Demand for Cyber Insurance Growing in India
But Some Concerns About Scope of Coverage Linger
Breaches tied to WannaCry and Petya, which affected about 48,000 computers in India, as well as other major breaches worldwide, are leading more Indian firms to purchase cyber insurance. But some companies still are concerned about the extent of coverage that's available.
About 220 companies in India have bought cyber insurance coverage so far, with gross underwritten premiums of approximately US$10 million to US$12 million, according to Marsh India, an insurance brokerage and risk management firm.
A majority of these policies were purchased in 2017, some insurance industry sources tell Information Security Media Group.
Cyber insurance products, which until recently were primarily bought by e-commerce firms and financial institutions in India, are now finding favor among manufacturing entities as well, some insurers and brokers tell ISMG. Manufacturers see the shift toward expanded use of internet of things devices to improve efficiency and productivity of operations as raising risks, leading to interest in insurance, they say. The growth of ransomware is also fueling demand (see: 'Demand rising for cyber cover in manufacturing sector').
"I have received many inquiries from large manufacturing firms who are actively working towards having cyber insurance coverage," says Tanuj Gulani, vice president, specialty lines and reinsurance, at Prudent Insurance Brokers. "The customer base is wider now, and there are definitely more inquiries for cyber insurance in order to brace themselves for a probable attack."
Why the Uptake?
Marsh India says more industries are taking up cyber insurance because they realize that data breaches are inevitable. Understandably, practitioners too are concerned about the growing cyber risks. According to the India Risk Survey 2017 done by FICCI [Federation of Indian Chambers of Commerce and Industry] in collaboration with Pinkerton, information and cyber insecurity has become the number one risk.
"Currently, we are helping a lot of telecommunications firms, payment banks and payment wallets as well as traditional manufacturing firms who are keen on procuring this [cyber insurance]," says Anup Dhingra, private equity and M&A leader at Marsh India. "For these new sets of buyers, the focus is on risk management, and they seek solutions for loss of revenue post a cyber event, cyber extortion, notification costs to notify affected customers, and expenses for hiring cyber forensics, legal and PR experts."
Still a Tough Sell?
Nevertheless, cyber insurance can still prove to be a tough sell in India.
"It's not an easy conversation with Indian CISOs and companies," says Saiprasad Jammulapati, senior vice president, head of technology and cybersecurity strategy at Yes Bank. "The policies are crafted and designed five years in the past. There is a lag between what the policy covers and the real issues plaguing the industry."
Also, a lot of Indian buyers are seeking coverage for losses stemming from phishing attacks and impersonation, as well as a wider gamut of white collar fraud issues, and those typically are covered in separate commercial crime policies, Dhingra of Marsh says. "Only a few insurers in India are amenable to combine these two coverages to create a custom offering, as insurer product offerings have to be registered with the IRDAI and cannot be customized easily and immediately for each unique customer requirement," he says.
Some observers say there's still a huge gap between companies' expectations for what a cyber insurance policy should cover and what an insurer will actually offer.
Gulani gives an example. "Suppose company A plans to bid for a tender and the details of it are hacked by a rival firm B. This results in company A losing the tender. Now, company A expects cyber insurance to cover the tender amount, which can't happen," he explains.
"A few refusals from our end and their enthusiasm on cyber insurance takes a beating," he adds. "Getting a big company to understand the scope of the coverage is the biggest challenge I face. Cyber insurance will not cover everything."
The CISO's Role
Dhingra says that, contrary to popular perception, CISOs are generally not the first ones to show interest in cyber insurance. "As a broker, we first reach out to the insurance purchase group of a firm and introduce the product. In most cases this group rolls up to a CFO," he says.
"Post this, a meeting is usually fixed up with the CEO and CFO. It's only later that a CISO and technology teams get involved, depending on the managerial structure of a company."
Surprisingly, the CISO often is the toughest to convince that cyber insurance is a good investment, Dhingra contends.
He explains with an analogy: "Just like we don't want to hear anything negative about our child, CISOs do not want to hear about probable cyberattacks in their company. Many times ... when we are having a conversation with CISOs, they may get defensive and start saying, 'We have the best security in place, best firewalls or offensive and defensive strategies.' However, the presence of CFOs and CEOs helps us run the conversation."
Gulani notes that for CISOs, the decision usually comes down to a choice between buying insurance or new technologies. "Technically they are complementary to one another and not one vs. the other," he stresses. "Though the situation is improving, most CISOs are still difficult to convince."
But a CISO of a private bank, who asked not to be named, offers a different perspective: "I don't necessarily agree that CISOs aren't enthusiastic enough to take up cyber insurance. My company has one and it had my whole-hearted support. I am sure same is the case for my contemporaries from other banks."
Breach Notification: A Key Driver
A mandatory breach notification law in India would be a big driver for CISOs to acquire cyber insurance, some experts contend.
"We are already seeing CISOs participate actively along with rest of CXO group when we are discussing GDPR preparedness by Indian corporations," Dhingra says. "Cyber insurance does offer coverage for notification costs and regulatory fines and penalties, and many CISOs want to understand this aspect better."
Also, insurance brokers are increasingly collaborating with security firms to conduct endpoint analysis and demonstrate where the vulnerabilities are. "Many CISOs are excited with the prospect where superior systems and processes set by them are rewarded by the insurance firms with a lower price and better policy terms; it's a great validation of their work," Dhingra says.