Cyber Risk in India – A Perspective
One of the most prominent risks faced by corporates worldwide today is the risk of cyberattacks or cybercrime, which is ahead of environmental, terrorism, or asset bubble risks.
Recently, a host of global MNCs have fallen prey to cyberattacks, like Bank of Montreal (BMO), PayPal, Equifax, Xoom Corporation, Heartland Payment, and others. The recent attack on Cosmos Bank and Union Bank of India has proved that such threats are extremely high as organized crime groups persistently target cyber assets with increasing sophistication.
Fact Check:
World Economic Forum’s Global Risks Report 2019 has flagged many incidents of data fraud and large-scale cyber-attacks as among the biggest risks in terms of likelihood and impact.
Oliver Wyman has reported that a single attack on a computer processing or communications network could end up causing economic damages worth $50 billion to $120 billion. The cost of cybercrime alone could cross $1 trillion globally by the end of 2022, which is far more than the record $300 billion of damage due to natural disasters in 2017, the report adds.
According to a Marsh report, over 32% of our clients mentioned cyber as one of the top five risks, but most confirmed that they do not have a perfect understanding of their cyber preparedness.
INDIAN RISK TRENDS:
As per Symantec, India ranks third among nations facing the most cyber threats.
Discussions are driven by the government’s push for digital adoption, which included cashless transactions and capturing personally identifiable information (PII) in the Aadhaar (unique identification number) database. Many manufacturing firms relying on Industrial Control Systems (ICS) and connected devices (Industrial IoT) are worried about business interruption risks caused by a cyber event, whether targeted at them or more widespread.
The exploitation of corporates comes in many forms. Personally identifiable data is stolen by hackers, by software skimmers, and through the exploitation of web-based and mobile applications. More sophisticated schemes have targeted confidential information used for securities trading. Individuals with direct access to networks and data can pose similar threats.
If not internally, vulnerabilities may emanate from vendor points in the supply chain that compromise defences through the introduction of malware or the misuse of user credentials. More malevolent actors may seek to disrupt markets and threaten the operability or integrity of the financial sector.
CURRENT REGULATIONS:
Current data protection regulation consists of the Data Privacy Rules for Indian companies: the IT Act 2000, which includes the following:
- Unauthorized access to a computer, computer system, or computer network — compensation of up to INR 10 million.
- Punishment for disclosure of information in breach of a lawful contract — 3-year imprisonment and/or a fine of INR 500,000.
The current government is in the process of enacting a new data protection law, the India Personal Data Protection Bill, which is in line with the EU General Data Protection Regulation and pending approval of the Parliament.
The proposed Bill has the following major points:
- Restrictions on processing and collection of personal data
- Right to be forgotten
- Data localization
- Explicit consent for sensitive personal data
- Data protection authority
- Penalties: 2–4% of the company’s worldwide turnover; or between INR 5 crore and INR 15 crore.
INSURANCE MARKET
Cyber risk is pervasive and continues to be a persistent threat that can result in financial damage and reputational loss.
Thankfully, the insurance market has developed solutions that can fill many of the gaps in traditional insurance and provide corporates with direct loss and liability protection for the risks created by the use of technology and data in day-to-day operations.
Cyber insurance solutions are designed to cover elements including:
- Privacy and Security Liability
- Business Interruption including extra expense
- Cyber Crime including extortion
- All associated 1st party cost (Forensic / Notification / PR / Defence Cost)
- Ransom payments
- Data restoration costs in case the data is lost
The Indian cyber market has seen a big upswing in the last 18 months. Some factors have been driving uptake of cyber insurance by Indian firms with global exposures, such as well-publicised data breach events in the US and the Western world and recent laws like the EU General Data Protection Regulation (GDPR) that are extra-territorial in scope, with onerous provisions like fines of up to 4% of a firm’s annual global turnover.
Initial consumers of cyber risk insurance were Indian corporates doing business overseas, mainly the IT/ITeS firms, since they had to confirm insurance cover to customer contract requirements. Other initial consumers include financial institutions, especially banks, NBFCs, and payment processors handling customer data like credit card information, which made them vulnerable to cyber-attacks and breaches. Of late, a lot of insurance companies, both life and general, have also purchased cyber insurance covers.
With a host of private and public sector insurers issuing cyber policies, around 375–400 standalone cyber insurance policies have been sold in India, with a gross underwritten premium of $12–14 million.
The limits range from $1 million to as high as $300 million. The limit purchased depends on factors such as:
- Type of Industry
- Revenues
- Exposure to Personally identifiable information
- Management’s outlook on cyber risk
DEMAND TRENDS
High limits
In the wake of stricter privacy laws across the globe, including the EU GDPR, combined with some catastrophic data breach events such as Equifax, companies, mostly from the IT/ITeS and financial institutions space, are demanding very high limits of cyber insurance. With the Indian market not having enough capacity, brokers like Marsh have to approach foreign insurance markets for additional capacity.
White-Collar Frauds:
There is an increasing demand for policies protecting against cyber or white-collar frauds. Although there is a separate crime insurance cover for such losses, insurers have managed to combine the two to form an insurance solution.
Property Damage:
A company’s own property damage arising out of a cyberattack is currently not covered under the cyber liability insurance. Such losses are not even covered under the prevalent property insurance policies and hence there is high demand.
Others
There are a few more such requirements raised by clients in India for which no insurance solution is available. These relate to cover for pollution losses arising out of a cyber event, loss of intellectual property arising out of cyber-attacks, etc. Since cyber insurance is still evolving, we may see coverage for such losses in the future.