A recent survey on cyber insurance, conducted among 120 Indian organizations by RIMS, the risk management society and a leading global risk management association, and JB Boda Group, a leading insurance service provider, revealed some alarming statistics:
• 31.6% of the organizations surveyed either did not back up their critical and sensitive systems or did not have a disaster recovery site at all
• 69.7% of these organizations manage Personally Identifiable Information (PII) such as Date of Birth, PAN No., Account No., Aadhaar No. etc. while 38.15% of them managed Electronic Health Records
• 51.3% of the organizations surveyed did not have a formal IT risk framework in place
• 39.5% of organizations had not implemented a formal policy to mitigate Business Email Compromise (BEC). 23.7% had not even started creating such a policy.
• 44.7% of the surveyed organizations had not yet appointed a Chief Information Security Officer (CISO)
• 46.1% rely only on their firewall in case malware escapes their traditional antivirus software. 9.2% of the respondents did not even have a basic firewall in place.
• 31.6% of the organizations surveyed had never conducted external penetration testing
• 42.1% did not have a cyber-threat intelligence gathering function
The above statistics build a strong case for organizations to secure themselves against the financial risks arising from a cyberattack, and point to an immediate need to focus on developing cyber risk management strategies that could include cyber insurance. A good 57.9% of the organizations surveyed had not yet opted for cyber insurance. This indicates a clear lack of awareness in the market, as adoption has not been as high as it should have been.
“The Covid-19 pandemic has triggered digital transformation across Organizations, resulting in the creation of a complex IT landscape for Organizations in the form of public clouds, unfamiliar home networks, external systems connected through APIs with a plethora of access points into their sphere of monitoring and vigilance. Cybersecurity has become a mission-critical imperative. Adequate cyber insurance is the need of the hour. The cost of paying an annual premium is negligible for an Organization. However, the price to be paid after a cyberattack is heavy, which can damage an Organization’s reputation, financial stability, and its ability to remain a going concern,” said Gopal Krishnan K S, Director-Global Development (South Asia), RIMS (Risk & Insurance Management Society), a leading global risk management association.
It may be interesting to note that among the surveyed organizations, there are some which are yet to formalize a security function and appoint a Chief Information Security Officer (CISO). More intriguing, however, is the fact that this important mandate is handled by different departments across the surveyed organizations. 15.79% of these organizations had an information security team to handle cyber insurance cover and related functions. Another 15.8% said that it was their information technology (IT) team which managed this mandate. A few organizations said that neither of these departments handled cyber insurance for their organization.
“This RIMS – JB Boda survey examines the state of cyber insurance today in terms of its awareness and adoption. It establishes startling trends and revelations on cyber insurance levels of companies; rather the lack of it. Cyber insurance is more critical than ever today and organizations that have adequate cyber liability coverage are likely to have an edge over their competitors in an increasingly digital world. The move from ‘work from office’ to ‘work from home’ to ‘work from anywhere’ increased the vigilance landscape of IT teams. Today, Organizations might buy the best-of-the-breed products and incorporate best-in-class practices, but cybersecurity-related threats and vulnerabilities can never be eliminated,” said Gautam Boda, Vice Chairman, J B Boda Group.
As per Statista data published in Feb 2021, India Inc. is likely to spend up to $3 Billion on cybersecurity in 2022, up from the $2 Billion spent in 2019. As per the IBM Security Cost of Data Breach report, in 2020 alone data breaches cost India an average of $2 million per event, with the highest being $8.64 Mn.
“If you look at the survey, only 21.1% of the Organizations surveyed have implemented a BYOD policy, 59.2% have not, which can create multiple access points to the Organization’s landscape by spreading the attack landscape; in this era of continuous monitoring of systems, only 31.6% are yet to perform regular external penetration testing; 42.1% do not have a cyber-threat intelligence gathering function. All these factors make them highly prone to cyber-attacks and have a direct bearing on cyber-insurance,” said Dr Ram Kumar, Global Head of Cybersecurity Governance Risk and Compliance, Nissan Motor Corporation.
Of the 42.1% respondents surveyed, it is alarming to note that only 13.2% of the organizations had a cover of Rs 50 crore or more. 25% of the surveyed organizations had a coverage of less than Rs 50 crore. In terms of the number of years for which organizations have had this cover, 61.9% chose not to answer, which highlights the fact that these organizations are yet to get themselves adequately covered for a cyber-attack.
Agnidipta Sarkar, Group CISO, Biocon, said, “Cybersecurity today is no longer a technical but an Enterprise Risk. As there occur more attacks on utilities and industrial systems with Ransomware involved, it no longer becomes an IT related issue of an Organization but an issue on the table of a CFO and the company’s Board. Indian Organizations are yet to take it seriously enough to make it a discussion point across the Board room. As per the survey, 61.9% of the respondents could not answer which department of their Organization is involved with the purchase of Cyberinsurance. Moreover, of the remaining, that only 6.6% of Risk Managers were involved in the cyberinsurance purchase is highly shocking.”
The survey was conducted towards the end of 2021. Organizations were surveyed on the basis of their size and IT landscape, their data practices, cybersecurity policies and practices, and awareness and extent of adoption of cyber insurance. Out of the total 120 organizations surveyed, 22.2% were very large enterprises with 5001 employees or more; 11.1% were large enterprises (1,001 to 5,000 employees or more); 22.22% were medium-size enterprises (101 to 1,000 employees); 25.4% were small enterprises (10 to 100 employees) and 19.1% were micro-enterprises (1 to 9 employees). Revenue-wise, 41.3% of the organizations surveyed earned less than Rs 50 crore of annual revenue; 14.3% earned revenue between Rs 50 crore and Rs 100 crore; 22.2% earned revenue between Rs 100 crore and Rs 1,000 crore; and 22.2% earned more than Rs 1,000 crore.