By: Sushant Sarin, Senior Vice President – Commercial Lines, Tata AIG General Insurance
In 2014, a hacker group which identified itself as the “Guardians of Peace” leaked a release of confidential data from the film studio of a reputed entertainment company. The data included personal information about the company’s employees and their families, e-mails exchanged between employees, information about executive salaries at the company, copies of then-unreleased films, and other information.
Today, cyber threat is ubiquitous. A quick look at newspaper headlines reveals that companies as big as global investment banks to smaller health insurance providers have all been hit by a cyber-attack, within the last three years. So, it is no longer a matter of if but when an organization is attacked – and how it defends itself.
Data privacy and therefore data security are the top concerns of companies globally. With India being ranked as one of the top 3 targets of cyber hackers, CEO’s in India too are searching for solutions to manage this risk. The purchase of insurance designed to deal with the liability exposures arising from these risks is an important way that companies around the world mitigate these exposures.
A recent ASSOCHAM-Mahindra SSG joint study revealed that Cyber attacks in India are growing at an astonishing rate of 107% with about 12,456 cases registered every month. The cyber attacks are more sophisticated than what has been observed in the past few years.
As recent Cyber attacks show; data (e.g. customer information, confidential trade secrets etc.) is more valuable than money or securities.
Cyber Liability in India:
According to the latest KPMG Cybercrime survey report; nearly 72% of Indian companies faced one or the other type of cyberattack in 2015. More than 250 respondents from the likes of CIOs, CISOs, CAEs, CROs, COOs and related professionals from across India participated in the survey. The report also states that 94% respondents indicated that cyber related liabilities is a major threat faced by organizations, 41% indicated that it forms part of the board agenda.
Another important revelation was that 54% of the respondents indicated that spend on cyber defenses is less than 5% of IT spend with only 2% organizations spending more than 20% of their IT budget on information security and cyber defenses. The need for insurance as a plan B is even more pronounced.
The Information Technology Act, 2000 [Amended in 2008] has several provisions [e.g. S 43 A – Compensation for failure to protect data (Inserted vide ITAA 2006)] which make a corporate responsible for data breaches; in both cases – i.e. when holding the information directly on behalf of customers or in case when acting as an intermediary.
The exposure arising out of a Cyber breach is broad, encompassing personal/sensitive information being revealed in public, breach of privacy, hacking attacks on company/individual systems to shut down/damage the processes, intellectual property being stolen, government systems being hacked to compromise national security etc.
The sources of cyber attacks could be various such as professional hackers, dissatisfied employees, cyber terrorists.
Cyber insurance helps clients mitigate their cyber risk. A cyber insurance cover not only acts as an insurance against any liability arising out of a data breach, but also helps in mitigation of such risk since the cover offers value added services such as a risk assessment call with forensic experts, an analytics report and/or a shunning device to block unwanted IPs.
Cyber Insurance is of significance to large corporates as well as start-ups, especially the e-commerce players in the country, whose revenue and reputation is solely dependent on their online presence, which needs to be closely protected.
Cyber risk will be one of the most important threats in the coming years. The Indian insurance market is seeing a significant increase in demand for cyber insurance covers as one of the most effective tools to mitigate the cyber risk with benefits far outweighing costs.
Cyber risks have increased dramatically over the last decade. The many recent high-profile data breaches and company surveys show that a majority of companies are not up to date when it comes to protecting company assets from the current risk landscape. Therefore, companies must improve their cybersecurity strategies to adapt to the new ways of accessing and storing information in order to keep pace with more sophisticated attackers.