Why Is Cyber Insurance Off to Slow Start in India?
Security Practitioners Weigh In On Why Adoption Isn't Gaining Traction
Because a growing number of organizations in India are being hit by cyberattacks, the case for buying cyber insurance appears to be stronger than ever. Nevertheless, security experts say only a handful of the largest companies have made the investment in this insurance so far.
The reasons for the slow adoption of cyber insurance in India, security experts say, include an immature insurance market; resistance from CFOs and a lack of budget; and a lack of innovation by government policy makers.
"Many CISOs, especially from small companies, aren't turning to cyber insurance as the market isn't mature enough," says Jaspreet Singh, partner, advisory services, Ernst and Young. CISOs from smaller firms aren't able to make a strong case for cyber insurance to the board unless their peers also invest in the same, which becomes a vicious cycle, he says (see: Weighing a Cyber Insurance Investment.)
Why the Need?
Given the increase in cyberattacks targeted at the nation, the case for cyber insurance in India would appear to be strong. In recent cyber incidents, companies have lost not only money but their reputation as well.
With state-sponsored attacks seeing a sudden surge, some bigger companies in India have understood the need for insurance.
"For many big companies, cyber insurance has become a compliance issue," says Lopa Mudraa Basuu, an enterprise security and risk governance expert. "In the services industry, clients check if we have cyber insurance in place. Moreover, CISOs have to put in place proper risk assessment to get required budget for insurance."
The parameters taken into account by CISOs, Basuu says, are:
- Risk exposure;
- Budget availability;
- Scenario plotting.
An IT risk manager of a bank, who asked to remain anonymous, contends that for companies with global clients, cyber insurance is both a business and a financial need. "These two factors are important for my company. Frankly, it wasn't tough for me to convince the board to have a good cyber insurance in place," the risk manager says.
The European Union's General Data Protection Regulation, or GDPR, with its eye-popping penalty clause, has pushed large companies into buying cyber insurance, some security practitioners say. A chief risk officer at an IT firm in India, who asked not to be named, says gaining support for beefing up insurance became easier after GDPR. "Though we always had cyber insurance, the fund assigned to it was minuscule. Post GDPR announcement, the management agreed to increase the budget for cyber insurance without me putting too much of an effort to convince them," the risk officer says.
What's the Hindrance?
So the question: Why hasn't the cyber insurance market grown bigger in India?
One factor is that CISOs often aren't the decision makers. "The decision is mostly taken by the CFOs who don't have a good hang of the risks," says Na. Vijayashankar, a cyber law expert. "Furthermore, CISOs aren't keen to admit the 'uncovered risks,' resulting in budgetary decisions to be based on the available surplus of discretionary expense rather than a considered budgetary decision taking into account total risk assessed."
Even for big firms, the awareness level isn't high across all sectors.
"A big food joint may not be as invested in cyber insurance as a bank or IT company. They feel for them the risk, in case of an attack, will not be as high as the premium paid for insurance," says Sriram Natarajan, chief risk officer at Quattro, a global services company. He also contends that insurance companies so far haven't been able to come up with innovative products for India.
Also, India currently lacks any formal cyber risk assessment policy. "Unfortunately there is lack of a strong assessment policy, regulatory guidelines, program and experience for threat assessment across industries for cyber risks," says Madhav Chablani, consulting CIO and chairman of the Cloud Security Alliance, NCR chapter. Because companies don't have a model to measure their losses effectively, they don't see the real need to invest in insurance, he says.
Furthermore, unlike the U.S., India isn't an insurance-savvy country, adds Vibhaw Kumar, senior vice president and head, liability and special risks, at Howden India, an insurance brokerage company. "People in India buy motor insurance as it's mandated. So, cyber insurance will get popularized only when there are regulations around it," Kumar says. "GDPR penalties are also contributing toward an increase in demand."
Security practitioners also blame limited information from insurance companies for the slow uptake. "Apart from a handful of companies, cyber insurance in its current state is in the cradle, as it provides only marginal coverage of the total costs of a typical cyber breach," Chablani contends.
"Writing insurance policy needs a specialized and agile approach. The key here is the recording of forensic evidence, which can decipher between negligence and cyberattack exploiting a loophole," Chablani says. "Yet proper understanding of the cost of error is required by underwriters before signing the policy. It's now a universal truth that whatever systems companies deploy to safeguard from cybercrime, attacks happen."
What's needed, Chablani says, is for insurers to consult with organizations before they underwrite a policy.
Singh argues that both insurers and companies "need a way to more accurately assess risk and determine a company's risk profile. Due to these opacities, Indian organizations are at a risk to properly on-board the correct insurance plans and hence mitigate the risks associated with cyber threats leading to either monetary losses or inaccurate coverage."
A Way Forward
Some security practitioners contend that many Indian organizations will not buy cyber insurance until premiums come down and insurers offer more innovative products.
"I am not sure what policies IRDAI has with regards to increasing cyber insurance in India," Natarajan says. "But it should come out with better policies and products. It has to think of ways to encourage more companies in this space. Then only will the market in India grow."