To insure or not? Cyber insurance helps recover losses from cyberattacks

In 2023, India ranked third globally in terms of the number of phishing attacks after USA and the UK. About 33 per cent  of all phishing attacks in India were targeted at the critical infrastructure industry. 

 

• In October 2023, hackers breached the ICMR database and stole about 815 million Indians’ personally identifiable information (PII) details, and did an exfiltration of the same to the dark web. 
• In Dec 2023, hackers breached BSNL and stolen ‘critical information’ of about 30,000 optical fibre landline users’ data and network characteristics and made it available on the dark web. 
• The Computer Emergency Response Team-India (CERT-In) has reported that the RailYatri app has encountered forty-two incidents of data breach in the past five years, and that this data was on sale on the dark web. 
• During the G-20 summit in 2023, cyber-hackers like Ganonsec, Jambi Cyber Team, and Hacktivist Indonesia attacked the official website of the conference with 16 lakh Distributed Denial of Service (DDoS) attacks per minute. 

 

According to a Checkpoint report, an Indian organization on average has experienced 2,807 attacks each week during the first quarter of 2024, a 33 per cent increase in cyberattacks in the first quarter of 2024 over the corresponding period last year. 

 

 

By 2025, it is estimated that the number of internet users in India will grow by 15.7 per cent and reach 900 million people as compared to 821 million in the current year. This will push organizations in India to increase adoption of AI, digital business decentralization, and dependence on supply chain with cloud services. The growth of the internet will also provide a great impetus to the digital India mission, leading to the growth of digital public infrastructure (DPI) in India such as Aadhaar, DigiLocker and UPI-based payments.

 

On studying the daily vulnerability notes of (CERT-In), it follows those that all software, network and hardware commonly used by organizations and individuals are at risk. So, banking, financial services, IT, healthcare, and e-commerce sectors are going to be prone to cyber-attacks. 

 

Most organizations in line with briefings, such as those from CERT-In, National Critical Infrastructure Protection Centre (NCIIPC) and sector-specific inputs from RBI and Insurance Regulatory and Development Authority of India (IRDAI), resort to use of security technologies (like firewall, antivirus, intrusion detection system, and end point detection response system), vulnerability assessment, and penetration testing (VAPT), along with IT audits and regular security training. This helps in most cases to reduce or deter the probability of cyber-attacks. But in most cases, a smart attacker may still be able to outwit the IT security technologies and launch a cyber-attack. 

 

The cybersecurity market in India has grown to $6.06 billion by 2023. The use of technology helps to prevent and detect cyber threats and threat surface. As a next step, organizations resort to transferring the residual risk to a cyber-risk insurer.

 

In India, cyber insurance is provided by Bajaj Allianz, ICICI Lombard, SBI Insurance, and HDFC ERGO for individuals and companies. The cyber-risk insurers cover cyber threats, business interruptions, cyber frauds and cyber-attacks (such as identity theft, phishing and email spoofing, damage to email reputation, cyber extortion, replacement of hardware, cyber bullying, cyber stalking, smart home coverage, online shopping, malware attack, IT theft loss, multimedia liability, online sales, network security liability, privacy breach , data breach, privacy breach by third party, liability arising due to underage dependent children, theft of funds due to unauthorised physical transaction). With premiums ranging between approximately Rs 2,000 to Rs. 5000 per month, cyber insurance offers an affordable means of securing comprehensive protection against cyber-attacks.

 

In 2020, the Insurance Regulatory and Development Authority of India (IRDAI) had set up a working group to study cyber liability insurance. The main objective was to provide suggestions to popularise cyber insurance in India. The working group had provided their recommendations regarding framing of cyber risk insurance policy, the process for claim settlement, and steps to increase the awareness about cyber insurance.

 

With the passing of the Digital Personal Data Protection Data (PDPD) Act, in 2023, the government of India intends to focus strongly on stringent protection of citizens’ data. So cyber insurance policies can cover organizations and data fiduciaries against losses arising from violation of DPDP norms. Thus, cyber-risk insurance helps to provide a supplementary financial tool after the initial investment in IT security tools. Cyber risk insurers can help to make good the loss arising from a cyberattack. 

---

The writers are, respectively, a faculty member and PhD students at IIM (Lucknow). The views expressed are personal    Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper