Interest is high, but adoption is low
Question: What has been your experience with cyber insurance as a risk mitigation tool?
One doesn’t have to ask an expert to know what are the biggest threats to any financial organization – the two biggest threats are pandemic and cyber-attacks. 14 experts share their perspectives on the effectiveness of cyber insurance is against cyber risk, and how to adopt it.
ABHILASH BALAN, CISO at Digit Insurance
Cyber insurance does offer protection in terms of mitigating monetary loss, providing support for forensics, reputation costs, regulatory fines, etc, in case an organization suffers a security breach. It also brings to the table access to international level experts and vendors to help in covering these risks. It allows us to transfer some risk to the insurance service provider, but one has to be aware that it’s just one of the components of risk management framework.
AVNEESH TRIVEDI, CRO at Moneyboxx Finance
Cyber insurance is gaining traction now. With the increased pace of digital journey in consumer lending space, cyber insurance is needed to safeguard against any eventuality. In the current scenario as most of us are working from home and are a fully remote workforce, organizations are facing email threats, end point security gaps, etc. Cyber insurance is designed to cover the fees, expenses and legal costs associated with cyber breaches. It is imperative to use this insurance as a proper risk management tool.
BIKASH CHOUDHARY, Appointed Actuary & Chief Risk Officer at Future Generali India Life Insurance
Due to the rapid adoption of remote working, cybersecurity has ballooned into major concern for all organizations, governments and individuals across the world. Since the onset of the pandemic the frequency and the complexity of cyberattacks have increased exponentially. Thus, management of cyber risks has become increasingly onerous and
inevitable.
Organizations are often left perplexed in the event of a cyberattack as they are either faced with the proposition of large payout (ransoms) to the cybercriminals or face potential reputational damage and / or regulatory penalties. In such situations cyber insurance can prove to be a very effective risk management tool.
At Future Generali Life Insurance, we are proactively working on thwarting cyberattacks. We have done so by implementing several initiatives such as SOC, endpoint encryption, endpoint detection and response, digital risk management, etc. However, we also have recognized that the dynamic nature of cybersecurity needs us to consider that we can have certain blind spots and have opted for a cyber insurance cover as well. This enables us to mitigate the cyber fallout through post facto financial loss indemnification and at the same time become a proactive ex-ante prevention mechanism.
DAMODARAN C, Vice President & Chief Risk Officer at Federal Bank
Cyber i nsurance provides an effective risk transfer mechanism against the low frequency high i mpact c ybersec urity incidents. This needs to be aligned with the regular operational risk indemnity covers for deriving the maximum benefit and cost optimizations. Assessment of the financial value to be covered and the policy clauses required are a challenge as this is a relatively new area and new cyber risks are constantly emerging.
GOPAL BALACHANDRAN, CFO & Chief Risk Officer at ICICI Lombard General Insurance
Cyber insurance is a very vital tool for risk mitigation and the times we live in make it imperative for every business, irrespective of its scale to aim at availing the right set of insurance covers to protect businesses and individuals against cyber risks.
The 14th edition of Data Breach Investigations Report (2021 DBIR) by US-based Verizon Business, analyzed 29,207 security incidents from data collected from 83 contributors, with victims spanning 88 countries, 12 industries, and 3 world regions. The report showed that with an unprecedented number of people working remotely, phishing and ransomware attacks increased by 11% and 6% respectively, with instances of misrepresentation increasing 15x compared to last year.
With most people working from home, due to the pandemic, there has been a significant growth in cybercrime. The year 2021 saw 5258 data breaches across the globe.
Additionally, breached data showed that 61% of breaches involved credential data. About 95% of organizations suffering
credential stuffing attacks had between 637 and 3.3 billion malicious login attempts through the year.
Among financial and insurance industries, 83% of data compromised in breaches was personal data, while in professional, scientific and technical services industries, 49% data was personal. Further, the report also revealed many breaches that took place in the Asia-Pacific region were caused by financially motivated attackers - phishing employees for credentials and then using those stolen credentials to gain access to mail accounts and web application servers. The above statistics speak volumes.
Therefore, in today’s day and age, whilst cybersecurity is an essential tool, it is equally important for all organizations, including SMEs, to assess their nature of business from a risk profiling perspective and accordingly make an informed decision on obtaining the right set of cyber insurance covers. They must evaluate the terms and conditions of the insurance policy.
K R MOHANACHANDRAN, Chief Risk Officer at ESAF Small Finance Bank
Cyber insurance policies offer insurance cover for risks such as data liability, administrative obligations, reputation and response costs, multimedia liability, cyber and privacy extortion, network interruption, PCI DSS assessment, reward expenses, fraudulent communication loss, cyber terrorism, fraudulent fund transfer loss, psychological support expenses, social engineering frauds, etc. Any financial institution is susceptible to cyber frauds. We have opted for cyber insurance as a mitigation tool.
PRITHVI CHANDRASEKHAR, President Risk & Analytics at
InCred
We don’t specify cyber insurance right now (apart from our broader business insurance framework). We look for ward to the technology and regulatory environment for cyber insurance becoming more stable, so we can weave these emerging technologies into our business model.
RAKESH BANSAL, Chief Risk Officer at Hero Housing Finance
We have to evaluate this option.
ROOPAM ASTHANA, CEO & WTD, Liberty General Insurance
The e-space ecosystem in India has undergone a very large transformation during the recent past and is vulnerable to both natural accidents as well as intentional interventions. Cyber ecosystem, if overlooked, can lead to credibility crises having financial and social consequences. Recent breach of data bases and systems of an airline and a large oil pipeline are perfect examples of increasing cyberattacks. Adequate cyber cover will help to mitigate the risk of losses arising from such attacks, of course along with proper IT security practices – as prevention is better than cure always. Unfortunately, the cyber risk insurance product has still not caught the fancy of consumers.
SADAF SAYEED, CEO at Muthoot Microfin
We have not availed cyber insurance till now.
SUJAY DAS, Chief Risk Officer at MoneyTap
As we move more towards better and more seamless digital processes, cyber risk is becoming more important to consider. With increasing number of cyberattacks across the globe, cyber insurance is a good tool to cover those losses. At this particular time across any industry across the globe, the awareness of how important cyber insurance is frequently known to the companies using technology usually. An increasing awareness within individuals is also necessary as we see increase in losses due to identity thefts, phishing etc. However, it is also important that fintech companies and other financial institutions constantly monitor and keep updating their systems and technologies so that cyberattacks can be minimized.
SUNDER NATARAJAN, Chief Compliance & Risk Officer at IndiaFirst Life Insurance
Reviewed renewal. No claim. We have not raised a claim yet. However, we did a comprehensive review of requirements whilst renewing our cover during the year.
VENKATA JAYARAMAN M., Chief Risk Officer at Fincare Small Finance Bank
The bank is on a journey to undertake risk assessment on continuous basis and mitigate risks to keep it within the acceptable risk appetite. However, cybersecurity is always fighting against the unknown. Any organization needs to protect a multitude of areas against any weakness, whereas a hacker needs a single gap or weakness to penetrate the organization. Hence continuous and rigorous monitoring framework is the key to staying on top of the game.
VIJAYALAKSHMI NATARAJAN, Chief Compliance and Risk Officer at Aviva India
The probability of cyber risks, which include phishing, smishing, vishing, malware and ransomware attacks have increased 3-fold with the entire world moving on to work digitally from home. This has increased
awareness about cybersecurity protocols across industries without any distinction. Data and information protection has assumed paramount importance with the industry having resorted to extensive use of internet and all available modes of digital platforms for communication, both formal and informal, to elicit information and speed up servicing.
This is where cyber insurance comes into play - to protect against damages, losses, penalties, etc associated with data loss or recovery cost in case of a cyberattack/hacking that results in disruption. But, the extent of liability covered by cyber insurance would be an area of debate for most as well as affordability to cover all damages and all instances. With the impending Personal Data Protection (PDP) Bill in India, organizations are willing to invest in cyber insurance and the
significance is growing day by day.
SUMMARY
Not a single participant has spoken against cyber insurance….all have commented on its importance and effectiveness. From the 14 organizations that responded to this question, 3 have actually purchased cyber insurance, 3 haven’t purchased and the other 8 haven’t indicated either way. Of the 3 that have purchased cyber insurance, 2 are life insurance companies and one is a small finance bank. The 3 that haven’t purchased cyber insurance are all NBFCs. The low penetration of cyber insurance indicates that the product has to mature to fit a greater variety of needs and the awareness too has to grow.