As India goes further down the digital path, the number of cyber attacks has increased exponentially. This is corroborated by a KPMG report, which states that incidents of cybercrime in India shot up drastically in 2015, with 72% of companies in the country falling prey to online attacks. Similarly, a recent Assocham-PwC joint report on cybercrime states that during the first 10 months of 2016 alone, more than 39,000 incidents were reported. To mitigate the damage caused by these attacks, Indian firms are now increasingly buying cyber insurance policies. To get a perspective on the demand for cyber insurance in the Indian market, EC spoke to Anup Dhingra, Senior Vice President, FINPRO Practice Leader, Marsh India.
Some edited excerpts:
How is India as a market for cyber insurance? What are some of the key growth drivers?
The Indian cyber market has seen a big upswing in the last 18 months. Some well-publicized data breach events in the US and the Western world, and recent laws like EU General Data Protection Rules (GDPR) that are extra-territorial in scope with onerous provisions like fines up to 4% of a firm’s annual global turnover, have been driving uptake of cyber insurance by Indian firms with global exposures. In a recent Marsh report, over 32% of our clients mentioned cyber as one of the top 5 risks, but most confirmed that they do not have a perfect understanding of their cyber preparedness. In India, the government’s push for digital adoption, including cashless transactions and capturing personally identifiable information (PII) in the Aadhaar database, is driving discussions. A lot of manufacturing firms relying on Industrial Control Systems (ICS) and connected devices (Industrial IoT) are worried about business interruption risks caused by a cyber event – whether targeted towards them or more widespread.
How has the adoption of cyber insurance in India been? Can you give us some indicative statistics to show the growth for cyber insurance in India for your solutions?
Cyber risk is no longer just a conversation item at company boards. Some of Marsh India’s clients, especially in the IT/ITeS space, have had cyber covers as part of their liability programs for the last 8 years. But the first standalone cyber policy was procured only in 2013. Today, over 40 of our clients purchase stand-alone cyber policies, and over 100 have this cover included in their broader liability programs. Many clients also seek fund transfer fraud cover, euphemistically called ‘Fake President Fraud’ cover.
Which sectors in your view are leading in buying cyber insurance policies in India?
Early adopters were Indian corporates doing business overseas, mainly the IT/ITeS firms. The next set included BFSI, especially banks and payment processors handling customer data like credit card information that can be easily commercially adopted. In a widening scope, a lot of insurance companies have also purchased cyber insurance covers recently. Currently we are helping many telecommunications firms, payment banks and wallets, as well as many traditional manufacturing firms, including pharma, who are keen on purchasing this. The purchase motivators for the early adopters were to conform to the insurance purchase requirements in client contracts, but the new buyers are focused on risk management and seek custom-designed solutions for loss of revenue post breach event, cyber extortion, notification costs to notify affected customers, and expenses for hiring cyber forensics, legal and PR experts, etc.
How does premium get calculated for cyber insurance? Can you help us know some of the basic parameters that your firm undertakes for deciding the premium charged? For example, if basic security norms are not in place, does the premium become higher?
Premium depends on many factors, especially the firm’s cyber preparedness and resilience capabilities. Insurers sometimes insist on seeing a defined Information Security and/or privacy policy, Disaster Recovery Plans and/or Business Continuity Plans for the insured. Any past loss history, including near misses and expenses incurred to investigate a suspected breach, is useful. Insurance limits sought and deductible levels (self-insurance for the small threshold of loss) also define premium. Our clients usually choose policy limits between USD 5 – USD 100 M, with some large banks, technology firms and conglomerates seeking much higher limits as well. While averages could be deceptive, the mean rate for each USD 1 M insured limit is USD 7,500 as of now.