• Sony Anthony, Partner |
  • Kailash Mittal, Partner |
3 min read

Over the last few months, the pandemic has significantly changed the cyber security threat landscape. This has resulted in technology playing a major role in re-defining the ‘new normal’ as businesses across the globe have become dependent on technology for running their day-to-day operations through a remote working model. With more employees working remotely businesses and organisations struggling to enforce practices such as endpoint encryption, disabling removable media, identifying unauthorised software, secure connectivity to office network etc.  

Cyber criminals are exploiting this opportunity to hack into organisations, exfiltrate data, cause network disruption etc. Over 8 billion data records were compromised in Q1 of 2020[1] and such incidents have only paved way for cyber insurance amongst organisations looking to minimise the loss due to cyber incidents and data breaches.

Cyber insurance policy is a risk transfer mechanism used by organisations to protect themselves from losses and expenses arising due to cyber-attacks. The cyber insurance market globally is estimated to exceed USD20 Billion by 2025[2]. In India, close to 350 cyber insurance policies were issued in 2018[3]. This is expected to increase as cyber security is becoming a board room agenda across businesses.

Some of the typical inclusions of a cyber insurance policy are:

  • Business interruption costs
  • Forensic investigation costs
  • Administrative fines
  • Cyber extortion expenses
  • Breach notification costs
  • Legal expenses.

Some of the typical exclusions of a cyber insurance policy are:

  • Fraudulent act or willful violation
  • Mechanical or electrical failures
  • Bodily injury
  • Property damage
  • Loss of Intellectual Property (IP)
  • Loss due to cyber terrorism/war.

While most insurance products are based on decades of aggregated and actuarial data, assessing cyber risks and pricing cyber insurance products has been a little challenging because of the evolving cyber landscape and lack of historical data for actuaries to work with. Organisations are also facing challenges to quantify the cyber risks and decide on a suitable cyber insurance cover. 

Industry leaders are now looking for a quantitative approach to assess their cyber risks along with adequate provisioning and close monitoring of key changes in their risk environment. They are looking to gain objective insights into the cyber risk profile posed in the near future, envisaging cost-effective mitigation strategies, procuring tailor-made insurance structures, to best protect against likely attacks and analysing the impact on risk tolerance, accepted risks and retained losses.

Some of the key areas organisations should keep in mind while they operate during this crisis are as follows:

  • Does your cyber insurance policy cover the types of attacks that have been most prevalent in recent times?
  • Are there any conditions as per your cyber insurance policy that you are required to comply with to ensure that the policy coverage applies?

Organisations should anticipate discussions with underwriters on issues like -

  • How the business will cope when a cyber-attack has taken place and how far does it impact them?
  • If there any financial troubles that may hinder the required investment in cyber security ?
  • Cyber security privacy policies and procedures
  • Work from home deployment models
  • Virtual private networks and other secure remote access.

All organisations need to understand the threat levels in this current environment and the risk that they will face with regards to the ever-evolving cyber setting, address key cyber security issues as well and find appropriate approaches towards covering these cyber risks.

Have future predictive attacks and defenses ready so that going forward in the post COVID-19 era, your organisation is cyber protected and cyber insured.

[1] Q1 Data Breach QuickView Report, Risk Based Security, 2020

[2] Cyber Insurance: Risks and trends 2020, MunichRE, 14 April 2020

[3] Cyber Insurance in India, Data Security Council of India, April 2019