Studies indicate that cyber insurance sits atop all other security measures, which are prone to fail at some time or other, and there are expenses towards retrieving the system and meeting damages on account of litigation initiated by affected customers. Cyber insurance, especially for banks and financial services institutions, are expected to cover the main concerns and protect and business loss in case of a cyber-attack. Ideally it covers first-party and third-party liability.
In the July cover story in Banking Frontiers, Anurag Rastogi, member of executive management, HDFC ERGO General Insurance, says that the penetration of internet is growing at a rapid rate in India with smart devices being an integral part of our lives. “Owing to this and the increase in cybercrimes and frauds, there is a demand for cyber insurance among corporates as well as individuals in India and cyber insurance, therefore, is constantly evolving to cover the growing cyber risks across the globe,” says he. However, he admits while there is a rise in demand for cyber insurance, the adoption is still limited.
Rastogi says cyber insurance has become crucial for all companies, irrespective of their size. He says sectors and industries that have exhaustive data repositories like BFSI, eWallet service providers, eCommerce portals, telecom, technology companies and pharma/healthcare are the major adopters of corporate cyber insurance. According to him, the usual covers under corporate cyber insurance include covers such as losses arising from eTheft, eCommunication, eThreats, business interruption and others. The policies also cover third-party suits against the insured for disclosure, reputational conduct and content related liability claims. Forensic experts’ cost, notification costs in case of data breach, the cost for regulatory response and rewards expenses also gets covered under the policy.
Rastogi says the primary consideration while buying a cyber insurance policy should be taking stock of all the threats one may be exposed to online, so as to buy a relevant policy and suitable add-on covers. Besides these, both individuals and corporates need to be cognizant of the inclusions and exclusions under their policy. It is important to check the sub-limits for the risks covered, he says, adding one should also check the validity of the policy in order to do a timely renewal without break.
Individuals, according to him, must consider their exposure and their dependency on the internet. They must also consider their family’s exposure ie. the spouse and dependent children who access the internet. “In order to ascertain the sum insured, it is best to consider an individuals’ average spends online or the credit card/eWallet limit. The insurer will look at the individual’s past experience and loss history online if any. This is because any loss arising out of past acts will not be covered under insurance,’ says he.
Corporates, he adds, need to be mindful of the gravity of data that gets stored in the system, the geographical spread of the business (whether exposed to GDPR countries), compliance requirements such as PCI and HIPPA. Online presence of the company and outsourced activity also plays an important role here.
Like any commercial products, the premium for cyber insurance is calculated basis the exposure, says Rastogi, pointing out that the premium rates depend on factors like the scale of operations, limit of insurance cover being purchased, industry risk exposure, data liability exposure, claim circumstances if any and others. The premium rates are usually on the higher side for financial institutions, considering the risk exposure, in comparison to those in the manufacturing or the healthcare sector.
He is of the view that with the exponential increase in the rate of cyber-crimes, there is great potential in the Indian cyber insurance segment, which has grown by about 30-35% in the last one year. Over the last 4 years, large and mid-sized corporates have been purchasing commercial cyber insurance products.