Growing Urgency of Cybersecurity: Navigating Digital Risks in Insurance
Banking Frontiers organized its annual InsureNext conclave in January in Mumbai. The second panel discussion explores insights digital risk management, regulatory landscape, data privacy, data protection, etc. Edited excerpts:
Gaurav Khera: Dr. Puneet, drawing from your extensive industry experience, could you elaborate on the significance of cybersecurity and digital risk management in today’s landscape? How do you perceive the evolving challenges and opportunities in this domain?
Dr. Puneet Kaur Kohli: In today’s evolving l andscape, digital risk takes precedence across various domains, including BFSI. In the post-COVID era, with a digital-first and mobile-first approach, transactions occur i n nanoseconds, necessitating a competitive, cutting-edge, and swiftly marketable digital ecosystem. However, technology alone cannot shape this landscape. Thorough research is imperative to ensure a seamless digital experience, be it in B2B, D2C, or B2B2C formats.
Managing risks, especially regarding Personally Identifiable (PI) data, data l ocal i z a t i on, a nd c l oud hosti ng i n alignment with regulatory directives, is crucial. Regulators, such as RBI and IRDI, emphasize declarations adhering to master directions. Beyond transactions, securing customer data, localization, and obtaining necessary concurrences for cross-selling are integral considerations.
The comprehensive approach extends beyond the front end, encapsulating 360° risk mitigation plans, Real-Time Payment Systems (RTPS), and compliance readiness.
Technology’s other facet lies in ensuring market participants possess awareness. Addressing the lack of awareness, particularly among on-ground personnel, is pivotal. Educating individuals on data sharing restrictions under the Data Protection and Privacy (DPD) Act becomes crucial, as noncompliance attracts significant penalties. This necessitates a cultural shift and active participation from all stakeholders in shaping a resilient ecosystem.
Kanishka, how does cyber risk insurance play a role in mitigating these residual risks?
Kanishka Mehra: As we convened before the session commenced, the discourse on insurance emerged as profoundly relevant. It’s heartening that our fraternity of brokers now has a platform to delve into insurance intricacies, dissecting coverages, limits, and policy trajectories. In my perspective, insurance has transcended into a pivotal risk management tool akin to cybersecurity. Des p i t e d e p l o y i n g c o mprehensi v e cybersecurity frameworks, residual risks persist, which insurance diligently addresses.
Allow me to recount our foray into insurance, particularly cyber risk coverage, initiated in 2017. Engaging with prominent banks and financial institutions, we sought insights on cyber risks, pivoting away from generic narratives to address India-centric concerns. Queries on prevalent attacks, potential impacts, loss projections, and optimal coverage limits posed significant challenges initially. Our lack of a well-defined policy framework compelled a deep dive into cyber risk assessment, ultimately culminating in a holistic cyber insurance offering.
Cyber risk management evolved from pre-assessment evaluations to quantifying risks through value-at-risk methodologies. Guiding organizations t hrough risk parameterization, we tailored policies aligned with their risk appetites and business exigencies. By integrating risk dimensions encompassing first-party, thirdparty, subsidiary risks, and international exposures, we constructed bespoke insurance solutions. Embracing a collaborative approach, we fine-tuned policy wordings through meticulous discussions within the Lloyd’s market, ensuring tailored coverage reflective of Indian market nuances.
An essential facet often overlooked is post-claim assistance, a critical feature we prioritize. Many existing policies lack clarity on claim lodging procedures, leaving stakeholders stranded during emergencies. Recognizing this gap, we advocate for emergency response assistance vendors integrated into policies, providing 24/7 support and guidance during claims. This comprehensive approach underscores our commitment to evolving insurance offerings, adapting to dynamic risk landscapes while prioritizing client-centric solutions.
Arjun, how can we quantify cyber risk more effectively?
Arjun Bhaskaran: Quantification aligns with the insurance industry’s core function of providing financial protection. Traditionally, data from security operations centers (SOCs) and dark web sources were used. We’re working with IIT Kanpur to leverage the Open Security Controls Assessment Language (OSCAL) to measure GRC compliance against frameworks like NIST 800- 53 revision 54. This collaborative effort aims to create a standardized approach for measuring cyber risk across various frameworks.
Dr. Kohli, the interconnectedness of devices raises concerns about data security across different regulatory domains. Is the regulatory landscape keeping pace with these advancements?
Dr. Puneet Kaur Kohli: In the contemporary interconnected landscape, regulatory frameworks exhibit disparate connections, especially in contrast to the comprehensive IRDA guidelines addressing diverse aspects such as SOCKS, HIPAA, and ISO 27,001 (2005, 2013) for risk assessment. A need arises for regulatory consolidation to streamline operations across varied domains. Companies operating in distinct sectors should adhere to a unified standard for data management, scrutinizing the inflow and outflow of data. As we often tout “data is the new oil,” the focus now shifts to individuals as data custodians, emphasizing personal responsibility in safeguarding data integrity.
While companies implement robust c y bers e c uri ty measures, i ndivi dual preparedness is equally critical, exemplified by the absence of basic safeguards like a `1000 antivirus on personal mobile devices. Mobiles, integral to daily transactions, become potential vulnerabilities if not adequately protected. The industry’s complex ecosystem, encompassing telematics, IoT devices, and real-time policy issuance, demands a standardized technological infrastructure. A unique algorithm for multi-connected devices should ascertain data safety and flag potential frauds in claims processing.
Technological advancements l i ke live video streaming, ICROCR devices, and surveyor apps play pivotal roles in enhancing efficiency. However, the missing link lies in ensuring the legitimacy of data feeds, calling for a standardized feature across regulators. The emphasis on quicker claim settlements necessitates a parallel focus on data authenticity, an area where regulatory readiness currently falls short.
Kanishka, how do you address the challenge of data privacy? Specifically, how do you ensure both consent and security regarding personal data functions? Furthermore, how can the insurance industry adapt to the Data Protection Act (DPDP)?
KanishkaMehra: With the introduction of the DPDP, it becomes imperative for policies to fortify themselves against potential liabilities that organizations may encounter. Many existing policies in the market currently lack provisions to address the requirements of the act. Amendments are necessary to ensure compliance with the DPDP, particularly as the sum insured amounts escalate to nearly 250 crores.
Smaller organizations, with limits as low as 20 or 25 crores, face challenges in obtaining adequate coverage tailored to DPDP requirements. It’s essential to explore options for providing these entities with suitable insurance coverage. This could involve offering standalone policies specifically designed to address DPDP mandates or devising alternative solutions to meet their needs effectively.
Some clients have already taken proactive measures to align their policies with DPDP regulations, customizing them to accommodate the new data protection requirements. However, a significant number of policies still require adjustments to align with DPDP guidelines. Timely updates to policies are crucial to mitigate risks effectively and ensure readiness for the full implementation of DPDP regulations.
Arjun, how can we address security challenges posed by interconnected devices and data privacy concerns within
the API economy?
Arjun Bhaskaran: The API economy introduces risks from unknown APIs, requiring additional vigilance from insurers. An open architecture API marketplace with regulatory consolidation at the backend could enable informed choices about API consumption. This would enhance transparency and mitigate risks associated with unknown APIs.
Dr. Puneet Kaur Kohli: I propose an API marketplace with built-in regulatory consolidation at the backend to identify data sources and ensure open architecture for i nformed API consumption. This ecosystem-wide collaboration is essential for navigating the complexities of the digital landscape.
In conclusion, while advocating for enhanced device security holds significance, the primary responsibility rests with individuals to cultivate a culture of data privacy and security. Too often, we divulge personal information without adequate scrutiny, inadvertently exposing ourselves to potential risks. The DPDP Act endeavors to confront this challenge by i mposing accountability on both organizations and individuals.
Cultural shifts, alongside stringent regulatory measures, are pivotal in nurturing a safer digital landscape. Encouraging individuals to exercise greater caution in handling their data and fostering a heightened awareness of privacy concerns are essential components of this cultural transformation. Simultaneously, robust enforcement of regulations like the DPDP Act reinforces the importance of safeguarding personal information and underscores the consequences of negligence. Through a concerted effort to instill responsible data practices and uphold regulatory standards, we can pave the way for a more secure and resilient digital ecosystem.