“Indian firms are buying cyber insurance from $1 million to $100 million. The early adopters and those with cyber insurances are increasing their cover,” said Sanjay Kedia, country head and chief executive officer, Marsh India. He added companies with exposure to the European General Data Protection Regulation were proactive in expanding their cover as they could be fined as much as 4 per cent of their global annual turnover for failing to comply with insurance rules.
Earlier, only IT and banking companies would purchase cyber insurance, as their business in developed countries required them to comply with data protection regulations. But now, many manufacturing, pharmaceutical, automobile and ancillary activity, oil and energy, as well as utility companies were showing an interest in and purchasing customised cyber and commercial crime policies that cover a range of risks.
This is now a necessity, claim experts, as India is one of the top destinations for digital services, with the government pushing digitisation and an increasing smartphone and internet penetration. At the same time, India is also one of the top targets of cybercrimes — it was the third-worst hit country by WannaCry.
Government-owned companies, especially security installations and energy firms, are also realising they are exposed to state-sponsored actors apart from cyber fraudsters.
“With a surge in reports of organisations being duped by fraudsters online, such as the Bangladesh Bank heist last year, there has been 25 per cent increase in requests for crime insurance policies over the past few years. The premium for a Rs 25-crore policy would be about Rs 15-30 lakh a year, depending on the type of insurance,” said Sanjay Datta, chief underwriter — claims and reinsurance, ICICI Lombard.
There are, however, a few challenges in converting an enquiry for insurance into a sale. Sector players claim the biggest among these is the lack of a strong assessment policy across industries.
An EY report earlier this year had noted 55 per cent of Indian enterprises do not have a threat-assessment programme. The study also found 68 per cent of companies would not increase their security spending even if a direct supplier was attacked, and despite knowing suppliers have access to its systems.
“The cost of insurance goes up when insurance companies see a weak security system. Companies also do not have a model to measure their losses effectively and hence they don’t see the need to invest (in insurance). Yet, the cost of insurance cover goes down only when the volume of policies increases,” said Sivarama Krishnan, partner and leader for cybersecurity, PwC India.
He also noted that unlike health and vehicle insurance, there was no regulatory requirement for cyber insurance. So companies opting for it were doing so out of client requirement or a need to safeguard their brand.
At present, in India, insurance companies provide policies covering common cyber risks such as legal liabilities for data breach, loss of customer information, loss of revenue, ransom and certain kinds of incidental expenses related to cyberattacks, said Venkat Nippani, partner, Grant Thornton India LLP.
Premium for a policy covering loss of reputation may be about 3 per cent of the sum insured, compared to a policy for loss of operational time, which might be 0.3 per cent of the sum insured. The reason for the difference in cost was because while unavailability of systems can be measured, reputation cannot. As policy price rises, clients lose interest, said PwC’s Krishnan.