Cyber risks and How an effective Cyber Insurance can be explored for mitigating risks:
Risks associated by the use of Information Technology systems that affects the confidentiality, availability or integrity of information and Information system caused by criminal as well as non-criminal activity. Cyber risks can be characterized by inter-dependencies, potential extreme events, high uncertainty with respect to data breaches, risk of change which affects the reputation, cyber defamation etc.
Costs and adverse effects caused by cyber risk
- Cost of cyber risk is huge as it hampers the reputation of the organisation and may lead to severe turbulence times in smooth functioning of the organization which is prone to cyber risks or organisation which are not adequately equipped with cyber security and information security systems in place.
- Effect of cyber risks with any one such organisation may disrupt the activities of the other organisations in the industry and the industry may face sudden slump in the actual growth and involve heavy costs in streamlining the efficiency in place.
- It will lead to unhealthy practices to combat the situation and end consumers may have to bear the costs
How and Where do we find data on cyber risk?
- Most empirical research is based on data breach information after the sudden spurt in the digital transactions and online platforms
- Identity theft and data theft may disrupt the effective functioning specially in case of Insurance companies, Banks and financial institutions. Data theft and data breaches have often lead to instances of siphoning of funds and the real time customer is not aware and technical aspects are out of the common layman understanding.
- Data breach information are now spearheading with the cyber risks in other industries as well
- Rise in Digital transactions and speculations in the various crypto currency markets may invite data theft and data breaches
How can we model cyber risk and cyber insurance?
- Cyber risks can be modeled with different levels and layers in the organization based on the requirement and risk prone exposure of the cyber-attacks. The cyber security provider and the organisation availing the services of such organisations both should be under the protection of cyber insurance policies in place and ensure transparency in the service contracts.
- Cyber insurance premium will be justified based on the layer of protection and organizational data value at each stage of different functions of the organization
- Organization outsourcing few activities can be more cautious and ensure the strictly adherence to the data protection policies
- The digitization volumes can quantify the cyber risks and cyber insurance can indemnify in case of unknown cyber threats and malware attacks
- Crypto currency and block chain technology can be evaluated to analyse the effect of cyber risks and there by cyber liability insurance can be formulated for such scenarios.
- To create uniform notification and disclosure requirements, impose fines and enhance the ability for victims of data theft to seek compensation
- ensuring consumer confidence in the certainty of the cyber insurance coverage and enhance efforts to increase sales.
Micro-perspective: How should cyber risk management be organized?
In Risk management there are special features for cyber risks, such as the following:
- Standard tools and instruments should be used with clear encryption and data accessibility rights
- Institutional commitment towards the data confidentiality
- Effective crisis management and training across the levels of all the departments
- Risk communication with internal and external stakeholders,
- Continuous monitoring by implementing special and surprise cyber audits in systems
- Focus on mitigation and cyber risks control and prevention.
- Focus on retention of risks and risks classification such that it does not increase the overhead costs because of risk policy
Macro- perspective: is there a threat to the global economy?
- Ensuring the inter-regulatory hurdles does not impact placing the efficient cyber risk management in place.
- Implementing strict legal actions on violations of cyber risks management policies
- Government should initiate an action plan to facilitate the smooth implementation of cyber risks management and security policies.
- Strong contractual disclosures by the entities providing as well assuming the cyber and information security should be formulated.
Cyber insurance market: what is the status Pricing and challenges?
The stand-alone cyber insurance market reached an estimated USD 3.5 billion in written premiums in 2016, of which approximately USD 3 billion was written on behalf of US-based companies and USD 300 million was written on behalf of European companies (for comparison, gross written premiums in G7 countries in 2015 were USD 373 billion and USD 230 billion in the motor vehicle and fire/property insurance lines, respectively (residential and commercial) (OECD, 2016)).
Some estimate that the market could more than double by 2020, mostly due to growth in Europe. Similarly, the developing Asian economies may also explore the large markets of cyber risks.
Estimated stand-alone cyber-insurance take-up rates by sector (Marsh clients)
In India, as an example, as internet usage grows and the government pushes to link everything from bank accounts to mobile phones with the Aadhaar biometric Identification, the risks of cyber-attacks may increase.
Bajaj Allianz General Insurance Company Ltd.’s cyber liability insurance (Cyber Safe Policy) provides cover against online and social media attacks, data breaches, identity theft, and extortion and bullying, a company statement said. A buyer should be of 18 years or more and must own a digital device like a mobile phone with access to the internet. It won’t cover personal opinion, images or videos shared by a user on social or other digital media platforms.
The Cyber Safe plan will insure buyers for Rs 1 lakh to Rs 1 crore, covering legal and counselling costs, travel bills for appearing in court, compensation for a loss from data theft and data restoration refunds. The company, which has received regulatory approval, is yet to decide on other details. The premium starts from Rs 657 to Rs 8,000 plus depending on the age, internet usage and risk profile of the customer.
It will also cover financial loss resulting from email spoofing and phishing, losses and expenses related to defence and prosecution cost related to identity theft, IT theft loss, restoration cost to retrieve or reinstall Data or Computer Program damaged by entry of the Malware.
Pricing of Cyber Insurance
- The pricing of cyber Insurance product against reputation attacks and cyber defamation should be adequately analyzed
- Past data attacks and breaches can substantiate the pricing of the product
- Pricing of cyber insurance may vary based on the different layers of protection
- Consequences of indemnity and subrogation of risks to be ascertained when pricing of risk should provide incentives to reduce the risk to the extent that the investments in risk reduction will lead to reductions in premiums
- Cyber risk is a relatively new peril and there is limited historical data on which to base the pricing of insurance premiums and probabilities on uncertainty of exposures towards probable cyber risks.
- Lack of sufficient cyber data to enable accurate underwriting
- Continuous evolution of risks that undermine exposures predictability of future cyber risks
- Buyers often don’t understand cyber risks or their insurance options.
- Even though quantitative measurement is still emerging and raises significant challenges, accounts of the frequency and scope of reported cyber incidents regularly find significant growth in both the numbers of incidents and the share of companies they affect.
- Being and indemnity based product there will be significant variations in terms and conditions of the insurance product, types of losses covered, sub-limit and deductibles applied, as well as the time basis for claim eligibility.
- The complexityinvolved in ensuring appropriate coverage for cyber risk, along with the mismatch betweenthe coverage available and some of the types of losses commonly incurred with other insurance products
How and What can the industry do to prevent cyber risk and support cyber insurance?
To prevent cyber risks:
- Develop standards and unified systems in place
- Common language and good practices of Scenario analysis and drawing experiences from previous historical cyber risks
- Dialogue with internal and external stakeholders and experienced professionals
- Follow-up on technological development and research and continuous assessment of information security system efficiency.
- Further facilitate and develop analytical and modelling skills to ensure cyber risks protection as well as cyber risks prevention and effective control systems
- Secure own systems with technological support and improvements
To support cyber insurance:
- Collect and develop data pool
- Formulate insurance and reinsurance pool
- Analyse existing policies and ensure proper and efficient business and claims handling systems in place
- Educate policyholders to understand and quantify the risk that they face in order to determine the amount of coverage that they require
- Regulatory interventions on distribution of such products can be formulated based on the proficiency in the subject matter of cyber risks.
- Design and develop new adequate cyber insurance products/policies and provide for customization as per the changing risks requirement
- Regulatory bodies facilitating Future research directions on cyber risk and cyber insurance
The Regulatory Body and Insurance industry should be more proactive in creating better-educated consumers and create enough awareness and thereby encourage more businesses to implement risk-management training programs. enhancing direct outreach efforts through effective marketing and advertising policies
Insurers offering Cyber insurance products can help supporting the intermediaries and distribution channel by providing risk awareness and loss control materials covering special training sessions and awareness programs by cyber security specialists and risks professionals.
Standardization in terminology of contract wordings of the cyber insurance product could help avoid the potential for coverage disputes along with the lengthy and costly litigation that might result in future. In the long run, standardization should lower the chances for potential coverage disputes that raise claims management costs for insurers.
Jaswanth Singh G
MBA (Finance) FIII (Fellowship – Insurance Institute of India Mumbai)
Insurance Domain (Insuretech) Consultant and Faculty for Insurance and Pension Studies