Status of Cyber Insurance in India

Naavi has been one of the early proponents of Cyber Insurance in India. This site carries many articles in the past on the subject of Cyber Insurance (Refer here). Additionally, www.cyberinsurance.org.in  contains many of these articles in one place.

india_insurance_logo_2In 2015, Naavi.org initiated  a National survey titled India “India Cyber Insurance Survey 2015”, under “Mission Cyber Insurance” that we took up.   This survey was conducted with respondents being professionals in the Information Security domain and other professionals in IT companies and academics. The objective of the survey was to establish a bench mark of perception about Cyber Insurance in India which could be tracked later with similar surveys in the following years.

The survey gave good insights into the status of Cyber Insurance industry in India at a time none of the Indian insurance companies had actually introduced products offering coverage for liability arising out of Cyber Crimes. There were “Cyber Asset Insurance”, “Employee Fidelity Insurance”, “Errors and Ommission Insurance” which were often considered as Cyber Insurance. But real coverage of risks arising out of third party cyber crimes was not available. Few of the insurance contracts written at that time was basically on the reputation of the insured and did not take into account the “Risks” involved for which liabilities were to be covered.

The findings of the survey are available in a series of four articles here.

1.The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

2. The mystery land of Cyber Insurance-2: What is Cyber Insurance?

3. The Mystery Land of Cyber Insurance-3: Who should get Cyber Insurance Cover?

4. Cyber Insurance-4: The enigma called Cyber Insurance Premium

Naavi.org was not able to repeat the survey in the subsequent years to track the development. However, we are glad to know that DSCI has recently conducted a survey and released its report.

According to the DSCI survey,

    1. 350 cyber insurance policies have been sold till 2018, which is a 40% increse from overall base in 2017

    2. India’s yearly cyber premium market is around INR 80-100 crore (USD 11-14 million)

    3. IT/ITes and Banking & Financial services are the early adopters. The demand has increased because of Contractual requirements and GDPR. New demands from manufacturing, pharma,retail, hospitality,R&D and IP based organizations are observed.

    4. The premium amount ranges from USD 6500-8000 for a coverage of USD 1 million (0.65 yo 0.8%)

The report makes a mention that the threat surface in India is expanding due to increasing digitization . It is reported that India is the 2nd most affected country due to targetted attacks (for attacks between 2016-2018) and average cost for a data breach in India has gone up to INR 11.9 crores, an increase of 7.9% from 2017 with the average cost per record being Rs 4552.

During 2017-18 it is stated that the number of policies increased from 250 to 350 and  the coverage included First Party expenses such as  “regulatory Investigation and Fines”, Expenses regarding “Forensic IT Audit”, Stakeholder notifications, legal costs, credit monitoring, PR etc, third party liabilities as well as business interruption loss and Cyber thefts such as Fund transfer frauds, Cyber extortion etc.

Four insurance providers namely TATA AIG, HDFC Ergo, ICICI Lombard and Bajaj Allianz were indicated.

The challenges that confront the industry continue to be lack of awareness and understanding by the buyers and lack of acturial data for proper assessment on the part of the insurance providers.

Two of the companies namely HDFC Ergo and Bajaj Allianz were listed as companies offering personal Cyber Insurance. which was available from around Rs 50,000/- to Rs 10 crore. The Bajaj Allianz policy however offers a coverage with several sub limits for different types of losses. The HDFC Ergo policy offers a combined limit though the pricing is higher than Bajaj Allianz.

The survey also documents some strategic steps that may be taken to promote Cyber Insurance which we may discuss separately in subsequent articles.

A brief recount of issues listed for attention in the survey are as follows:

Government/Regulatory Bodies

-Creating awareness and ecosystem skills in cyber insurance policies

-Incentivizing SMBs through direct intervention or providing procurement benefits

-Providing Toolkits and Checklists

-Creating an ecosystem for cyber insurance to mitigate risks & improve resilience

-Mechanism for Data Breach Notification

-Creation of Cyber Incident Data Repository

-Promoting actuarial science for better modelling of cyber risks

Technology Firms

-Establish sector-specific cyber risk assessment framework

-Innovate to oer tailor-made products & services for cyber risk evaluation, forensics, incident response etc.

-Fortify capabilities

Brokers

-Spread awareness on essential coverage – create toolkits & checklists

-Support SMBs and startups, who wish to buy insurance policies

-Clearly articulate provisions under cyber insurance, and other insurance policies

Insured/Buyer

-Engage with a technology firm for cyber risk evaluation

-Before buying, important to create a ‘Cyber Insurance Committee’ that has representation from Insurance Purchase Group, Offices of CFO, CEO, CIO/CISO, CRO and CMO, for better decision making

Carriers (Insurance Providers)

-Fortify technological capabilities or engage with third party to conduct pre-breach cyber risk assessment and post-breach assessment

-Digitize for data-driven decision making

-Prepare for comprehensive inclusion of data privacy & protection to cover regulations such as GDPR, India’a Draft Bill on Data Protection etc.

Provide value-added services – customization, free counselling, trainings etc.

-Clearly articulate provisions under cyber insurance, and other insurance policies

Overall, it is good that DSCI has recognized the importance of building awareness about Cyber Insurance in the industry. Hope the initiative will continue.

Naavi will continue his efforts in this direction both through the awareness building through www.naavi.org and www.cyberinsurance.org.in. CyberInsurance.org.in was actually meant to be a platform for all stake holders in the Cyber Insurance domain to come together though it is yet to achieve this objective. Hopefully there will be greater awareness of Cyber Insurance and keener interest in the days to come.

Naavi

This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.