Cyber Risks are Mushrooming: Seize the Opportunity to Insurise the Economy
Digital technologies are now the backbone of economic activities. With the advent of the Covid-19 pandemic, digital means have taken on an even more critical role across activities. More than 50% of the world’s population is online and two-thirds of the global population own a mobile device. This is bringing on cyber risks, attacks and crimes, which are proving to be great hazards and threats affecting not only companies, but also critical infrastructure such as power, transportation and medical care, all the way down to individuals. It is reported that cybercrime organisations are getting together and cybercrime is being offered as a service. Added to this, the Internet of Things (IoT) multiplies the cyberattack potential many times over. Companies and countries now operate in a complex, global and digital economic ecosystem that exposes them not only to their own cyber and technological weaknesses, but also to those of others such as customers, suppliers, service providers and any other entity in the connected system.
As a result, cyber-attacks and losses arising from cyber-related incidents now rank as the top peril for companies globally, as highlighted by the Allianz Risk Barometer 2020. The report states that seven years ago cyber risk ranked only 15th. Businesses now need to fear cyber risks which can come as if from nowhere. Not only are industrial and manufacturing firms attacked, but consultants, architects, research and innovation firms etc. are now equally at risk. Apparently, even some countries are getting involved in promoting cyber-attacks. All this makes it impossible for organisations to build a fortress against attacks, and so the emphasis is shifting to risk mitigation, loss prevention and the ability to detect and contain intruders.
In this scenario, insurance emerges as a compelling need for a series of valued assurances. For instance, Boards of companies look to insurance for an assessment of the risks they face and see the grant of insurance cover as a validation of the robustness of their cyber risk management. The service of insurers and brokers performing this cyber-related evaluation is seen to satisfy the various publics that companies need to answer to. When insurers provide such a service all round, business, society and the country benefit in this all-pervading digital era.
The recognition given to such a service in a way makes the insurance industry a de facto regulator, as insurers set the bar for the standards necessary to qualify for cyber coverage. Insureds will need to demonstrate that they have met certain cyber loss-proofing benchmarks in order to obtain coverage and indemnification and, increasingly, these requirements will extend down the value chain of the companies. This is not a new role for the insurance industry, because insurers have in the past driven greater safety standards in the property insurance market across centuries, and in other portfolios as well.
The Value of Cyber Insurance
A cyber insurance policy can offer many benefits. First, cyber insurance can reimburse the costs that a company pays to respond to a cyber incident. These expenses may come in the form of complying with requirements to notify and protect affected individuals in the wake of a data breach; paying the expense to recreate corrupted or destroyed data; or even paying the demand of a blackmailer. Second, cyber insurance covers the fees and damages that a company may pay in response to litigation resulting from a cyber incident. Third, cyber insurance reimburses revenues lost or expenses incurred due to a disruption related to a cyber incident. Even more, cyber covers are now getting more responsive and can go beyond mere reimbursement for financial loss.
Governments are seen placing value on cyber insurance just as the boards and shareholders of companies do. In the US, the SEC (Securities and Exchange Commission) wants companies to explain potential cyber risks to their stakeholders. Such an action is propelling cyber insurance as a means of showing that there is proper due diligence. It is well accepted that insurers can help companies not only in coverage but also in the broader risk management sense so as to send signals to their stakeholders that insurers are the best neutral arbiters for optimal cyber security practices. The US Government, seeing this, has considered seeking insurer participation in creating a cyber security practices framework.
The very fact of seeking to insure forces a company to do an assessment of its cyber practices. The underwriting process scrutinizes and evaluates a company’s technical defences, incident response plan, procedures for patching software, policies for limiting access to data and systems, monitoring of the vendor network and more. Applying for and getting cyber insurance is therefore an important risk mitigation tool. Based on the information and documentation provided, insurers can assess the prospect’s security practices and provide coverage based on their assessment. The cyber insurance rate charged offers an important incentive that can bring behavioural change among the people in organisations.
More helpfully, cyber insurance can support an organization’s incident response plans. In case of a data breach, most cyber insurance policies provide the services needed to respond to breaches, including forensics to determine what customer records have been compromised, legal analysis of the insured’s responsibilities, notification to affected individuals, and credit monitoring and restoration to protect its customers. A well-executed response plan will actually reduce the overall cost of a data breach and avoid many of the problems that may later surface, resulting in litigation or regulatory scrutiny. These services can be especially valuable for small and medium-sized companies that will require a cyber incident response plan, but lack the resources to implement one on their own.
Future of Cyber Insurance
There is a growing realisation that many traditional classes of insurance are exposed to cyber risk. This includes directors and officers (D&O) liability, environmental liability, healthcare, motor and property insurance, among others. When traditional insurance products extend cover to cyber related losses, they may, however, be limited in scope. A number of claims in the U.S. have demonstrated how cyber liability has the potential to cross over into D&O, for instance, as a result of action brought by shareholders against company directors after a data breach. The explosion of the IoT will likely speed the crossover of cyber into other classes of business.
Cyber insurance may become an add-on to traditional insurances. However, it is more likely that stand-alone cyber insurance will further evolve as a comprehensive cyber liability cover, encompassing also property damage, bodily injury and other losses that may arise from a cyber incident. This is because the threat environment is dynamic, and it is not easy to manage within the traditional static risk coverage allowed by the older policy framework. Only cyber policies can offer the ability for companies to anticipate attacks, respond with agility, and maintain core operations.
Cyber-risk management is now an enterprise concern and not merely a technology issue. This needs boards of companies to adopt a cyber enterprise risk management strategy. There are many stakeholders involved in building cyber resilience: the senior management, all employees, suppliers and customers, as also others in the cyber loop. All of them should have the ability to respond to a dynamic threat and avoid cross problems. Cybersecurity laws, regulations and policies are now coming together, though there appears to be no commonly accepted framework that a company can use across industry, and national and regional environments. Compliance and watchfulness will be built into the warranties and conditions of cyber policies.
What is now seen as a vital necessity is cybersecurity culture and awareness. Mere technology solutions cannot eliminate cyber risk. It is said that more than 90% of successful cyber attacks are launched via phishing campaigns. Accordingly, creating a cyber-aware culture and providing training for employees are critical elements of cyber resilience. Many cyber breaches are traced back to human error. Accordingly, organizations must focus on their people and processes for addressing cyber risk.
Insurers, for their part, are justifiably interested in the risk-management techniques applied by the prospect to protect its network and its assets. The more an insurer knows about a business’s operations, structures, risks, history of cyber-attacks, and security culture, the better it will be able to design a product that meets the client’s need. Cybersecurity risk remains difficult for insurance underwriters to quantify, in large part due to a lack of actuarial data. This brings in dangers such as pricing the cover too low, wherein insurers face an insolvency risk and reinsurers may deny support. If rates are too high, insureds cannot afford the cover. Due to lack of data, cyber policies in general are more customized than standardised, trying to factor in the type of business operation seeking coverage, the size and scope of operations, the number of customers, their presence on the web, the type of data collected, how the data is stored, etc.
There is a need for a common vocabulary for cyber risk management. The absence of common cybersecurity standards, best practices, and metrics is a further hurdle to a more robust insurance market. In addition, there is considerable ignorance about critical infrastructure dependencies and interdependencies. Insurers are also not clear how a cyber-related critical infrastructure failure in one sector can cascade across multiple other sectors. A problem for insurers is that only a few companies include cyber risk as part of their traditional enterprise risk management. Many others tend to treat cyber risk as an IT problem, separate and apart from the other business risks they face.
Cyber Insurance in India
In India, cyber insurance appears to be marginal. This is a gross injustice to the digital economy that is shaping up. Given the compulsory nature of digital in the economy and in the lives of people, there is a need to mainstream cyber insurance through an accelerated mode. Insurers need to give it its necessary high profile as a critical need in the digital world. For this, insurers may ally with all concerned to raise the barriers against cyber risks in the best manner possible. A cyber protection insurance strategy needs to be adopted with inputs from the government, business bodies and technology specialists, that may be led by the IRDAI, the General Insurance Council, IBAI and the insurers themselves. It will raise the visible role of the industry in the economy and great goodwill will accrue to it, if proactive standards are created for needed security and protection for the digital world. This will be a decisive step for insurers to lead the risk economy in the 21st century.