Cyber risks are risks associated with the use of information technology systems that affect the confidentiality, availability or integrity of information and information systems, caused by criminal as well as non-criminal activity. Cyber risks can be characterized by interdependencies, potential extreme events, high uncertainty with respect to data breaches, risk of change which affects reputation, cyber defamation, etc.
Costs and adverse effects caused by cyber risk
- The cost of cyber risk is huge, as it hampers the reputation of the organization and may lead to severe turbulence in the smooth functioning of an organization that is prone to cyber risks or that does not have adequate cybersecurity and information security systems in place.
- The effect of cyber risks on any one such organization may disrupt the activities of other organizations in the industry, and the industry may face a sudden slump in actual growth and incur heavy costs in restoring efficiency.
- It will lead to unhealthy practices to combat the situation, and end consumers may have to bear the costs.
How and Where do we find data on cyber risk?
- Most empirical research is based on data breach information gathered after the sudden spurt in digital transactions and online platforms
- Identity theft and data theft may disrupt effective functioning, especially in the case of insurance companies, banks and financial institutions. Data theft and data breaches have often led to instances of siphoning of funds of which the customer is not aware in real time, and the technical aspects are beyond the common layman's understanding.
- Data breach information is now at the forefront of cyber risks in other industries as well
- The rise in digital transactions and speculation in the various cryptocurrency markets may invite data theft and data breaches
How can we model cyber risk and cyber insurance?
- Cyber risks can be modeled at different levels and layers of the organization, based on the requirement and the organization's exposure to cyber-attacks. Both the cybersecurity provider and the organization availing itself of the provider's services should be protected by cyber insurance policies, and the service contracts should ensure transparency.
- The cyber insurance premium will be justified based on the layer of protection and the organizational data value at each stage of the different functions of the organization
- Organizations outsourcing a few activities can be more cautious and ensure strict adherence to the data protection policies
- The digitization volumes can quantify the cyber risks and cyber insurance can indemnify in case of unknown cyber threats and malware attacks
- Cryptocurrency and blockchain technology can be evaluated to analyze the effect of cyber risks and thereby cyber liability insurance can be formulated for such scenarios.
- Create uniform notification and disclosure requirements, impose fines and enhance the ability of victims of data theft to seek compensation
- Ensure consumer confidence in the certainty of cyber insurance coverage and enhance efforts to increase sales.
Micro-perspective: How should cyber risk management be organized?
In risk management there are special features for cyber risks:
- Standard tools and instruments should be used with clear encryption and data accessibility rights
- Institutional commitment to data confidentiality
- Effective crisis management and training across the levels of all the departments
- Risk communication with internal and external stakeholders
- Continuous monitoring by implementing special and surprise cyber audits in systems
- Focus on mitigation, control and prevention of cyber risks.
- Focus on retention of risks and risk classification such that it does not increase the overhead costs because of risk policy
Macro-perspective: Is there a threat to the global economy?
- Ensuring that inter-regulatory hurdles do not hinder putting efficient cyber risk management in place.
- Implementing strict legal actions on violations of cyber risks management policies
- The government should initiate an action plan to facilitate the smooth implementation of cyber risks management and security policies.
- Strong contractual disclosures should be formulated by the entities providing as well as assuming cyber and information security.
Cyber insurance market: What is the status, pricing and challenges?
The stand-alone cyber insurance market reached an estimated USD 3.5 billion in written premiums in 2016, of which approximately USD 3 billion was written on behalf of US-based companies and USD 300 million was written on behalf of European companies. For comparison, gross written premiums in G7 countries in 2015 were USD 373 billion and USD 230 billion in the motor vehicle and fire/property (residential and commercial) insurance lines, respectively (OECD, 2016). Some estimate that the market could more than double by 2020, mostly due to growth in Europe. Similarly, the developing Asian economies may also explore the large markets of cyber risks.
Figure 1: Estimated stand-alone cyber-insurance take-up rates by sector (Marsh clients)
Figure 2: Potential coverage for Cyber Risk in Traditional policies
Figure 3: Share of stand-alone cyber insurance policies covering different types of loss
Figure 4: Potential coverage for cyber risk in traditional policies
In India, as internet usage grows and the government pushes to link everything from bank accounts to mobile phones with the Aadhaar biometric identification, the risks of cyber-attacks may increase. Bajaj Allianz General Insurance Company Ltd.'s cyber liability insurance (Cyber Safe Policy) provides cover against online and social media attacks, data breaches, identity theft, and extortion and bullying, a company statement said. A buyer should be 18 years or older and must own a digital device, such as a mobile phone, with access to the internet. It won't cover personal opinions, images or videos shared by the user on social or other digital media platforms.
The Cyber Safe plan will insure buyers for Rs 1 lakh to Rs 1 crore, covering legal and counseling costs, travel bills for appearing in court, compensation for a loss from data theft and data restoration refunds. The company, which has received regulatory approval, is yet to decide on other details. The premium ranges from Rs 657 to Rs 8,000 plus, depending on the age, internet usage and risk profile of the customer.
It will also cover financial loss resulting from email spoofing and phishing, losses and expenses related to defense and prosecution costs related to identity theft, IT theft loss, and restoration costs to retrieve or reinstall data or computer programs damaged by the entry of malware.
Pricing of Cyber Insurance
- The pricing of cyber insurance products against reputation attacks and cyber defamation should be adequately analyzed
- Past data attacks and breaches can substantiate the pricing of the product
- Pricing of cyber insurance may vary based on the different layers of protection
- Consequences of indemnity and subrogation of risks to be ascertained when
- Pricing of risk should provide incentives to reduce the risk to the extent that the investments in risk reduction will lead to reductions in premium
- Cyber risk is a relatively new peril and there is limited historical data on which to base the pricing of insurance premiums and probabilities on the uncertainty of exposures towards probable cyber risks.
- Lack of sufficient cyber data to enable accurate underwriting
- The continuous evolution of risks, which undermines the predictability of exposures to future cyber risks
- Buyers often don't understand cyber risks or their insurance options
- Even though quantitative measurement is still emerging and raises significant challenges, accounts of the frequency and scope of reported cyber incidents regularly find significant growth in both the number of incidents and the share of companies they affect.
- Being an indemnity-based product, there will be significant variations in the terms and conditions of the insurance product, the types of losses covered, the sub-limits and deductibles applied, as well as the time basis for claim eligibility.
- The complexity involved in ensuring appropriate coverage for cyber risk, along with the mismatch between the coverage available and some of the types of losses commonly incurred with other insurance products
How and What can the industry do to prevent cyber risk and support cyber insurance?
To prevent cyber risks:
- Develop standards and unified systems in place
- Common language and good practices of
- Scenario analysis and drawing experiences from previous historical cyber risks
- Dialogue with internal and external stakeholders and experienced professionals
- Follow-up on technological development and research, and continuous assessment of information security system efficiency.
- Further facilitate and develop analytical and modeling skills to ensure cyber risk protection as well as cyber risk prevention and effective control systems
- Secure own systems with technological support and improvements
To support cyber insurance:
- Collect and develop data pool
- Formulate insurance and reinsurance pool
- Analyze existing policies and ensure proper and efficient business and claims handling systems in place
- Policyholders should understand and quantify the risk that they face in order to determine the amount of coverage that they require
- Regulatory interventions on the distribution of such products can be formulated based on proficiency in the subject matter of cyber risks.
- Design and develop new adequate cyber insurance products/policies and provide for customization as per the changing risks requirement
- Regulatory bodies should facilitate future research directions on cyber risk and cyber insurance
Conclusions: The regulatory body and the insurance industry should be more proactive in creating better-educated consumers, create enough awareness and thereby encourage more businesses to implement risk-management training programs, enhancing direct outreach efforts through effective marketing and advertising policies. Insurers offering cyber insurance products can help to support the intermediaries and distribution channel by providing risk awareness and loss control materials, covering special training sessions and awareness programs by cybersecurity specialists and risk professionals. Standardization in the terminology of contract wordings of the cyber insurance product could help avoid the potential for coverage disputes, along with the lengthy and costly litigation that might result in the future. In the long run, standardization should lower the chances of potential coverage disputes that raise claims management costs for insurers.
References and analysis were drawn from:
- Participant as a media partner for Explore exhibitions & conference InfoSec Intelligence conclave 12-13 Oct 2017, Bengaluru, Karnataka India (YouTube Videos)
- https://www.oecd.org/ Cyber Insurance
- https://www.bajajallianz.com/General Insurance
- Marsh (2016), Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases, Marsh LLC, March 2016
- Marsh (2015), Benchmarking Trends: Operational Risks Drive Cyber Insurance Purchases, Marsh LLC, March 2015
- Risk Management Solutions, Inc. and Cambridge Centre for Risk Studies (2016), Managing Cyber Insurance Accumulation Risk, Risk Management Solutions, Inc. and Centre for Risk Studies, Cambridge University, http://cambridgeriskframework.com/getdocument/39
Jaswanth Singh G
Insurance Domain Consultant (InsureTech) and Faculty for Insurance, Financial Services & Pension Studies
Article Published in February 2018 Edition of The Insurance Times