As cybercrime becomes a daily phenomenon, corporate and insurance firms should work together to fight the associated risks
Cybercrime is back in the news, with the recent ransomware attack WannaCry that struck users and firms across the world. Impacting over 200,000 computers in more than 150 countries, it held people and organisations to ransom and at the mercy of cyber-attackers.
While this incident might have brought the topic back into the limelight, cybercrime is already a day-to-day phenomenon. More than 4,000 ransomware attacks occurred every day across the globe in 2016 — up from 1,000 attacks a day in 2015. Cybercrime damages cost the world $3 trillion in 2016; this figure will rise to $21 trillion, according to experts. Further, malware is spreading to smartphones and other devices.
Indian companies and users are equally at risk. At nearly the same time when the ransomware attack occurred, 17 million user records were stolen from a prominent Indian food portal, despite these being stored in an encrypted format. We have already witnessed one of the biggest ever breaches of financial data involving 3.2 million debit cards in India in October 2016.
Cyberattacks impact firms irrespective of industry and size. Globally, health care, financial services and retail have been the most impacted by cyber breaches. In case of India, the impact is cross-industry, irrespective of whether the sector is consumer-facing or not. Financial services, pharma, oil and gas, apart from information technology (IT), have been the key targets of cyberattackers. According to recent surveys, while Indian executives acknowledge cybercrime as a serious threat to their organisations, few companies have made it part of their board agenda. Three in four companies do not conduct a detailed cyber risk assessment nor do they have any cyber incident response plan in place. This indicates that India Inc is largely oblivious to the critical damage that cybercrime can inflict on business.
Having said this, some organisations, especially the larger ones in the banking, financial services and insurance and IT space, are ensuring that they build robust cyber security defences. However, these firms are exposed to another risk — their partners and vendors have inadequate or lax security controls. Cyber hackers exploit this weak link to tunnel into systems and networks of companies. Another cause of concern is data that resides on the cloud. The shared, on-demand nature of cloud computing introduces the possibility of new security breaches. A cloud environment faces threats similar to traditional corporate networks, but due to the vast amount of data stored on cloud servers, providers are potential targets for a cyberattack.
Though cyber risk is acknowledged as a critical threat to business today, investments in cyber insurance remain small. The global cyber insurance market is estimated at $4 billion and is expected to grow to $20 billion by 2025. The Indian cyber insurance market stands at ~300 million and should expand to ~750 million by 2020. While these forecasts convey a major uptrend, they may not be sufficient given that technology-related risks will only grow in size and frequency in the new tech era. More importantly, this new-age risk is vastly different from traditional risks such as fire or marine losses. It does not remain confined to a pattern nor can it be entirely restricted by a defined set of preventive actions.
Insurers have been gearing up for this new-age onslaught. They have been enhancing their roles by offering consulting, communicating and constituting futuristic solutions. Further, industry leaders are coming together through platforms such as the World Economic Forum to define and draft recommendations on mitigating risks in the tech and cyber-enabled era. The industry has already demonstrated that it can be a source of guidance in advance of a breach and post breach. For instance, having dealt with many ransomware incidents in the past, insurers were in a position to guide their clients during the WannaCry attack to take appropriate action and worked jointly with their legal, communication and security teams to respond effectively.
On the product front as well, cyber insurance has evolved with time. The first “internet insurance” covers were introduced in the late 1990s to address exposure to online content or software. They were offered as an extension under professional indemnity policies with smaller limits. With the enactment of data privacy law in the US, a stand-alone cyber insurance product was conceived. At present, the principal cover under the policy is for damages and legal costs in connection with a data breach. It also pays for various costs the company incurs to limit the impact on its reputation — that is, costs for notifying customers, hiring reputation management agencies and credit monitoring services for affected customers. In addition, the policy pays for the cost of forensic investigation and expenses incurred in recreating any lost data. In case of a cyber extortion situation like WannaCry, the policy will pay the ransom as well as the costs of a specialist engaged to handle such a situation. In case of an outage of services (denial of service attacks) due to a cyberattack, loss of profits is also covered.
As the cyber risk situation evolves, insurers are focusing on addressing business interruption losses caused by cyberattacks. Coverage for lost earnings due to customer attrition as a result of a network breach is also being introduced. Further, as comprehensive legislation is put in place, insurance offerings are being aligned beforehand to meet regulatory requirements.
Cyberattacks are bound to increase in the future. It is up to corporate and insurance firms to join hands to work cohesively to fight these risks. For insurers, this presents yet another opportunity to add value to the ecosystem by taking up the risk manager position in the new-age innovation economy.
Source: Business Standard