness con­ti­nu­ity plan, IT se­cu­rity pol­icy, cy­ber se­cu­rity au­dit process, type and volume of data stored are some of the fac­tors that are con­sid­ered. While the process is not per­fect, it is suf­fi­ciently elab­o­rate and de­tailed to pro­vide the un­der­writ­ers an ac­cu­rate pic­ture of the risk. This process too con­tin­ues to evolve,” he elab­o­rates.

EVOLV­ING CRIME PATTERNS

How are in­sur­ers keep­ing pace with the fast-chang­ing cy­ber­crime patterns?

Anurag Ras­togi says in­sur­ance com­pa­nies are tak­ing cog­nizance of the ever chang­ing cy­ber­crime patterns and cre­at­ing cov­ers for safe­guard­ing in­di­vid­u­als and cor­po­rates alike. “There ex­ists is a huge gap,” he ad­mits, “in the form of optimism bias, which means they think they will con­tinue to re­main un­scathed by cy­ber­at­tacks. Hence, the onus lies on the in­sur­ance play­ers to cre­ate more aware­ness about the ris­ing threat of se­cu­rity in the vir­tual space.”

Sasiku­mar Adi­damu em­pha­sizes that in­sur­ance com­pa­nies are reg­u­larly train­ing their cy­ber un­der­writ­ers along with con­stantly an­a­lyz­ing cy­ber in­ci­dents. “At Ba­jaj Al­lianz Gen­eral In­sur­ance, we also re­view var­i­ous study papers and re­search pub­lished by an­a­lysts and in­sur­ers/rein­sur­ers on the topic to en­sure that we are aware about the con­stantly evolv­ing cy­ber risk land­scape,” says he.

Jayant Saran of Deloitte feels although in­sur­ers are mak­ing ef­forts to keep pace with evolv­ing cy­ber­crime risks and patterns, these risks are in­creas­ing at a much faster pace.

Na Vi­jayashanka­r says while an at­tempt is be­ing made and the po­lices use some broad terms such as iden­tity theft, im­per­son­ation etc, it does not mat­ter if the modus operandi changes.

Ar­jun Bhaskaran is of the view that Indian in­sur­ers have just be­gun to wet their feet in the cy­ber in­sur­ance mar­kets and the real chal­lenge will come when large vol­umes of poli­cies are is­sued, and high volume of claims and com­plex­ity be­gin to hit them. “The abil­ity of the Indian in­sur­ers to as­sess and set­tle cy­ber in­sur­ance claims in a pro­fes­sional and speedy man­ner, will be tested.”

CRE­AT­ING AWARE­NESS

There is need for cre­at­ing more aware­ness about cy­ber in­sur­ance and cor­po­rates adopt­ing it. Ar­jun Bhaskaran says most of the po­ten­tial cus­tomers in B2C and B2B seg­ments are un­aware about the con­cept of cy­ber in­sur­ance and its fea­tures. Once they get to know about it, most of them show se­ri­ous in­ter­est in buy­ing cy­ber in­sur­ance. He cites how at a sem­i­nar of cy­ber­se­cu­rity for co­op­er­a­tive banks held in Palakkad, Ker­ala, most of the au­di­ence con­sist­ing of man­age­ment mem­bers from over 90 co­op­er­a­tive banks, showed se­ri­ous in­ter­est to pro­cure cy­ber in­sur­ance. He says there is a need for ad­ver­tise­ments and pro­mo­tion, in a joint man­ner by in­sur­ers and bro­kers to evan­ge­lize cy­ber in­sur­ance es­pe­cially among B2C and B2B seg­ments.

One way of cre­at­ing more aware­ness, ac­cord­ing to Jayant Saran, is to un­der­take a thor­ough study on why an or­ga­ni­za­tion may be tar­geted, var­i­ous types of sen­si­tive data be­ing held and the likely out­comes of a data breach. Pre­dictable con­se­quences may help au­to­mat­i­cally cre­ate the re­quired aware­ness to push or­ga­ni­za­tions to se­cure them­selves with cy­ber in­sur­ance.

Na Vi jay as hank ar too says a sub­stan­tial ef­fort at aware­ness cre­ation and more par­tic­u­larly mak­ing the user in­dus­try un­der­stand the nu­ances of cy­ber in­sur­ance is re­quired. “I am try­ing to work out an ar­range­ment with some aca­demic in­sti­tu­tions to de­velop an out­reach pro­gram for the pur­pose,” says he.

Anurag Ras­togi con­curs, and says this is mainly on ac­count of the optimism bias ex­ist­ing among con­sumers. “In do­ing so, in­sur­ers are us­ing var­i­ous chan­nels like so­cial me­dia plat­forms, news­pa­pers and mag­a­zines, ra­dio, road shows, kiosk ac­tiv­ity as well as part­ner­ing with cy­ber­crime depart­ment and cy­ber experts to drive the im­por­tance and cre­ate aware­ness among con­sumer of cy­ber in­sur­ance among con­sumers,” he says.

Says Sasiku­mar Adi­damu: “In fact, not many peo­ple are aware that cy­ber in­sur­ance for in­di­vid­u­als even ex­ists. Many in­sti­tu­tions and in­di­vid­u­als don’t know how to pro­tect their in­for­ma­tion from be­ing mis­used by oth­ers be­cause of lack of aware­ness to­wards se­cu­rity. I feel that cor­po­rates can train their em­ploy­ees on cy­ber­crime and cy­ber se­cu­rity, both on cor­po­rate and in­di­vid­ual fronts. Cam­paigns across all plat­forms about the risks one is sus­cep­ti­ble to due to us­age of in­ter­net and steps one can take to avoid fall­ing prey to cy­ber­at­tacks, can also help in­crease aware­ness about cy­ber se­cu­rity. The more peo­ple are aware about in­for­ma­tion se­cu­rity, the less they be­come tar­gets to cy­ber­at­tacks, says he.

RISK UNDERWRITI­NG

What goes into the risk underwriti­ng in cy­ber risk in­sur­ance?

Says Sasiku­mar Adi­damu: “For cor­po­rates, the underwriti­ng is done on a case to case ba­sis since any two cor­po­rates are hugely dif­fer­ent from each other in terms of their cy­ber risk pro­files. For In­di­vid­u­als, on the other hand, we have sim­pli­fied the process and have pre­de­fined pre­mi­ums for dif­fer­ent lim­its.”

Anurag Ras­togi says for cor­po­rates, the pa­ram­e­ters con­sid­ered are the availabili­ty of well-de­fined IT, BCP and DR poli­cies, type of PIII, PCI and PHI data stored by the com­pany, se­cu­rity mea­sures in each lo­ca­tion (low, medium, high) etc.

Na Vi­jayashanka­r be­lieves t he underwriti­ng process should start with a pro­posal form from the in­sur­ance seeker with rel­e­vant de­tails. “The insurer has to ask for doc­u­men­ta­tion and con­duct a pre-underwriti­ng as­sess­ment be­fore

pro­vid­ing the quote. At this time, the in­for­ma­tion se­cu­rity sta­tus will have to be eval­u­ated. At present, the com­pa­nies are try­ing to de­velop a model for assess­ing a pro­posal and take the nec­es­sary de­ci­sion,” says he.

Jayant Saran de­scribes the process start­ing with the as­sess­ment of the kind of data an or­ga­ni­za­tion holds and within this data, un­der­stand what can be clas­si­fied as crit­i­cal data or applicatio­ns. “This should be fol­lowed by un­der­stand­ing the own­er­ship of the said data and the se­cu­rity in­fra­struc­ture in place sur­round­ing the us­age, dis­sem­i­na­tion, trans­fer, and re­ten­tion of the data with or­ga­ni­za­tions, as well as any third par­ties in­volved (in safe­keep­ing the data). Known gaps dur­ing the process should be high­lighted and var­i­ous forms of breach should be sim­u­lated in a test­ing en­vi­ron­ment, to gain an un­der­stand­ing of how the se­cu­rity in­fra­struc­ture re­acts,” he ex­plains.

Ar­jun Bhaskaran be­lieves cy­ber in­sur­ance underwriti­ng can be done ef­fec­tively through co­op­er­a­tion / part­ner­ship be­tween in­sur­ance com­pa­nies and cy­ber­se­cu­rity ex­pert or­ga­ni­za­tions. “In­sur­ance com­pa­nies need to take the help of cy­ber­se­cu­rity experts for (a) con­duct­ing a de­tailed risk as­sess­ment of po­ten­tial cy­ber in­sur­ance B2B cus­tomers and cy­ber­se­cu­rity experts will be able to con­duct a com­pre­hen­sive anal­y­sis of all IT and Se­cu­rity assets, de­vices, ser­vices, etc; (b) cy­ber­se­cu­rity experts are re­quired to con­duct a foren­sic in­ves­ti­ga­tion into com­plex cy­ber in­sur­ance claims and pro­vide an in­de­pen­dent and com­pre­hen­sive cy­ber in­ves­ti­ga­tion re­port; and (c) dur­ing the life of the cy­ber In­sur­ance pol­icy con­tract, if there is a cy­ber­se­cu­rity in­ci­dent or loss, the in­sur­ance com­pany may en­gage the cy­ber­se­cu­rity part­ners to im­me­di­ately as­sist the cus­tomer in quelling and min­i­miz­ing the cy­ber losses / dam­ages,” says he.

A VI­ABLE BUSI­NESS?

Fi­nally, is cy­ber risk in­sur­ance a vi­able busi­ness propo­si­tion for Indian in­sur­ers?

Anurag Ras­togi: With the ex­po­nen­tial in­crease in the rate of cy­ber­crimes, there is great po­ten­tial in the Indian cy­ber in­sur­ance seg­ment, which has grown by about 30% to 35% in the last one year. Over the last 4 years, we have seen large and mid-sized cor­po­rates pur­chas­ing com­mer­cial cy­ber in­sur­ance prod­ucts.

Sasiku­mar Adi­damu: In­sur­ers are in the busi­ness of pay­ing claims and with cor­rect risk se­lec­tion and proper pric­ing any busi­ness can be a vi­able propo­si­tion. Cy­ber in­sur­ance is one of the fastest grow­ing seg­ments in the Li­a­bil­ity LOB and I ex­pect it to con­tinue to grow ex­po­nen­tially. There­fore, it presents an ex­cit­ing op­por­tu­nity for Indian in­sur­ers.

Na Vi­jayashanka­r: Yes. At present, in­sur­ance com­pa­nies are charg­ing up to 0.75 % on the underwriti­ng amount as premium with­out mak­ing any risk as­sess­ment. If a proper risk as­sess­ment is done and the pol­icy con­di­tions are prop­erly struc­tured, it is pos­si­ble to make the busi­ness vi­able even at a lesser rate.

Jayant Saran: Yes, and the fu­ture of busi­nesses de­pends on the evo­lu­tion of the cy­ber en­vi­ron­ment and un­der­stand­ing the risks as­so­ci­ated with it. This will be the driver for cy­ber in­sur­ance in In­dia in the near fu­ture.

Ar­jun Bhaskaran: The cen­tral premise of cy­ber in­sur­ance is that the cy­ber risks must be trans­ferred to the agent who can han­dle or mit­i­gate the cy­ber risks in a most optimal man­ner. There­fore, or­ga­ni­za­tions which are most com­pe­tent in han­dling and mit­i­gat­ing cy­ber risks must be in the fore­front of cy­ber­se­cu­rity ex­ports and in cy­ber in­sur­ance / rein­sur­ance. In­dia is among the top 10 coun­tries that have strong cy­ber­se­cu­rity man­age­ment ca­pa­bil­i­ties, along with USA, UK, Aus­tralia, Is­rael, Rus­sia, France, Ger­many, Ja­pan, Korea and China.

PROSPECTS FOR IN­SUR­ERS

For i nsurance com­pa­nies of­fer­ing cy­ber in­sur­ance, foren­sics will play an im­por­tant role in de­ter­min­ing the data loss and mea­sures to be taken to mit­i­gate the dam­age. In third-party re­lated suits, the ex­tent of loss will be de­ter­mined ba­sis the con­fi­den­tial­ity of the data. Although in­sur­ers have the ser­vices of claims, le­gal and IT experts on standby for any even­tu­al­ity, with few poli­cies in the mar­ket and fewer claims, the big­gest chal­lenge is a lack of ex­pe­ri­ence. As the num­ber of claims in­creases, the ex­per­tise will nev­er­the­less grow.

Cy­ber i nsurance cov­ers do not pre­vent frauds from hap­pen­ing. Buy, they def­i­nitely re­duce the fi­nan­cial im­pact caused by such risks. Experts be­lieve these poli­cies are of great as­sis­tance as In­dia is on its way to dig­i­ti­za­tion and the in­ter­net is be­com­ing the pre­ferred medium for fi­nan­cial trans­ac­tions. A at­tack can there­fore cause ir­repara­ble losses to the cor­po­rates, es­pe­cially banks and fi­nan­cial ser­vices in­sti­tu­tions. At least part of the loss can be re­couped as some of the ex­penses in­curred post-at­tack like third-party li­a­bil­i­ties, coun­sel­ing and ser­vice restora­tion are paid by the cover. This is be­sides con­sul­tant fees, court ex­penses and le­gal fees.

Fi­nally, what is there for in­sur­ance com­pa­nies? Will cy­ber in­sur­ance busi­ness be a prof­itable one for them given the ex­tent of frauds and heists and cy­ber at­tacks these days? It will be dif­fi­cult to say.

Anurag Ras­togi in­sists the onus lies on in­sur­ance play­ers to cre­ate more aware­ness about the ris­ing threat of se­cu­rity in the vir­tual space

Sasiku­mar Adi­damu re­veals nowa­days even SMEs, star­tups and smaller busi­nesses in­quire about cy­ber in­sur­ance un­like in the ear­lier days

Na Vi­jayashanka­r calls for aware­ness cre­ation and more par­tic­u­larly mak­ing the user in­dus­try un­der­stand the nu­ances of cy­ber in­sur­ance

Jayant Saran avers cy­ber in­sur­ance pre­mi­ums are cal­cu­lated on the ba­sis of ac­cu­rate analy­ses of risks an or­ga­ni­za­tion may face

Ar­jun Bhaskaran ad­vo­cates TPAs in cy­ber in­sur­ance for cre­at­ing bet­ter trust and con­fi­dence in the minds of re­tail, SME cus­tomers

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.