CybersecAsia finds out why the high rate of cybercrime in the country has not prompted businesses to pool their risks.

In a vast geography like India, most cyberattacks go unreported owing to perceived loss of reputation and other factors.

Many companies have coughed up millions to retrieve the stolen data. In one major ransomware attack last year on an Indian sweetmeat manufacturer Haldiram’s, the attackers demanded an astronomical US$7,50,000.

All said and done, cyber threats are almost a daily occurrence in the country. Yet, the insurance industry has not gained much interest in pooling cyber risks. In FY 2019/2020, the non-life insurance industry received premiums of Rs 1.89 lakh crore, while the share of cyber insurance was a paltry Rs 200-220 crore.

Even as corporate cyber policies are being increasingly preferred in the recent times, individual policies are yet to find more takers in India.

Mitigating online risks

With cyber insurance remaining a relatively new and nascent concept in the country, CybersecAsia caught hold of a senior executive of Tata AIG General Insurance, Najm Bilgrami, to find out the background story.

Najm Bilgrami, Senior Executive, Tata AIG General Insurance

Bilgrami, who is the Deputy Vice-President & Head of Financial Lines, noted: “Cyber insurance is a risk management tool designed to protect a company against financial impact caused by cybercrime events such as network security breaches, data breaches, cyber extortion, malware infections or any other network and data incidents. It is a specialty insurance that protects businesses from Internet-based risks.”

Any business that uses a computer connected to a network or one that stores data electronically will benefit from cyber insurance, added Bilgrami. “Cyber insurance caters to start-ups, small- to medium-sized firms, large companies and multinationals. It secures manufacturing and services industry, including health, travel, leisure and hospitality, education, IT & ITES, banking and financial services, and retail, to name a few.”

Considering that cyber threats are constantly on the rise across the globe, what kinds of online risks are being covered by insurance players? Bilgrami said that good quality cyber insurance provides coverage for both first-party losses—which the policyholder suffers directly—as well as liability from third-party claims. In case of the latter, policyholders face losses from subjects whose personal or corporate data have been compromised.

First party coverage, according to Bilgrami, includes costs incurred by policyholders in responding to a cyber breach, for example, forensic costs; costs of PR support to protect one’s reputation; data recovery and restoration costs; etc. “Also included within first party coverage are business interruption loss and loss of funds, due to ransomware, etc. Third party coverage is to pay for defense costs and damages, arising from claims made by customers, vendors or those affected by a cybersecurity incident,” Bilgrami explained.

Cyber insurance challenges

Bilgrami explained that the cyber insurance sector is beset by many challenges. “One challenge is low awareness about cyber risk and cyber insurance. Very often, businesses come to know about insurance solutions only after they have suffered a cyberattack.”

Another challenge is that cyber risks are evolving and growing every day. To cover such a dynamic exposure is a challenge that the insurance industry has to rise up to. In a recent event, a reputed chain of hotels with a strong cybersecurity system decided to expand its business operations by acquiring another hotel chain. After the acquisition, the hotel chain was hit by a ransomware attack due to legacy malware that got transferred from the acquired hotel chain.

“Such incidents show how difficult it is to conduct analyses and underwrite the rapid change in cyber risk,” Bilgrami noted.

Insuring pandemic-driven cyber risks

Another challenge is the impact of remote-working on corporate cybersecurity. “With offices closed and people working remotely, networks are even more vulnerable. WFH is almost inevitably accompanied by relaxed cybersecurity, data privacy policies and procedures,” Bilgrami, noted, adding that, without the security that an office perimeter affords, remote workers are far more vulnerable to cyberattacks.

Finally, mis-selling and fraudulent claims are common in the insurance industry. The term ‘mis-selling’ means selling a product by giving a wrong picture of a product. It may include giving wrong information, unrealistic data, and not providing full details about the product. Although not unique to insurance, mis-selling is an unfortunate aspect that can and should be eradicated.

“As an insurer, we are raising awareness about cyber insurance policies through seminars, workshops with industry associations, and training for agents and intermediaries. By asking questions and checking with different intermediaries, customers, too, ensure that they are not given any wrong impression about cyber insurance,” Bilgrami concluded.