Every day, news about cyber attacks floods our screens. Since the pandemic, these attacks have doubled, with major incidents affecting millions, particularly corporates. Take the case of Equifax, a US credit reporting agency, which faced penalties exceeding $1 billion after a significant data breach in 2017 that compromised the information of around 150 million consumers.
Financial impact?
Cybersecurity Ventures predicts that global cybercrime costs will grow by 15% annually over the next five years, reaching a staggering $10.5 trillion by 2025. This is a significant increase from $3 trillion in 2015. These costs encompass various damages, including the destruction of data, theft of money, intellectual property, personal and financial data, and even the cost of business disruptions and legal investigations. It's clear that the financial and reputational consequences of cyber incidents are severe.
Who needs cyber insurance?
"Cyber insurance is crucial for any organisation that uses digital systems and holds sensitive information," explains Evaa Saiwal, Business Head - Liability, Cyber & Financial Risk at Policybazaar. This includes all kinds of businesses, from small startups to large corporations, as well as government agencies, healthcare providers, educational institutions, and non-profits. Even individuals who handle sensitive data, such as financial advisors or consultants, should consider it. Essentially, anyone at risk of cyber threats like data breaches, ransomware attacks, or phishing scams should think about cyber insurance to protect against financial and reputational damage.
How does cyber insurance work?
Najm Bilgrami, National Head - Financial Lines at TATA AIG General Insurance, explains, "Cyber insurance provides coverage for losses resulting from cyber incidents. Insurers often help mitigate the impact and offer resources to address the consequences effectively." Here's a breakdown of how it works:
Restoration assistance: Helps businesses resume operations quickly after an attack, reducing downtime and financial losses.
Damage compensation: Covers various damages from cyber incidents, supporting the company's financial stability.
Expert support: Provides immediate access to forensic experts, legal professionals, and PR specialists to handle the situation.
Critical response window: The first 48 hours after an incident are crucial. Cyber insurance ensures prompt, professional support during this period.
What does cyber insurance cover?
Cyber insurance typically covers direct costs related to responding to and recovering from cyber incidents. This includes data breaches, cyber extortion, business interruption, and legal liabilities from lawsuits. However, there are exclusions, such as deliberate acts by the insured, intellectual property loss, bodily injury, and damages covered by other insurance policies.
Here’s what’s usually included:
Expert costs: Expenses for IT specialists, legal counsel, and other professionals needed to manage the incident.
Data recovery: Costs to restore lost or compromised data.
Notification expenses: Fees for informing affected parties about the data breach.
Regulatory compliance: Coverage for professional fees during regulatory investigations.
Business interruption: Compensation for income lost due to system downtime.
Third-party liability: Coverage for legal costs and compensation claims from affected clients or partners.
Cyber extortion support: Assistance with negotiations and payments in extortion scenarios.
What plans are available?
Cyber insurance plans vary, but they often include:
First-party costs: Covering business interruption and breach-related expenses like forensic investigations and legal fees.
Third-party costs: Protecting against claims and liabilities from privacy or network security breaches, multimedia liability, and reputational damage.
Cyber extortion coverage is also available, providing comprehensive support, including expert negotiation and potential ransom payments.
Insurance providers may offer additional options tailored to specific industries or emerging risks, such as social engineering fraud or incidents involving cloud service providers. Saiwal advises, "Policyholders should work closely with their insurance advisors to assess their unique risks and select appropriate coverage to protect against potential threats."
How do you raise a cyber insurance claim?
Raising a claim under cyber insurance can be a bit different from other types of insurance because each cyber incident is unique. Here's a step-by-step guide to help you through the process, based on advice from Najm Bilgrami:
1. Immediate notification: As soon as you suspect a cyber incident, contact your insurer's claims team immediately. The initial report should be submitted in writing, either via email or by calling the insurer's registered office.
2. Access to IT experts: Once you've reported the incident, you'll gain access to a network of IT professionals through your insurer. These experts can provide consultation and guidance to help manage the situation.
3. Local and global support: Your insurer's claims team, with local expertise and global resources, will support you. This means they understand the local cultural and legal landscape, while also having the backing of global resources.
4. Experienced claim handling: The insurer's experience with numerous claims allows them to spot emerging trends and potential issues. They can provide accurate estimates for settlements and help navigate the claims process smoothly.
5. Rapid response protocol: Quick response times are essential in a cyber incident to minimise damage. Your insurer should offer prompt assistance to help mitigate the impact.
6. Ongoing assistance: Throughout the claims process, from the initial report to the final resolution, you should receive comprehensive support from your insurer.
What’s the situation with cyber attacks in India?
India has seen a dramatic increase in cyberattacks, affecting businesses across the board, including startups. According to the Indusface Annual State of Application Security Report, Indian enterprises and government bodies faced over 5 billion cyberattacks in 2023 alone. Ranjeeth Bellary, a partner at EY India Forensic and Integrity Services – Cyber Forensics, points out that this number may be an underestimation, as many incidents likely go unreported or unnoticed.
The trends include:
Increased frequency and sophistication: Cyberattacks are not only more frequent but also more advanced, targeting all sectors.
State-sponsored attacks: There has been a noticeable rise in cyberattacks sponsored by states, posing serious risks to national security and critical infrastructure.
Vulnerability of startups and SMEs: Smaller firms, often lacking robust cybersecurity measures, are increasingly targeted.
How can firms protect themselves?
"To bolster their cybersecurity defences, Indian firms must adopt a proactive approach," says Bellary. Here are some key strategies:
Technical measures:
1. Robust security software: Install and regularly update firewalls, antivirus, and anti-malware software. Keep all systems and applications up to date.
2. Strong passwords and authentication: Implement strong password policies and multi-factor authentication (MFA).
3. Data encryption: Encrypt sensitive data both at rest and in transit.
4. Security awareness training: Train employees on cybersecurity risks and best practices.
5. Incident response plan: Develop a plan to quickly detect, contain, and recover from cyber incidents.
6. Forensic resources: Have forensic investigation and incident response capabilities, either in-house or outsourced.
EY suggests a few organisational measures:
1. Cybersecurity policy: Establish a clear cybersecurity policy for your organisation.
2. Security audits and risk assessment: Regularly audit your security measures and assess risks to identify vulnerabilities.
3. Cyber insurance: Obtain cyber insurance to mitigate financial losses from cyber incidents.
Additional considerations:
Cloud security: Ensure proper security settings and access controls for cloud services.
IoT security: Secure IoT devices and use mobile device management (MDM) solutions for all devices.
Compliance: Stay compliant with relevant regulations and standards, such as the Personal Data Protection Bill.