On 19 July, a link claiming that Mr Bean actor Rowan Atkinson has died was going viral. Only that Atkinson was not dead. The link in question was a malicious computer virus that spread across Britain. One click was all it took for the virus to embed itself in the system. That is how simple it is for ransomware and other computer viruses to take over. Quite recently, a report from CERT-in, the Indian Computer Emergency Response Team, was presented to the Lok Sabha, according to which 22,207 Indian websites, including 114 government websites, were hacked during April 2017 to January 2018.
However, the good news is that India is increasingly becoming committed to providing better cybersecurity. At the last count, it stood at 23rd place, out of 165 countries, as per the second Global Cybersecurity Index. The index, released by the UN telecommunications agency called International Telecommunication Union, places India in the maturing category.
When a cyber threat strikes
Despite attempts at a better preparedness, individual organisations are also beginning to realise that they stand to lose a lot when an attack strikes. The main reason for this is the financial implications of such an attack. This is where cyber insurance is developing as a category of a new class of insurance products offered in India. The concept of cyber insurance is relatively new, but the widespread attack of malware has made it possible for companies providing cyber insurance to tap the nascent sector in India. According to a report published by Allied Market Research, the cyber insurance market is expected to garner $14 billion by 2022 globally, registering a CAGR of 28 per cent during the forecast period 2016-2022.
Even though cyber insurance has been available in the market for around 10 years now, it is only recently that this class of insurance has gained traction. This is due to a significant increase in cyber crimes, such as unauthorised access and hacking, virus attacks, cyber vandalism, cyber terrorism and intellectual-property-related crimes. For instance, according to a KPMG survey, after the WannaCry ransomware attacks all over the world last May, 69 per cent of the organisations in India said that ransomware was a significant risk to them, while 43 per cent revealed they had already experienced ransomware attacks. Given this scenario, it comes as no surprise that, of late, organisations are making buying cyber insurance policies a must to cover the financial loss incurred in the eventuality of a cyber attack. By definition, cyber insurance reimburses the financial loss occurred due to cyber breaches or attacks.
Fringe benefits
However, there is more to it; cyber insurance can also guide the clients to better assess the cyber practices and risks associated with it and accordingly firms can design a better cyber response plan.
As India embraces a digital economy, it is also becoming more vulnerable to cyber crimes. According to the annual cybersecurity report released by Cisco, in last year alone Indian firms have lost $500,000. This does not include the data theft in companies like Zomato and Uber. The banking sector is another huge target for cybercriminals. In the recent past, at least 32 lakh debit cards of various banks were found to be compromised. These have opened the gates for the insurers to come up with policy solutions to cover the risks.
According to Mumbai-based insurer Marsh India, in 2017, around 250 companies have bought cyber insurance policy, which is 50 per cent more than the number in 2016. Says Kapil Mehta, co-founder of Delhi-based insurance broking company SecureNow: “The size of the market is currently over Rs 200 crore and is expected to double in the next two years. This shows that companies and businesses are becoming sensitive to the fact that there is a growing need for cyber liability insurance in India considering the ineffective dealing with cyber crimes.”
The evolving threat
The biggest challenge for the insurers is the ever-changing formats of attacks, a company has to be on top of things to access its risks. Of late, small- and medium-sized businesses are assessing themselves. The emerging mid-sized companies have clearly understood the importance of digital risk assessment, which has pushed them towards cloud infrastructure, which guarantees data protection at the outset. Says Saket Modi, CEO of Lucideus, a Delhi-based company that helps companies in assessing their cyber health, “According to me, the biggest beneficiaries of digital SAAS and cloud platforms are currently these businesses. Considering the flexibility in the pricing and the ease with which companies can opt in and out, cloud SAAS providers have been able to attract them in a big way. These companies understand the power of the cloud technology through which they are able to access global level software and digital services at a throwaway price or pay per usage model. Thus, they understand that if the assessments don’t happen for these digital services that they are subscribing to, it will have a huge impact. Therefore, an assessment or a monitoring service of where they stand in terms of the risk at a daily level becomes extremely important, as they expand their respective digital footprint,” says Modi.
It is no longer a laptop in the back office that is not working; it is the entire business that might be affected in the face of an attack, for which organisations are beginning to find solutions. Says Shankar Narang, COO at Paras Healthcare: “We are quite aware of the impact that cyber attacks have on data security. We do possess very high standards of data security that go beyond ordinary firewalls and encryption. We also have minimal data sharing with third parties and cloud systems. We continue to remain committed to ensuring best practices in healthcare and healthcare information systems and monitor and adapt to changing threats according to the best measures of risk assessment. We hope that the authorities acknowledge the need for cyber insurance regulation in a manner that is fair and transparent to all stakeholders.”
Companies in banking, financial services and insurance sectors and telecom, e-commerce, tech start-ups and healthcare industry are now inclined towards insuring themselves due to third-party data availability. The security service providers sense an opportunity in the field. Deep Agarwal, the regional sales director of Zebra Technologies, says: “Companies in India are turning to digital technology and analytics to bring heightened automation, merchandise visibility and business intelligence. With this digital economy, we are also becoming vulnerable to the attacks of the hacktivists. Thus, it is important for enterprises to incorporate cyber policy to protect data. With all cybersecurity solutions, cyber insurance policies ensure us from the cost of data breach, litigations or regulatory scrutiny.”
Cyber insurance for SMEs
According to the report titled “The Role of Cyber Insurance in Risk Management” by Marsh, as many as 60 per cent of cyber attacks target small and mid-sized businesses. The loss incurred by an attack can be critical for a small business to overcome it. In this scenario, cyber insurance can be resilient for this sector, as it can rely on a better response plan provided by insurers and cybersecurity vendors. While policies help recover the losses of SMEs, it should be kept in mind that all insurance policies have exclusions, understanding of which is pivotal in choosing the correct insurance plan. A small- to mid-level business must ask itself a few questions to arrive at the right cyber insurance covers on the extent of coverage and the exemptions to the policy. The companies must also explore whether the insurer has paid any claims and if it does have specific policies for the industry that the business operates in.
The next step is to look at the distribution of attack techniques. They could be malware, phishing, password stealing, DDoS, drive by downloads, rogue software, malvertising, etc. The busineeses should then assess their exposure to these threats. “The best way to do that is to work with an insurance intermediary, like a broker who would have the experience and expertise to ensure that your complete risk profile gets covered,” says Mehta of SecureNow. He cautions business owners about making full disclosures on the proposal to get the maximum out of the insurance cover. “Do not misrepresent or omit any information which may be relevant. Questions regarding your data retention, internet security protocol, privacy policy, penetrations tests and audits need to be filled in after consultation with experts,” he adds.
What does the policy pay for? This is the next question a company needs to consider. There are various clauses in the policy which are triggered by different causes. For example, a privacy breach clause is triggered when there is an unauthorised access of data stored in the system. The company needs to know exactly for what the insurer will pay for – there are defence costs, response costs, consultant costs, etc. “Before you buy a cyber insurance, understand the exclusions to the policy. Sensitive data that is printed on paper, unencrypted data, loss of an electronic device, liability for data entrusted to a third-party vendor if their system is hacked, claims brought by the government are some common exclusions which one needs to be aware of,” says Mehta.
How to lower premium
Small businesses are also advised to find out their cyber health rating which will help in buying a suitable policy. Says Modi: “Similar to an individual who needs a health assessment before a health insurance, any organisation will need a cyber assessment from a vendor who is empanelled with the cyber insurance company. This assessment would help the organisation quantify or visualise the cyber risk they are sitting on, based on which the insurance company would underwrite the premium.”
There is a set industry standard for cyber assessments. For instance, SAFE score is used by cyber liability insurance companies like New India Assurance for assessments. The higher the SAFE score the lower the probability of the organisation being attacked and, hence, lower the premium. Based on the SAFE score of the organisation, the premiums can be reduced by 75 to 80 per cent. For example, if the premium of $1 million of coverage is $10,000, the premium of the organisation could reduce by 80 per cent if its SAFE score is between 4 and 5.
According to a media report, Watchdog, an internet security solution provider, is said to be of the opinion that companies that are covered with cyber insurance are now more targeted by cybercriminals. If we look at numbers, in the United States 46 of the 50 states have mandatory requirements for data breach notification. Cyber insurance penetration is among the highest there, yet the number of cases reported are equally high. “Businesses in the US are more prone to risk, because of the sheer volume and the sensitivity of the data. In today’s world, no one is invincible to cyber attacks, and it is a matter of when a business will face one. With the increasing penetration of cyber insurance, these numbers might be misleading. As more and more entities get covered, the attacks on businesses already covered by cyber insurance will also increase,” says Mehta.
Watch out for GDPR
The European Union’s General Data Protection Regulation (GDPR), which went into effect from 25 May, can become a problem for businesses, particularly SMEs. It places significant new obligations on companies doing business in the European Union or with European citizens. Under this ruling, businesses will be fined with penalties if they fail to secure their data. Businesses could be fined up to €20 million or four per cent of annual global turnover. On the other hand, the GDPR will help insurance companies expand in markets that are increasingly doing more business with Europe.
Companies in India are not required by law to disclose data security breaches, so hacks go unreported, leading to a lack of sufficient data to enable precise underwriting. The exposure of a company also changes with time as the company grows and as they evolve operationally. This is not accounted for when buying the policy, hence a few years down the line and the coverage they eventually have is often not sufficient against the risks that they now face. Thus, it is important both for the insurer and the organisation seeking insurance to understand the risks that are being addressed. But, unfortunately, organisations still think of themselves as being immune to these risks and this mindset is the biggest challenge for the insurance industry.