Insurance Article, The Insurance Times 2021, The Insurance Times January 2021

CYBER ATTACKS HAVE INCREASED MANIFOLD: SITUATION TURNED ALARMING

Pandemic-enforced mindset has changed the insurance landscape. Enforced lockdowns or restricted movements in India have pushed consumers to begin looking digitally for insurance solutions that may not have been there prior to COVID-19. Increased digital penetration, faster download speeds and smarter ‘phones are changing the insurance purchasing landscape in these three countries.

These digital platforms include e-commerce apps/websites, payment/digital wallet apps, health-tracking apps and connected commuter platforms. Amid the pandemic, there have been rising incidences of cyber attacks and a growing number of high-profile data breaches.

It is felt that cyber security is the most important need for all sectors today to address the numerous risks posed by cyber-attacks. Cyber criminals are exploiting this opportunity to hack into organizations, exfiltrate data, cause network disruption etc.

Over 8 billion data records were compromised in Q1 of 2020 and such incidents have only paved way for cyber insurance amongst organizations looking to minimize the loss due to cyber incidents and data breaches. Over the last few months, the pandemic has significantly changed the cyber security threat landscape.

Amid the pandemic, there are rising incidences of cyber attacks and a growing number of high-profile data breaches. It is felt that cyber security is the most important need for all sectors today to address the numerous risks posed by cyber-attacks.

The Insurance Regulatory and Development Authority of India (IRDAI) has set up a panel to explore possibility of a basic standard product structure to provide insurance cover for individuals and establishments to manage their cyber risks. The general liability policies do not cover cyber risks, and cyber insurance policies currently available are highly customized for clients in a new and quickly growing market.

Cyber security insurance safeguards online users from damage and loss which might arise due to unauthorized disclosure of personal and financial data. Apart from financial cover, it will also give you the umbrella to keep away from psychological stress which might arise otherwise due to hacking of sensitive date. “In Europe, they have a new cyber law which is called General Data Protection Regulation, implemented in May 2018. As per the Data Security Act, they are mandated to report every cybercrime case. We have an IT Act, but it is not stringent as GDPR.”

 

CYBER INSURANCE AT A NASCENT STAGE:

Cyber insurance is as dynamic as the companies it protects and is consequently far from standardized. The cyber insurance market has grown rapidly in recent years. Despite this, low premium prices and high risks are combining to stifle further growth, and leaving many firms underinsured against this growing threat.

Even as the cyber security threat looms large in India, cyber insurance covers have not picked up in a big way. While the non-life insurance industry received premiums of Rs 1.89 lakh crore in the last financial year, the share of cyber insurance was a paltry Rs 200-220 crore.

The issue that needs to be looked at is email spoofing and phishing attacks. To protect investors’ against any cyber frauds or digital risks that could result in a financial or reputational loss. According to the Internet Crime Report for 2019, released by FBI’s Internet Crime Complaint Centre, India ranks third among the top 20 countries that are victims of cybercrimes. Unsurprisingly, cyber insurance emerged onto the insurance scene recently as a result of the fact that other traditional business insurance policies were simply not created to cover the types of risks most commonly associated with cyber insurance. This is the Cyber Insurance Ecosystem:

ICICI Lombard General Insurance recently launched a retail cyber liability policy. According to ICICI Lombard General Insurance, hackers based in China attempted over 40,300 cyber attacks on India in the third week of June, mostly Covid-19 based scams.

Attacks were aimed at causing issues such as denial of service, hijacking of internet protocol and phishing. There has been pick-up in the corporate cyber policy in the past five-six years, but individual policy is still at a nascent stage in India. Corporates are facing challenges on multiple fronts.

Say for example, any social media company or a financial institution or a hospital has huge volume of personal data and if fraudsters get hold of that data, it can be disastrous for those companies. Hackers can hack the data and leak in public, which will mean loss of face for those companies. This is where Cyber Insurance can serve as a risk management and mitigation strategy, having a corollary benefit of improving the adoption of preventive measures (products, services and best practices).

Typically, cyber covers are in the range of Rs 40 crore to Rs 200 crore depending on the sector, and premiums are in the range of 1-4% of sum insured. An individual can buy cyber cover anywhere in the range of Rs 5 lakh to Rs 20 lakh. Cyber Insurance products are designed to mitigate risk exposure by offsetting costs, after a cyber-attack/breach.

STANDARD CYBER LIABILITY INSURANCE COVER:

The General Liability policies do not cover cyber risks and cyber insurance policies currently available are highly customized for clients in a new and quickly growing market. Hence, it is felt that a basic standard product structure is required to provide insurance cover for individuals and establishments to manage their cyber risks. As a step towards such a product, a Working Group has been constituted by the regulator.

After conceptualizing Standard Health and Life insurance covers, the IRDAI is keen on evolving a basic Standard Cyber Liability Insurance product. Working Group has to explore possibility of developing standard coverages, exclusions and optional extensions for various categories.

The Group has to study various statutory provisions on information and cyber security; evaluate critical issues involving legal aspects of transactions in cyber space; and to examine various types of incidents involving cyber security in recent past and possible insurance coverage strategies for them. The working group examining the cyber liability insurance covers available in the country and abroad. Many cyber attacks are not publicly known as it is not mandatory in India to report such crimes, and sometimes companies too refrain from it fearing dent in image and reputation.

Cyber security insurance is the new age policy which tries to safeguard online users from online criminal acts. Net banking, social networking and online shopping are some of the daily activities performed by Indian users over the internet.

Individual Cyber Insurance policies were written with the expansion of the internet of things in mind, and coverage extends to most items on your home network that are owned or leased and operated by you or a member of your family. Such attacks can happen to anyone, so buying a cyber insurance is a smart option. First-party coverages apply to losses sustained by you directly.

An example is the damages caused to your electronic data files by a hacker. Third-party coverages apply to claims against your firm by people who have been injured as a result of your actions or failure to act.

CYBER ATTACK:

The word cyber-attack refers to data breaches at a retailer or some big organizations, but did you know that you could personally bear the brunt of a cyber attack too? From a surprise virus to a deliberate rental scam, to deeply hurtful cyber-bullying, the threats you and your family face in the connected world are real and not to be ignored.

If electronic data stored on your firm’s computer system is lost, stolen, or compromised, the cost of restoring it can be significant. A data breach can damage more than just your computer system; it also can damage your reputation and put you and your family at risk. That’s why cyber insurance can be a smart precaution to avoid such threats.

A cyber-attack is likely what you first thought of as being protected by Individual Cyber Insurance. If a computing device (desktop, laptop, tablet, etc.) or connected home device (smart phone, thermostat, security system) owned/leased and operated by you is attacked by a virus, this portion of the policy will help you recover.

The ways that we are connected to the internet are rapidly increasing, and all of them provide opportunities for a cyber-attack to hit your home. External attacks on companies result in the most expensive cyber insurance losses, but it is employee mistakes and technical problems that are the most frequent generator of claims by number. If a cyber-attack results in people being unable to access their home or needing to replace an electronic device, the coverage will ensure they’re reimbursed for the costs associated with coping up with the unfortunate event.

 

 

 

GLOBAL CYBER INSURANCE HUB:

The cyber insurance has been identified as one of the next significant markets of growth for London, the capital city of UK. A recent report from the City of London Corporation in association with Accenture highlighted London’s globally unique position as both a hub for commercial insurance as well as the centre of a thriving and comprehensive ecosystem of cyber security service providers.

“No other city has London’s concentration of (re)insurers and brokers, co-located with some of the world’s leading cyber security service providers spanning across InsurTech start-ups, large cyber technology vendors and specialist cyber law practice. London is said to be well-placed to meet the growing demand for cyber insurance and remain the pre-eminent global hub.

The city is expected to serve globally as a hub for writing cyber insurance and offering associated protection services as well as play a pivotal role in the cyber protection of UK post pandemic landscape. Cyber Insurance global market is expected to grow at a CAGR of 27% from 4.2 Bn to 22.8 Bn from 2017 to 2024. In India, it’s at a nascent stage with 350 policies sold till 2018 but with a high adoption rate of 40% Y-o-Y growth from 2017 to 2018. IT/ITES and Banking & Financial Services are early adopters with newer demands from manufacturing, pharma, retail, hospitality, R&D and IP-based organizations.

The pandemic has driven a marked acceleration in businesses adopting digital and cloud technologies. In the global re/insurance industry, it’s no secret that the cyber insurance market has run into some structural issues. The entire pricing exercise – although sophisticated and effective in getting the market as far as it has come – hasn’t been tested by a major loss event. And the lack of cyber insurance penetration would blunt the effectiveness of such a scenario. The yearly economic cost of Cyber crime already exceeded$700bil., but cyber insurance premiums are about $5billion.

AT A DISASTEROUS STAGE:

Cyber insurance may still be in its infancy, but over the past few years, we have seen rapid growth followed by what we all hope to be a temporary plateau. Insurers are issuing more policies. The amounts of protection are increasing. In fact, our community has finally seen the first cyber insurance programme to exceed $1 billion.

Meanwhile, the breadth of coverage continues to expand. Cyber insurance is maturing and businesses are adapting to the new and emerging cyber security threat. Losses from incidents such as distributed denial of service (DDoS) attacks or phishing and ransomware campaigns account for a significant majority of the value of cyber claims today, unfortunately, cyber attacks have become more frequent and severe.

We’ve seen ransomware perpetrators become emboldened, with ransoms swelling from five- and six-figure price tags to a reported $10 million earlier this year. Hiscox Re reports insured cyber losses of $1.8 billion in 2019, up by 50% year over year. Aggregate losses of that amount against estimated premiums of more than $5 billion is certainly not cause for alarm, even with the 50% growth in claims. Caution, perhaps.

Despite the rapid growth, original insureds often don’t have enough cyber insurance – if any at all. The “big guys” – insured firms with protection of at least $200 million – account for about 20% of what is believed to be $5.5 billion in global cyber insurance premium, according to internal research conducted by PCS Global Cyber.

HOW TO PREVENT CYBER-ATTACKS?

Today, hacking is a full-time job and an organized crime in the cyber world. Cybercrime is not something that can be prevented but with the advent of cyber insurance, it acts as a helping hand to people in need by giving them the best line of defense if their information is compromised. Here are some precautions to follow to avoid cyber threats:

  • Lock down your login details online, especially for social media networks and email, by using two-step authentication.
  • Regularly change your passwords (every 2-3 months) and use a password manager to securely save this information. A strong password is at least 12 characters long.
  • Never save credit card information online.
  • Use safe payment options when making purchases online. Credit cards are generally the safest option because they allow buyers to seek a credit from the issuer if the product isn’t delivered or isn’t what was ordered.
  • Upgrade your computer and devices with the latest updates and operating systems.
  • Backup your digital information, such as photos, music, financial and health records, and personal contacts, by making copies of your data.

We live in a digital world where information is created and transmitted at hyper speed, thus, making it crucial to safeguard ourselves against the risk that digitization brings with it i.e. cyber threats. There has been an increase in the usage of internet on personal computers and digital devices in the recent past and that has seen an uptick in the lockdown.

Post the lockdown, as more and more individuals are using digital means to process payments, this has led to increased cyber threat exposure, especially to new users, the elderly or less tech-savvy. While opting for a cyber-insurance cover, individuals need to match the policy coverage with their needs and select the sum insured according to their exposure.

Many insurance companies in India offer cyber security insurance at a reasonable premium. The sum insured can range from Rs 1 lakh to Rs 1 crore. The number of cyber insurance claims has steadily risen over the last few years. Business interruption is the main cost driver behind cyber losses, accounting for around 60% of the value of all claims analyzed, followed by costs involved with dealing with data breaches.

 

During 2020 Google said it has had to block over 11,000 government-sponsored potential cyber-attacks per quarter. Recent years have seen critical infrastructure, such as ports and terminals and oil and gas installations hit by cyber-attacks and ransomware campaigns.

In India, very few law firms have virtual private networks (VPN) and cloud solutions so that basic security is taken care of even in a WFH environment. The draft of National Cyber Security Strategy 2020, that envisages creating a secure cyberspace in India provides for a watertight mechanism to ensure the protection of one’s data.

The rights provided under the Bill are on par with the rights provided under the GDPR. Apart from dealing with rights concerning one’s data such as the right of access, right of erasure, right of correction, right of data operability etc., it also has specific provisions on the transfer of data, including data localization requirements and restrictions on cross-border transfer of data thereby ensuring a holistic protection of one’s personal data and information.

Hence, we hope that the Bill will strike a balance between data privacy and fostering digital innovation simultaneously. As India gears up to become a digital economy, with its thriving ICT and ecommerce sectors, coupled with the rise in remote working and people spending more time online, data breaches and security threats have increased manifold.

At present, India does not have a comprehensive data protection framework when compared to other countries. The IT Act and the SPDI Rules only offer minimal protection with respect to personal data and sensitive personal information. All of this makes it critical to implement an overarching data protection framework that adequately deals with data privacy and security.

Businesses that bear sensitive customer information, finance, banking, health care service providers, IT services etc must take a dedicated cyber insurance policy. Businesses, regardless of its service or service, chiefly depend on IT infrastructure to perform their day to day operations and businesses. Any event of compromise with IT security can bring about enormous data and business loss, expensive lawsuit etc. As a result, to safeguard business functioning and its operations, enterprises must decide on a comprehensive cyber risk insurance policy.

******************

Leave a Reply

Your email address will not be published.