Published in Factordaily on 24th August, 2017
A company is hit by ransomware every 40 seconds somewhere in the world, thanks to the rise of the ransomware-as-a-service model that is available ‘on demand’ to criminal gangs who increasingly target businesses. To date, 2017 has seen this trend play out in full force, with high-profile attacks such as Petya and WannaCry.
Ransomware is estimated to be a billion-dollar-plus industry, and the damage it causes to industry is many orders higher. The losses from Petya at Danish shipper Maersk were estimated to be $200-$300 million. Losses from WannaCry alone were estimated to be around $4 billion.
While ransomware has been dominating the headlines, companies face plenty of other existential risks, as laid out in a recent report. Losses from a massive cloud service disruption could range from $4.6 billion for a large event to $53 billion for an extreme event, according to a report titled ‘Counting the Cost’ published last month by global insurance market Lloyd’s and risk-modelling firm Cyence. In a mass software vulnerability scenario, the average losses range from $9.7 billion to $28.7 billion for large and extreme events.
India too has seen breaches of large magnitude in recent times. More than three million Indian debit cards were compromised in late 2016, reportedly affecting operations of all the major banks. In May this year, Zomato’s user data was dumped on the dark web, and later pulled down by the hacker. Last month, Reliance Jio’s database was temporarily leaked online and an Ola employee was arrested for unauthorised use of the know-your-customer feature of Aadhaar, the country’s unique ID project.
Anti-virus and internet security solutions provider McAfee estimates that cyber-criminal activity costs the global economy more than $400 billion. This is expected to increase five times to $2.1 trillion by 2019. Lloyd’s estimates cyber insurance to be worth between $3 billion and $3.5 billion globally, with consulting firm PwC pegging it to be worth $7.5 billion by 2020.
But here’s the jolt: in India, the world’s second largest internet market by users, cyber insurance accounts for less than 1% of the global market.
More noise than size
The whole liability insurance market in India is about Rs 2,000 crore, estimates a New Delhi insurance broker. “Cyber liability, as a standalone product, is between 3 to 5% of that. So in the scheme of things, it is not meaningful yet,” says Kapil Mehta, co-founder of Securenow.
“The noise in the market is much more than the actual size of the market, as yet. Either their foreign clients are telling them that they ought to be buying this insurance, or they are concerned about these threats on their own,” Mehta says of Indian companies. “They do come, spend a lot of time asking questions, go through the underwriting process, but often not go through the purchase, because these insurances are complicated and come with a lot of ifs and buts. And they’re expensive.”
This specialist line of insurance, estimated to be a Rs 100 crore plus market, is growing rapidly, reckons Sushant Sarin, Executive Vice President, Commercial Lines at insurer Tata AIG General Insurance.
“We have seen a sudden and drastic spike in the number of engagements and queries… but conversions themselves have not moved up at the same rate,” says Kiran Lokhande, Head of Liability Underwriting, at Bajaj Allianz General Insurance. The uptake in cyber liability covers has been 10 to 15% but that doesn’t square up with the number of organizations that are exposed to the risk, he insists.
“The average policy premiums for a Rs 5 crore cover start from Rs 2.5 lakh onwards,” says Sarin. The premium is calculated based on the type of business, the scale of the data an organization deals with, the nationality of the data subjects, the cyber security capability of the organization, the amount of insurance cover purchased, etc. His estimate of the growth in the business is higher at 20 to 25%.
“Indian IT companies with global exposure, multinational corporations operating in India, are signing up for them, but typical ‘lala type’ Indian companies are reluctant due to the premium,” says Manu Dev Summi, Senior Manager at Delhi-based Corporate Risks India Insurance Brokers. (The ‘lala type’ companies he refers to are thrifty ones that typically come with a trader background.) The current offerings in the market are not helpful for claims in the range of Rs 5 lakh to Rs 10 lakh, he says, adding that he recommends these policies for clients who see a claim of Rs 50 lakh or higher.
As demand grows, the premium will shrink, the Corporate Risks’ manager is confident. “In the coming years, it will be possible that every individual needs a cyber risk policy. So much of your personal data is on your mobile, and if it gets stolen, then you are faced with the threat of cyber risk,” says Summi.
While cyber insurance is increasingly a necessity for businesses, providers are struggling to come up with products that can cover all the aspects, including investigation, liability, cost and insurance cover or claims, says Sanchit Vir Gogia, Founder & CEO of research firm Greyhound Knowledge group. “Cyber insurance is complex. A forensic probe is an expensive exercise, so who will bear its cost remains a question. Even the factors that determine business losses vary and importantly the definition of ‘business loss’ remains highly ambiguous.”
Most companies confuse cyber liability insurance coverage (CLIC) with errors and omissions (E&O) insurance, Gogia said, citing data from an upcoming Greyhound survey, State of Cyber Insurance 2017. Some 68% of organisations surveyed mixed up CLIC and E&O, with just 12% having clarity on cyber insurance. CLIC covers technology-related losses, while E&O, also known as professional liability insurance, protects against losses from negligence claims made by a client.
Buyers of cyber risk insurance services in India include banking and IT sectors and the average limits bought are around $5 million, with larger companies opting for up to and over $10 million limits. Some of the largest programs in the market can even range up to $100 million. Companies that provide cyber insurance offerings in India include ICICI Lombard, HDFC Ergo, Bajaj Allianz, and Tata AIG.
As insurance companies typically lack domain expertise in cybersecurity, they have started partnering with cybersecurity firms and data analytics vendors. Symantec, for example, offers security analytics solutions for insurers to help them undertake cyber underwriting work and understand the probability of cyber attacks across a diverse catalogue of scenarios. California-based FireEye has global partnerships with insurance companies such as Ace Group and Marsh to mitigate cyber risk. Swiss Re, a reinsurer from Zurich, uses a cyber risk assessment platform provided by Cyence for its underwriting work.
“We recommend organizations undertake a Response Readiness Assessment which tests their ability to respond to cyber security incidents, as strong scores can translate into lower premiums,” says Subhendu Sahu, Acting Country Manager for India at FireEye.