Cyber Risk Insurance – Are You Covered? Do You Need It?

India’s digitization drive is gaining strong momentum and is now spreading to SMEs as well. The volume of digital data generated, stored across devices, and transmitted every second is unfathomable. eCommerce and UPI are driving huge growth in the amount of data stored. Whether data is stored on one's on-premises server or in a private/public cloud, it is vulnerable and could pose a serious risk to one's business. The degree of vulnerability varies with the protection layers deployed against cyber threats.

Despite all these protection layers, one can still expose oneself or the organization to cyber threats.

Malware, Cryptojacking, and Ransomware – The Three Trending Cyberthreats

According to SonicWall's Cyber Threat Report 2023, malware, cryptojacking, and ransomware proved to be the significant cyber security threat trends worldwide in 2023.

SonicWall's 2023 mid-year update listed India at No. 2 among the top 10 countries for malware spread. India saw a jump in ransomware attacks, rising by 133% in the first half of 2023. India stands at No. 9 in the top 10 countries for cryptojacking.

The “India Cybersecurity Domestic Market Report 2023” by DSCI NASSCOM provides insights on all aspects of the cybersecurity industry and its importance for Indian corporates. The report is eye-opening and highlights the need for implementing security measures and exploring insurance products to mitigate the financial impact post cyberattacks or data breaches.

Cybersecurity breaches or cyberattacks can happen through various pathways, with emails or phishing being the leading pathways. These attacks can occur even after implementing cybersecurity products, often due to human or process errors.

Our associate firm www.CTObridge.com can help with the cybersecurity measures to be taken, but some residual risk still remains; this article deals with protecting against that residual risk using cyber insurance.

Companies might have cyber security infrastructure, but it may often be inadequate. So, there is a natural question: Like fire or marine insurance, is there any cyber insurance?

The answer is yes, and the insurance industry has a product called "cyber risk insurance" or "cyber insurance." Like any other insurance, there are terms and conditions to protect oneself from these risks. While damage cannot be undone, some associated costs can be mitigated. Let us understand this in greater detail.

No business is spared by the attackers, whether government, private, small, medium, or large, and the resultant negative impact and costs are very high. We found a compilation of significant cybersecurity data breaches in 2023 by The Hindu.

Cyber Insurance Adoption is on the rise in India

Deloitte, in its report “Cyber Insurance in India, Navigating Risk and Opportunities in a Digital Economy”*, estimates that the Indian cyber insurance market is currently growing at a 27–30 percent CAGR, a pace expected to continue for the next 3–5 years, driven by an increased awareness of the need for cyber insurance. The market itself is expected to reach a sizeable amount of more than US$100 million.

The Deloitte report further adds that industries heavily involved in digitization can be the prime targets of cybercriminals, such as:

  • Fintech companies
  • IT companies
  • Pharma and manufacturing
  • D2C companies
  • Those integrated with global economies due to the nature of their multi-country operations, such as supply chain, retail, critical industries, and finance

In addition to implementing cybersecurity measures, these sectors usually are early adopters of cyber insurance.

Factors influencing the need for Cyber Insurance

The Deloitte report also lists factors influencing the need for cyber insurance, some of which are listed below:

  • Awareness around increasing cyber threats and the associated business and financial loss suffered by businesses, their customers, and other associated businesses
  • Regulatory requirements from various Central/Statutory bodies such as the RBI and IRDAI suggest companies protect against cyber risks by taking cyber insurance
  • Increased data security needs due to the increasing adoption of digitalization, exposure to emerging technologies, remote working, and rapid changes in the way business is conducted post-COVID-19
  • Protection of brand reputation and managing customer sentiment

What is cyber risk?

Cyber risk is the potential harm, loss, or disruption arising from vulnerabilities in a digital environment, which includes technology, networks, and data. It can impact individuals, organizations, governments, and societies.

These are some of the commonly known cyber risks, and the list is evolving:

  • Data Leak/Breach – Unauthorised access to any personal, confidential, or privileged information, such as customer data, credit card data, etc.
  • Ransomware Attacks – The victim's computer or network is kept inaccessible until the ransom is paid
  • Malware Infection – Introduced for data theft or business disruption
  • Denial of Service (DoS) Attacks – Downtime or disruption impacting business
  • Identity Theft – Theft of personal information, which can be misused or can impact reputation
  • Phishing and Social Engineering – Deceiving individuals into sharing sensitive information

Even with cybersecurity measures in place, why do you need cyber insurance?

While periodic cyber risk assessments that test for vulnerabilities and safeguards can partly mitigate cyber risks, they may not always be foolproof.

Despite precautions, once a company becomes a victim of a cyber-attack, the losses related to data, finances, and reputation can be significant and disrupt day-to-day operations.

Protection Offered by Cyber Insurance

Cyber insurance cannot offer complete protection against the losses suffered due to a cyberattack, but it still provides considerable protection for digital assets, such as:

Proactive guidance

Post-cyberattack or data breach assistance

  • Financial protection
  • Coverage for interruption in business operations
  • Costs of restoring data and systems
  • Provide a cushion for third-party lawsuits and liabilities
  • Incident response support, such as the cost of contacting impacted customers, PR related to such an event, etc.

There are some exclusions, as is the case with any other insurance policy.

Cyber insurance may not offer protection against reputation loss, data sabotage, or customer loss due to disruption. However, it is still prudent to take cyber insurance even if it does not offer 100% protection.

Insurance companies proactively assist businesses with estimation and risk management. They guide businesses to be compliant with the regulatory requirements regarding cybersecurity.

CFOs and finance leaders need to understand and advocate the benefits of cyber insurance to top management and choose a suitable policy. This policy will act as a risk mitigation strategy and a supplement to the company's cybersecurity measures.

Types of cyber insurance coverage available in India


  • Data Breach – helps manage associated costs, forensic investigation, updates for all concerned, etc.
  • Cyber Extortion – the costs associated with ransomware payments, negotiation, and engaging cyber security professionals to handle the case
  • Cyber Liabilities – the costs associated with the settlement of liabilities arising from data breaches or cyber threats, as well as legal and other settlement costs
  • Business Interruption – recovery of any loss or costs incurred due to a cyber incident that impacts the running of business operations
  • Cyber Fraud – loss on account of any online activities impacted through phishing scams, social engineering scams, and similar cyber incidents
  • Other Liabilities (Media) – any impact due to invasion of privacy, or liabilities arising from publication of content resulting in defamation, infringement of copyright, etc.

Insurance companies may offer many more types of coverage; what is shared above is indicative and subject to change at the discretion of the insurance companies due to the evolving nature of cyber threats.

Cyber Insurance Premiums Vary

It is also important to note that the premiums for cyber insurance in India will vary based on some of the factors listed below (not an exhaustive list):

  • Size of the company
  • Nature of the Industry/Business seeking to take insurance cover
  • Level of coverage desired
  • The company's current cyber security controls and its past claim history
  • Insurers may conduct cyber risk assessments as a prerequisite
  • Insurers may also carry out underwriting evaluations to determine the premium
  • There may be exclusion clauses, and scope definitions need to be understood well before taking insurance

So, to sum up, if you foresee the potential for cyber risk in your business, it would help to contemplate taking cyber risk insurance, or at least to have a dialogue in order to make a considered decision. Equally, just as we take an annual health check-up, getting a certified security professional to run a cyber security risk assessment to identify vulnerabilities and take mitigative actions is essential.

I hope you found this newsletter helpful. Do share your feedback. Thanks.


References

* https://www2.deloitte.com/in/en/pages/financial-services/articles/cyber-insurance-gains-momentum-in-India.html

** https://www.bhartiaxa.com/be-smart/life/cybersecurity-and-insurance-in-india

*** https://www.sonicwall.com/medialibrary/en/white-paper/mid-year-2023-cyber-threat-report.pdf

**** https://www.dsci.in/files/content/knowledge-centre/2023/India%20Cybersecurity%20Domestic%20Market%202023%20Report.pdf

