Tepid demand for cyber insurance policies despite steep rise in attacks

Experts see signs of change because of heightened awareness and increase in enquiries

The rise in cyberattacks against institutions appears not to have led to a concomitant increase in demand for cyber insurance policies.

Recently, services at the All India Institute of Medical Sciences (AIIMS), Delhi, were affected for over 10 days because of a ransomware attack.

According to experts, the heightened awareness of the risks stemming from cyberattacks has resulted in a manifold rise in enquiries, but companies haven’t been rushing to buy insurance policies.

The increase in awareness stems from the huge increase in attacks. According to government data, there were 674,021 cyberattacks till June, which translated to around 3,700 attacks a day. According to the Indian Computer Emergency Response Team (CERT-In), there was a 51 per cent increase in ransomware attacks in the first half of 2022.

“Banking, IT companies, and a small segment of manufacturers are proactive in taking coverage against cyber risks. Otherwise, the vast majority of entities, including state-owned entities, usually do not have coverage against cyber risks,” said Sanjay Kedia, country head and chief executive officer of Marsh India Insurance Brokers. This could change after data protection regulations are put in place, he added.

After the outbreak of the Covid-19 pandemic, the cyber insurance segment saw decent growth, albeit thanks to a low base, experts pointed out.

According to industry estimates, the Indian cyber insurance market grew 35-50 per cent year-on-year in the past two years. At present, it is valued around $400 million. 

“More corporates are now looking to get covered as far cyber risk is concerned, because they have gone up. Among corporations, financial institutions, which deal with a lot of data, tend to get covered against such risks. Claims have started coming in and, in some cases, we have faced some losses, while in others the companies have been able to thwart the cyber risk,” said Sanjay Datta, chief – underwriting and claims, at ICICI Lombard General Insurance.

Government institutions were generally self-insured and did not opt for such coverage. Listed public sector undertakings and some of Navratna companies had taken cyber coverage, but that was because it was a board prescribed policy, said an industry official.

According to Marsh Insurance Brokers, though, there were signs of change in the manufacturing sector, which did not consider cyber risk a major concern, and firms had started actively seeking such cover. 

Within this sector, pharmaceutical companies had taken the lead — almost all the major firms either had cover or were in advanced discussions with insurers.

Experts said the market for cyber insurance had hardened as insurers have revised their underwriting guidelines to focus on better risk selection. Insurance companies now ask additional ransomware questions, which dictate the pricing, coverage and capacity on offer. The uptick in ransomware losses has also led some insurers to run outside vulnerability monitoring using third party vendors for common vulnerabilities and exposures.

Cyber insurance policies cover ransomware attacks and the ensuing damages, including ransom payments; data restoration costs; forensic and other first-party costs; and loss of profit arising out of business interruption.