Cyber Insurance: Assessing the Need
Demand for Insurance Grows as Breaches Multiply
Demand for cyber insurance is slowly building in India as more data breaches worldwide grab headlines. Organizations must carefully assess their risk exposure when making the decision about whether to invest in a policy.
The number of policies sold in the nation in 2018 totalled 350, up 40 percent from the previous year, according to a new report, "Cyber Insurance in India - Mitigating Risks amid Changing Regulations and Uncertainties," from the Data Security Council of India.
"Cyber risk, data breaches and consequent financial liabilities loom large on the rapidly evolving digitization momentum of every sector and business," says Rama Vedashree, DSCI's CEO. "Cyber insurance is a key tool in the risk management and cost-offsetting arsenal [along with] scaling up prevention and protection measures."
Breach Incidents Fuel Demand
Bhishma Maheshwari, executive vice president and cyber leader at Marsh India Insurance Brokers Pvt. Ltd., says: "Prominent data breaches in the USA ... demonstrate the need for coverage against loss due to breaches. Indian firms with global exposure also are opting for cyber insurance."
A "Risk Barometer 2019" study from Allianz, an insurance firm, endorses the view that cyber risk is a growing concern for Indian businesses as a result of major data breaches and privacy scandals, IT outages and the introduction of tighter data protection rules in the European Union and elsewhere.
Early adopters of cyber insurance in India include IT companies and those offering IT-enabled services, as well as those in the banking and financial services sectors. But demand is beginning to grow in manufacturing, pharmaceuticals, retail and hospitality, according to the DSCI report.
Indian units of companies in the IT and IT-enabled services sector are turning to cyber insurance because they have a contractual obligation to protect customer data, Maheshwari says. And they often obtain insurance via their parent companies based in the U.S. or Canada.
But Sethu S. Raman, senior vice president and chief risk officer at Mphasis, which has purchased cyber insurance coverage, says that most of the critical data that's vulnerable to attacks resides within the systems of IT outsourcers' customers, which is why those firms need policies as well.
Assessing Risk is Crucial
Some security experts say cyber insurance policies should be customized for sector-specific needs.
"All organizations must take a 360-degree approach to their preparedness, including cyber risk management," says Rajesh Pant, coordinator, national cybersecurity, in the Prime Minister's Office. "Financial services continue to be a prime target for breaches, and businesses could face enhanced cyber liabilities. The insurance industry must offer comprehensive risk coverage policies tailor-made for the risk assessment of a sector and the business."
Cyber insurance is a critical need for those companies that handle huge amounts of customer data, especially those that store credit card information, Raman says.
Over 40 Indian banks, including State Bank of India, have cyber insurance policies, Maheshwari says.
Cyber insurance covers breach response costs, such as mitigation services, notification, forensic services, public relations, crisis management and any customer loss which can be quantified, as well as third-party risk exposure and other specialty services, such as hiring an auditor.
Premiums for cyber insurance are determined, in part, by the organization's risk exposure level, Raman explains.
When deciding whether to buy insurance, Raman says, organizations should consider regulatory compliance issues, the risks posed by business interruption stemming from a breach and the potential cost of damage to reputation and customer relationships after a security incident.
K. Suresh, senior vice president-IT at Tata AIG, an insurance firm, says some Indian organizations fail to recognize the potential cost of a breach, so they don't immediately understand the value of cyber insurance.
While cyber risk insurance can help companies minimize losses, they still need to adopt an effective cybersecurity strategy, Maheshwari emphasizes. In fact, insurance providers will carefully evaluate the strength of a company's cybersecurity position before issuing a policy.
Indian enterprises should form a risk committee, with the CISO playing a key role in the decision about whether to acquire cyber insurance, Suresh says.
Too often, Maheshwari says, insurance decisions are made solely by a risk officer without input from the CISO.
If India enacts a data breach notification law, more organizations may choose to buy cyber insurance. That's because more breaches likely would be made public and more companies might face substantial breach resolution expenses, which insurance could help cover.
Some say adoption of a national data breach notification law would help fuel demand for cyber insurance. This is because the notification requirement would lead firms to have good processes to assess their risks and take preventive measures, as well as consider insurance coverage to cover breach-related costs, Suresh says.