Need for cyber-security insurance

In the wake of WannaCrypto Ransomware, Sanjay Datta of ICICI Lombard explains why businesses should opt for cyber-security insurance

Cyber-Security Endpoint

Author

Sanjay Datta is the Chief – Underwriting & Claims for

Sanjay Datta is the Chief – Underwriting & Claims for ICICI Lombard General Insurance Company, which is a private sector general insurance company in India. He has over 24 years of experience in General Insurance and was a part of the start up team at ICICI Lombard in 2001.

At ICICI Lombard, he is responsible for underwriting and claims division across the organization. He heads customer service for all product lines of the business and spearheads underwriting discipline, operational excellence, product development and pricing across Wholesale and Retail products. He also drives the company’s foray for quality service delivery across all products.

We’re only halfway through 2017 and the security world has already been on a rollercoaster with plenty of attacks and breaches dominating the headlines. With new worms and viruses hitting the international markets regularly, the need to safeguard our digital equipment has only increased.

The latest in a series of new threats is Ransomware. A typical ransomware will lock the users screen or files and provide access only on payment of ransom via Bitcoins. This type of malware can spread via malicious e-mails or downloaded if the user visits infected internet sites. While this type of malware has been around since 2005, the number of attacks have increased drastically over the last couple of years. TrendMicro has reported a 752% increase in ransomware families in 2016.

Wannacry is one such ransomware which is distinguished by its self-propagating nature. Its’ worm like capabilities mean that it can spread over networks and servers without user intervention. It is usually downloaded from a spam e-mail or infected website and spreads through the internet. These attacks have been transcending all over the globe with highest occurrences in Europe followed by the Middle East, Japan, and several other countries in the Asia Pacific (APAC). According to Quickheal, India saw at least 48,000 incidents.

Apart from such malware, organizations worldwide face the risk of loss of customer data. Target, one of the largest retailers in the US, had 80 million customer data records stolen from them in December 2013. This breach has cost Target $291 million. Just this week, Target has agreed to an additional settlement of $18 million with customers.

In the past year, Yahoo has seen two much larger data breaches with 1.5 billion customer records being stolen from them. The anticipated costs of handling these breaches, resulted in Yahoo’s valuations coming down by US$ 350 million. Closer home, the 2016 Indian Banks data breach reported in October 2016 saw an estimated 3.2 million debit cards being compromised resulting in funds being siphoned off from customer accounts.

Cyber criminals are now breaching the defenses of BFSI institutions by using innovative technologies, which enables them to avoid detection. This means they can stay undetected on the company’s systems for long periods of time and understand how the company works and cause much larger losses to the company. A good example for this would be the Bangladesh bank heist, where the hackers were present in the systems for 2 to 3 weeks before they carried out the attack.

Such incidents throw into sharp relief, the challenges presented by technology for organizations. While technology provides organizations with the enticing opportunity to connect with customers and understand their needs like never before, it also exposes them to risks which are changing rapidly. Additionally, organizations can face the consequences of lax security at their vendors too.

While the security risk of employing cloud vendors has been a discussion point since their emergence, the risk can emanate from any vendor. Target breach started when the password of one of their heating-cooling vendor was compromised. Organizations are recognizing these issues and Cyber threats are now a board room issue and regulators are also waking up to these exposures.

Such risks cannot be tackled by investing in IT security alone. The need of the hour for organizations is to put in place robust governance mechanisms and implement procedures to ensure that they stay ahead of these risks. However, as per a KPMG survey, while 94% of businesses recognize cyber crime as a major threat, only 26% have undergone a detailed risk assessment or have a plan in place to handle such events. It is imperative that along with measures to improve security, they also look at insurance to safeguard them from unforeseen losses arising due to a security breach. The wisest option is to select a cyber-security insurance policy.

Though cyber risk is acknowledged as a critical threat to business today, the investments on cyber insurance remains small. The global cyber insurance market is estimated at $4 billion and should grow to $20 billion by 2025. The Indian cyber insurance market stands at INR 300 million ($4 million) currently and should expand to INR 750 million ($11 million) by 2020. While these forecasts convey a major uptrend, online data volumes are expected to grow by 50 times by 2020.

So given the technology related risks, the take up of insurance is lagging behind. More importantly, this new age risk is vastly different from traditional risks such as fire or marine loss. It does not remain confined to a pattern nor can it be entirely restricted by a defined set of preventive actions. Recent incidents of attacks like Wannacry help reinforce the importance of having robust cyber insurance policies in place.

For organizations, a cyber breach comes with major damage to reputation and loss of customer confidence. Under the Cyber insurance product, the principal cover under the policy is for damages and legal costs in connection with a data breach. This policy also pays for various costs which can help the company negate an impact on its reputation or its books of accounts such as costs of notifying customers, costs of hiring PR agencies, costs of a forensics investigator etc.

In case of a cyber extortion situation, like the WannaCry ransomware attack, the policy will pay the costs of a specialist engaged to handle such a situation as well as any reward offered by the organization to informants for arrest of persons responsible for such attack.

Another major threat facing organizations which have significant dependence on the internet to carry out their businesses are denial of service attacks. In case of an outage of services because of a cyber attack, the loss of profits can get paid under the policy.

Large Banks and IT Companies were among the first buyers of this cover in India. However, with the news of large data breaches around the world and within India, Cyber insurance has become a top priority for all types of companies. Requests from retailers, IT companies and e-commerce firms have also been seen.. Earlier only large companies were looking for terms, however now smaller firms have also started exploring these policies.

With the emergence of new cyber threats and the dependencies that most businesses have on the internet and intranet connectivity, such incidents have a large impact on the operations of organizations. Needless to say, in this unreliable technological age, having a Cyber insurance is a must.

Cloudera Altus eases data processing on public cloud
Now police officers can nab criminals using Staqu's new AI app