A software developer works on a laptop computer at the Hevo Inc. power facility in the Brooklyn borough of New York, U.S. (Photographer: Christopher Lee/Bloomberg)

Insuring Against Cyber-Fraud? Easier Said Than Done

India is the 3rd most vulnerable country in terms of cyber-attacks and banks are among the most susceptible targets. But an attempt to insure banks against such attacks is proving to be tougher than expected.

The problem lies not so much in getting cyber-insurance products but more in ensuring that insurance companies have enough data to underwrite such risks. Without that, experts fear, the market for cyber-fraud insurance may not develop as fast as it should, given the rising risks.

Availability And Use Of Cyber Insurance

Insurance companies began introducing corporate cyber-insurance policies in India starting 2014. But only six Indian insurers, mostly private firms, have introduced such policies in the market.

Sanjay Kedia, country head and chief executive officer at Marsh India, told BloombergQuint that the present capacity of Indian insurers (six companies) stands at Rs 655 crore, with 60 percent of the market share with private insurance companies.

About 20 domestic banks have purchased cyber-insurance policies, shows data from Marsh India Insurance Brokers Pvt. Ltd. Several other banks have issued ‘Request For Proposals’ for cyber-insurance.

On average, the sum assured by these policies ranges from Rs 10 crore to Rs 700 crore, depending on the size of the bank. Since large banks have more branches and vulnerable end-points that are susceptible to cyber-attacks, the sum-assured is higher for them compared to smaller banks.

Under a standard cyber insurance policy for corporates, the sum-assured takes care of cyber-risks that banks could face, like a data breach or network security issues. This reduces the financial costs and liabilities associated with cyber-attacks but doesn’t mean that chief information security officers “can sit back comfortably,” said a cyber-security expert while speaking on condition of anonymity.

Underwriting Cyber-Risk

The problem lies beyond the availability and use of cyber-insurance.

Policy documents from some insurance companies list the types of cyber-attacks that are covered. These could range from identity theft, information technology theft or loss, malware, phishing, cyber-extortion, privacy and data breaches, among others. But those pricing these insurance products explain that cyber-attacks can come from anywhere, making it tough for insurers to underwrite the risk appropriately.

The issue is that we can’t build models around cyber-insurance as companies can be hit by any kind of cyber-attack, even after having all the necessary policies and technology in place. We underwrite cyber insurance based on the exposure a company faces to cyber-risks and not on data (of past incidents).
Sanjay Datta, Chief of Underwriting and Claims, ICICI Lombard General Insurance

Insurers conduct surveys prior to selling the policy, in order to understand the IT policies of a company or bank. They also try to ascertain the track-record of cyber-incidents at the company and the steps taken when a breach takes place.

“The problem is that we don’t have a formal data mechanism on incidents, so we worked closely on the pricing with a re-insurer that has had experience with these types of policies in the Asian market,” said Vaidyanathan B, Underwriting Manager, SBI General Insurance Company Pvt Ltd.

SBI General Insurance Company Pvt Ltd is currently working on building the back-end infrastructure to support its cyber-insurance policy with a full-fledged facility for incident management and forensics, he said. The company recently filed for approval of its cyber-insurance policy with the insurance regulator and hopes to launch its product by mid-March.

Queries sent to New India Assurance and Future Generali General Insurance did not elicit a response. Executives from HDFC Ergo General Insurance could not be reached for a comment.

Cautious Insurers

Given the lack of predictability, insurers are being extra-cautious to ensure claims are legitimate, even if this means a delay in eventual compensation.

One of the features of the corporate cyber-insurance policy is that insurers conduct independent forensic audits as part of their ‘services’.

Whenever a claim is filed, independent cyber-security experts are appointed by the insurer to verify and investigate the cyber-attacks. Insurance companies conduct cyber-security surveys with the company and at any point of time they can pull back the cover, said Akshay Garkel, Partner, Grant Thornton India LLP.

This is one reason why banks and companies should pick insurers carefully depending on the ecosystem they have in place to quickly assess and pay out claims, said Kedia.

Improving Data Availability

To be sure, attempts are being made to improve availability of data around cyber-attacks, which will eventually make it easier to offer insurance against such risks.

In 2016, the Reserve Bank of India issued a circular on cyber-security practices for large banks. These rules were later extended to all scheduled commercial banks and cooperative banks.

One part of these rules is to ensure reporting of all cyber-attacks.

Some of these large banks have been running security operation centers since the early 2000s but with the RBI Master Directions Circular on Cybersecurity there is only more emphasis on monitoring and reporting of incidents actively. The liability to share the information is fairly stressed and mandated in the circular.
Akshay Garkel, Partner, Grant Thornton India LLP.

Garkel added that most banks are still trying to comply fully with these guidelines.

“Cyber insurance policies are entirely dependent on digital trails after which you must prove there was a financial loss. The information from clients does not come very easily, we have to guide them and get it ourselves in many instances,” said Sasikumar Adidamu, chief technical officer at Bajaj Allianz General Insurance Company Pvt. Ltd.

This lack of information is a problem not just for individual claims but also for the industry which needs this data to underwrite risk appropriately, said Kedia.

There is not enough data available for insurers and their actuaries to price the risk appropriately. The problem gets compounded due to the fact that a lot of cyber incidents are not even reported or under-reported.
Sanjay Kedia, Country Head and Chief Executive Officer, Marsh India Insurance Brokers Pvt. Ltd.