In an age when cyber security is of utmost importance, Mansi Thapar, Head – Information Security, Jaquar Group, writes about mitigating risk in an era of an ever-changing risk landscape, shifting laws and regulations, and uncertainty.
What is Cyber Insurance?
Cyber insurance products are designed to help businesses hedge against the potentially negative effects of cybercrime such as malware, ransomware, DDoS attacks, or any other method used to compromise a network and the sensitive data on it.
Do we need it?
The answer to this question lies within your organisation. It depends on many factors such as organisational risk appetite, size, budget, threat model and potential liabilities. Sticking to our usual MO, it is best to err on the side of caution. According to one study, 66% of SMBs would not survive a data breach on their own. Also, the cybercrime industry (yes, it is an industry) has never been more profitable, and the impact of a security breach is not only monetary but includes reputational loss, legal issues and loss of IP.
What are the Key Drivers?
- Increasing digitalisation of businesses, especially the move towards SaaS, PaaS and IaaS cloud models, IoT, social media and mobile, which widens the attack surface
- An evolving threat landscape involving ransomware, malware, etc.
- Increased cyber security awareness
- Demand from the Board/Management
- Apprehensions around the implications of data privacy laws such as GDPR and India's data privacy law (once it comes into effect)
- Third-party requirements from customers and partners
What are the Key Challenges?
Challenges for Insurance Providers
- Lack of actuarial data on cyber-attacks inhibits robust risk assessment
- Damages from cyber extortion and reputational loss, together with a rapidly evolving data and privacy landscape, make it difficult to quantify how comprehensive and adequate a cover is
- Cut-throat competition on premiums
- Gap between buyers' expectations of cover and what a carrier actually offers
- Buyers' reluctance to share the data that would help carriers evaluate risk
Challenges for Buyers
- Low awareness of cyber insurance
- Enterprises find the buying and claims processes tedious
- Lack of understanding of which policy to purchase
- Inadequate knowledge of how cyber insurance is priced, as little or no expertise is available in the market
What Questions to Ask as a Buyer: A Checklist
- Engage a third party (broker or technology provider) to help you self-evaluate, upgrade controls, identify the right set of carriers, and negotiate better premiums
- Before buying a policy, create a 'Cyber Insurance Cross-Functional Committee' with representation from the insurance purchasing group and the offices of the CFO, CEO, CIO/CISO, CRO and CMO for better decision making
- What aspects are covered under 'Cyber Insurance'? Does it overlap with traditional insurance you already hold?
- Does the policy cover a pre-breach cyber risk assessment? Are there provisions for annual premium adjustments?
- Does the policy have a panel of suppliers for post-breach response (forensic firms, PR, legal, etc.)?
- Does the policy provide full limits for every coverage element, or are some elements sub-limited?
- Does the policy cover liabilities under the laws of foreign countries where you do business, such as GDPR?
- Does the policy have a single retention (deductible) rather than separate retentions for each coverage element?
- What is the minimum waiting period for business interruption cover?
- Does the policy include GDPR coverage (including fines and penalties) at full policy limits, to the extent insurable by law?
- Are voluntary notification costs (notifying affected parties even where the law does not require it) included in the event management cover?
- Does the policy cover acts of rogue employees (insider threat)?
- Is terrorism addressed in the policy, and what does that cover include?
- Does the policy provide access to extortion advisors?
- Do suppliers have to be listed on the policy for coverage to apply?
- Can firms you already work with be added to the pre-agreed panel?
- What are the exclusions? Common ones include acts of war, incidents known before the policy was taken out, and failure to maintain the security controls declared in the application.
Authored By: Mansi Thapar, Head – Information Security, Jaquar Group