What is Cyber Insurance?
Insurance products designed to help businesses hedge against the potentially negative effects of cybercrimes such as malware, ransomware, DDoS attacks, or any other method/manner used to compromise a network and sensitive data.
Do we need it?
The Answer to this question lies within your organisation. It depends on many factors like organisational risk appetite, size, budgets, threat model, potential liabilities etc. Sticking to our usual MO – its best to be on the side of caution. According to one study 66% of SMBs would not survive a data breach on their own. Also, the cybercrime industry (yes, it’s an industry) has never been more profitable and impact of security breaches is not only monetary but involves reputation loss, legal issues, loss of IP etc
What are the trends?
- Standalone cyber policies more attractive than endorsements under other policies
- New coverages that renewal buyers are interested in – Cyber related Business Intel Fund transfer frauds/social Eng Data breach cyber extortion/ ransom
- Majority of newto-market buyers are Small (revenues <50 Mn) Mid-size companies (revenues 50 Mn to 1 Bn)
- Demand for expansive portfolio, pre and post breach support services, and risk assessment
- Coverages continue to evolve to address new regulatory changes
What are the Key Drivers?
- Increasing Digitalisation of businesses especially by movement towards Saas,Paas,Iaas cloud models, IOT, social media, mobile thus increasing the threat landscape
- Evolving threat landscape involving ransomware, malware etc
- Increase in cyber security awareness
- Demand from Board/Management
- Apprehensions around implications of various data privacy laws like GDPR and India Data Privacy Law ( when it will come into effect)
- Third party requirement like customers, partners
What are the Key Challenges?
Insurance Provider
- Lack of actuarial data on cyber-attacks inhibits robust risk assessment
- Damages owing to cyber extortion, reputational loss, and rapidly evolving data and privacy landscape makes it difficult to quantify comprehensiveness and adequacy of cover
- Cut throat competition on premium amounts
- Gap between buyer’s expectations for cover and what a carrier has to actually offer
- Buyers’ reluctance on sharing data that can help carriers evaluate risks
Buyer
- Lower awareness on cyber insurance
- Enterprises finding buying and claim processes to be tedious
- Lack of understanding on which insurance policy to purchase
- Inadequate knowledge on how the pricing works for cyber insurance as no or little expertise available in the market
What is the step by step process for Buying an Insurance?
What Questions/checklist to ask as a Buyer
- Engage with a third party(broker/tech provider) to self-evaluate, upgrade, identify the right set of carriers, and get better deals on premiums
- Before buying policies, create a ‘Cyber Insurance Cross-Functional Committee’ that has representation from Insurance Purchase Group, O_ces of CFO, CEO, CIO/CISO, CRO and CMO for better decision making
- What aspects are covered under ‘Cyber Insurance’? Is there any overlap with other traditional insurance?
- Does the policy cover pre-breach cyber risk assessment? Are there provisions for annual premium adjustments?
- Does the policy have a panel of suppliers for post breach cover – forensic companies, PR, legal etc.?
- Does the policy cover full limits for all coverage?
- Does the policy cover laws of foreign countries, where you have business, such as GDPR?
- Does the policy have a single retention and not separate retentions for each coverage element?
- What is the minimum waiting period for business interruption cover?
- Does the policy mention inclusion of GDPR coverage with full policy limits, to the extent insurable by the law?
- Are voluntary notification costs included in event management language?
- Does the policy include cover under rogue employees?
- Is terrorism specified in the policy, and what does it cover?
- Does the policy provide access to extortion advisors?
- Do suppliers have to be listed on the policy for coverage to apply?
- Is it possible to have firms added to the pre-agreed panel? What are the exclusions?
Who are the providers? (Indicative List)
Allianz Global Corporate & Specialty American International Group, Inc.
AON PLC
Beazley PLC Berkshire Hathaway, Inc.
Chubb Corporation Lockton Companies, Inc.
Munich Re Group XL Group Ltd.
Zurich Insurance Co. Ltd.
Tata AIG Insurance ICICI Lombard HDFC ERGO
Bajaj Allianz The New India Assurance Company Ltd
Sources – Data Security Council on India Report on Insurance
Zion Market Research; OECD Report; PartnerRe & Advisen Trends Report; Aon White Paper; Willis Towers Watson Wire Blog Information Security Newspapers and reports