While some businesses still believe they’re “too small to be hacked,” Tata AIG’s Najm Bilgrami politely disagrees. The company has redefined the sector with its latest product, CyberEdge, which not only insures against cyber risks but also offers a comprehensive ecosystem of prevention, response, and risk improvement services.
Najm Bilgrami, Senior VP & National Head, Financial Lines at Tata AIG, delves into the transformative journey, evolving challenges, and the impact of cutting-edge solutions on businesses navigating an increasingly perilous digital landscape.
Can you provide an overview of the growth trajectory of Tata AIG’s commercial lines of business over the past few years?
I’d like to focus on the liability line of business, particularly cyber insurance. Tata AIG was the first to introduce cyber insurance in the Indian market in 2014. Now, after a decade, we’re launching a new product with significant enhancements to address the evolving nature of cyber risks.
Cyber risks fall under the liability line of business, which addresses new-age risks. This includes policies such as Directors and Officers Liability, Professional Indemnity (also known as Errors and Omissions), and Employment Practices Liability. These products address issues like discrimination, retaliation claims, and the impact of movements like #MeToo.
Cyber risks are dynamic and have become a major concern globally. Reports like Allianz’s Barometer and PwC’s Risk Manager Survey highlight cyber as the largest emerging risk, surpassing traditional risks like natural disasters, terrorism, and inflation. Insurers, reinsurers, and risk managers agree that cyber exposure now poses the greatest threat to organizations.
How has Tata AIG innovated in cyber insurance?
Beyond indemnification, we focus on risk mitigation and improvement. Our new product offers a comprehensive ecosystem of pre-placement, post-placement, and incident response services. A key feature is the “First Response Cost Cover,” tailored for small and medium enterprises (SMEs).
This cover includes:
• 24/7 hotline access during emergencies.
• Partnerships with Norton Rose and Indian law firms for legal assistance.
• Forensics support to assess breaches.
• Crisis management services for reputational risk mitigation.
SMEs, which lack the robust cybersecurity infrastructure of larger organizations, are increasingly targeted by threat actors. Our policy’s flexibility (24, 48, or 72-hour response options) ensures immediate assistance without deductibles, helping SMEs manage incidents without incurring upfront costs.
How does the Digital Personal Data Protection Act impact businesses and cyber risk management?
The DPDA is a game-changer, raising awareness about data exposure and privacy. In India, data breaches previously lacked the legal consequences seen in markets like the US or EU. The Act mandates stricter obligations for data handling, consent, and deletion, increasing the legal liabilities for organizations.
This will likely lead to more regulatory investigations. Our policies cover professional fees for regulatory representation and administrative fines (subject to legal insurability). Indian insurers, who haven’t yet seen major claims linked to privacy laws, may soon experience a shift as businesses adapt to these regulations.
Are you collaborating with stakeholders to develop cyber insurance standards in India?
Yes, Tata AIG identified cyber risks as a key exposure in 2014 and launched solutions addressing legal liabilities and damages. Our policy framework is designed to evolve with the market, ensuring businesses are protected against both existing and emerging risks. We engage with industry bodies, regulators, and other stakeholders to align our products with the evolving regulatory landscape, ensuring comprehensive protection for our clients.
Which sectors have you seen adopting cyber insurance in India most rapidly, and what key factors drive their interest?
When we started offering cyber insurance around 2014, IT companies were the earliest adopters, particularly those dealing with Europe and the US. This was driven by contractual requirements, as companies in these litigious jurisdictions often mandated their vendors to have cyber insurance.
Next, we saw the financial sector, including banks and other financial institutions, take a keen interest. As one of the most regulated industries, they were pushed by regulators to explore cyber insurance solutions.
However, the landscape shifted significantly during and after the pandemic. Threat actors began targeting industries that were previously not their focus, such as manufacturing and pharma.
For example, manufacturing setups became easy targets because of the high dependency on operational technology (OT) systems. Hackers often encrypted their systems and demanded ransom, paralyzing their operations until payments were made. This evolution in threat patterns has driven broader adoption across non-IT sectors.
What are the key challenges or barriers to broader adoption of cyber insurance in India? How is Tata AIG working to overcome them?
The primary barrier is lack of awareness—both at an individual and corporate level. Many companies are still unaware of the risks or underestimate their exposure to cyber threats.
Additionally, adoption remains limited to tier-one cities and industries like IT and finance. Non-IT sectors often perceive cyber risks as irrelevant. However, incidents have proven otherwise. For instance, a real estate builder once faced a ransomware attack that encrypted 96 computers. Despite initial assumptions that their business operations weren’t data-dependent, the attack severely impacted them.
From an insurer’s perspective, challenges include limited historical data to price these policies accurately and ensuring that minimum cybersecurity standards are met by policyholders. To address these, Tata AIG has developed incident response services and collaborates with security experts to assist companies during breaches.
We also anticipate that the new Digital Personal Data Protection Act will play a significant role in driving awareness and adoption.
Could you share a case study that illustrates the impact of cyber insurance solutions?
One example involves a company with operations in India and the US. The US subsidiary was compromised, and due to network interconnectivity, the threat actor gained access to the Indian operations as well. This lateral movement impacted their facilities in Hyderabad, Delhi, and Chennai, resulting in significant business disruption.
Another case during the pandemic saw multiple pharma companies targeted. In such cases, hackers not only stole sensitive data but also caused business interruption and extortion demands. Cyber insurance proved crucial in managing response efforts, mitigating losses, and ensuring continuity.
How do you engage with regulatory authorities like IRDAI and CERT-In when managing the aftermath of an incident?
Post-incident, we actively engage with regulatory bodies like IRDAI and CERT-In. CERT-In provides technical assistance in mitigating and understanding the scope of breaches, while IRDAI helps ensure compliance with regulatory frameworks.
We also work closely with incident response teams and law enforcement agencies to address the situation comprehensively, ensuring minimal disruption to our clients.
Can you elaborate on the role of law firms in navigating cyber incidents for global companies?
We have partnerships with renowned law firms like Norton Rose. Today, many companies operate subsidiaries across regions such as the US, Europe, and other parts of the world. In the event of a data breach affecting both Indian individuals and, for example, European citizens, the company must comply not only with India’s DPDP Act but also with the GDPR in Europe.
Law firms with a global presence are uniquely positioned to advise companies on which regulators need to be informed and within what timelines. Additionally, these communications often have legal implications—reporting incidents can expose companies to liabilities. Expert legal counsel ensures these communications remain privileged, minimizing potential exposure. This makes the role of panel law firms critical in such situations.
How does AIG’s CyberEdge differ from other cyber insurance offerings in the Indian market?
Most traditional insurance policies focus solely on indemnity—reimbursing the insured for losses after a claim. CyberEdge goes beyond that. It provides a holistic cyber risk solution, encompassing risk mitigation, risk improvement, and incident response services.
For example, our policy includes:
• Risk Mitigation: Employee training and cybersecurity assessments to identify and address vulnerabilities.
• Risk Improvement: Offering cybersecurity ratings and guidance on addressing areas like patch management and updating end-of-life technologies.
• Incident Response Ecosystem: Comprehensive support post-incident, ensuring insured entities can effectively manage and recover from cyber events.
This proactive approach sets CyberEdge apart, addressing not just financial losses but also operational resilience and long-term risk management.
What advice would you offer to businesses in India looking to invest in cyber risk management, compliance, and insurance?
I always emphasize that cybersecurity is a journey, not a destination. Unlike other risks that can be mitigated once and forgotten, cybersecurity demands constant attention and investment.
If you think implementing a firewall today will protect you for the next decade, you’re mistaken. Threats evolve daily, and staying secure requires continuous monitoring, adaptation, and improvement. Businesses must stay ahead of threat actors who operate in real-time, ensuring their defenses remain robust and up to date.
Najm Bilgrami
National Head, Financial Lines, Tata AIG General Insurance
aanchalg@cybermedia.co.in