- Cyber insurance, like any other insurance policy, covers any kind of contingency; however, the trigger is usually a cyber-related incident.
- The risk is industry-agnostic and is relevant to all businesses
- It is an indemnification-based policy but also goes a step beyond.
- Two buckets for liabilities are first-party losses and third-party losses.
In the last two years, we have seen some of the top companies be vulnerable to cyber-attacks, especially ones in industries we did not expect to be vulnerable to the risk of cyberattacks.
We have learnt that every company has to deal with and manage this risk. It is the reality of today. Therefore, it is no surprise that more and more people have been opting and demanding for a solution to cover this risk, which comes in the form of cyber insurance. It has been a growing trend in the insurance industry for the past couple of years and we can only see it getting bigger and bigger every year.
Hold on, but what is it? and is it relevant to your company and your audience? Well, to find out more about it we decided to talk to Bhishma Maheshwari. He is currently the senior vice president for Marsh India and has held the position of Senior Vice President FINPRO, Cyber Leader before that. With 15 years of experience in insurance broking and a peculiar interest in cyber insurance, we believe he is the perfect expert to teach us more about it.
Today we will be taking a deep dive to understand cyber insurance from the lens of a business owner or manager. What you should know about it and help you understand it better.
If this is the first time you are hearing about cyber insurance it will be useful for you to start with our article on it – Cyber Insurance In India: A Complete Guide Of What It Is And What It Include
Let’s get started.
So, what is cyber insurance?
Cyber insurance, like any other insurance policy, covers any kind of contingency, however, the trigger is usually a cyber-related incident.
So, any kind of cyber attacks, ransomware attacks, denial of service, unauthorised access of data, or any kind of phishing or social engineering kind of attack can be seen as an attack and/ or a trigger. Any kind of inswing losses from such an event is covered under cyber insurance.
It is largely a speciality line of insurance, falling under the liability line of business. It has become more and more prevalent in the last 5-6 years but more so, during the pandemic due to the working from the home era we are currently in.
You may ask why is there a need for cyber insurance, it is because this kind of risk is typically excluded from traditional insurance policies like property, marine or other general insurance policies. Click To Tweet
Who is it for?
There is a myth that cyber insurance is typically for businesses that are into online or digital. It is relevant for them but cyber insurance is important for any firm that holds any kind of data or works on a network. If you take these two things into account then you will realise that any and every firm in the environment has some or the other kind of cyber risk applicable to them. It is an industry-agnostic risk exposure applicable to all segments.
Over the last couple of years, we have seen that there are many firms that we originally thought are immune to cyber risk that have been impacted by cyber-attacks. Be it manufacturing, be it hospitality, be it healthcare, educational institutes, power and utility and others are all affected by it.
When we used to discuss cyber risk exposures with manufacturing firms or pharmaceuticals etc. they would question the relevance of cyber insurance to them. Most people used to think it makes sense for e-commerce companies, IT companies or other digital or data-based businesses. However, in recent times we can see that this risk is industry agnostic. In fact, if you see the data of the last two years in the Indian context, many of the major attacks have happened largely to manufacturing firms. These attacks have been on account of ransomware. This is what has been the trend.
While we talk more about corporates for such risks, it has become extremely relevant for individuals too. Simply because each one of us has smartphones in our hands and all our data is online. We do various activities like booking movies or flight tickets and more, therefore our identities are always under threat of identity theft. It is therefore important that individuals also take care of their privacy-related risks. This policy is relevant for individuals.
How does it help us?
Like any other policy that is also an indemnification-based policy, wherein if there is a loss to us and we have spent some money or where they have not been able to keep the data safe. However, cyber insurance goes a step beyond that. It also creates a good ecosystem of what to do in such situations.
If a corporate is under a cyberattack, the immediate step they will take is to contact third party vendors who ensure that these attacks are taken care of and fill those gaps through which such an attack has infiltrated. The other important task is to stop the attack from spreading.
Now, the companies that do such kinds of jobs are generally cyber security firms. All these firms will charge for such services and this policy covers you for those services too. If there is an attack the company knows who to reach out to ensure that the risks have been mitigated. There is a structure in place for the firm if it is ever in such a situation.
Sometimes, firms have to contact law firms because of the data that is compromised. Their costs are also taken up by the insurance agency. Similarly, there can be a requirement for credit monitoring firms or public relations firms or ransomware negotiation consulting firms.
Therefore, apart from indemnifying you from the losses this policy also creates an ecosystem and structure to recover from such losses.
Is a cyber insurance cover necessary for small businesses?
While larger businesses have big budgets, small businesses might not have those budgets as they need capital for growth. We cannot fully rely on insurance. You should think of cyber insurance as the 4th leg on a stool. If the technology processes and governance are the first 3 legs of the stool, insurance just adds to the financial stability of the risk management stool.
So cyber exposure is not something that you can spend your way out of, it is an operational risk that needs to be managed. One element of managing it is by ensuring that the residual risk is covered. After you have done all things possible, it is to ensure that you are financially secure against losses arising due to the residual risk.
So, my advice to small businesses is that while you should do everything else to manage the risk, invest in a good cyber insurance policy to bring in that financial stability aspect in your risk management strategy.
What does it usually cover? What to expect a typical cyber insurance policy to cover?
A typical cyber insurance policy is a kind of policy that covers a lot of risks.
We largely divide it into two buckets:
1) First party losses
Which are directly impacting the organisation
The expenses here are usually called event management costs, we spoke about this above. Forensics is one part of it, it also includes the legal expenses, the defence costs, the costs related to credit monitoring, public relations, etc. Everything that the firm has to spend to manage the cyber incident is the first party expenses, these get covered in it.
There is also something called “business interruption loss”. If the network is down due to a cyber event and the firm is unable to make revenue, the loss of profit that they would have earned during that time also gets covered under typical cyber insurance policies.
It’s very similar to the loss of profit policy, however, the trigger there is different. Here, it is a cyber event.
Any kind of extortion or ransomware demand that is made. Typical ransomware is where the data is encrypted and ransom is asked in order to get back the data. These are all ransom-related expenses.
If the data is lost during the incident and the company has to restore the data by involving other parties, the cost of that is covered under the policy.
2) Third-party losses
These come back to the organisation through a third party it is more of a liability situation.
Any firm using third party data which is being stored with them or where they are acting as custodians of the data. If that data has been compromised, the company that shared the data can come back and sue the organisation. The defence and the damages get picked up under this section.
Network security liability
Wherein your systems are being used as a conduit to get into your vendor’s systems or any other third party systems. Then those liabilities will also get picked up under third party liabilities.
Regulatory fines and penalties
This trigger has been created considering the kind of regulations that we are seeing emerge in regards to data privacy around the world. It has become very relevant that any kind of an action because of a data breach does get covered under this. Eg associated fines and penalties, associated costs of regulatory action gets covered under the policy.
Those are largely how the policies are customised. In some cases, we have also seen the loss of money is covered under the policy, wherein social engineering losses like phishing do get covered. However, that is largely an extension to the policy.
Overall, we can see in terms of the industry that insurers are more hesitant to insure risks if the risk is not up to the benchmark that they have. So, it is important that first, the firm invests in cyber security and second, they provide the kind of information that the insurer is looking for.
In many cases, we have seen that if the firm is not ready to share the right kind of information then the insurer is also not ready to provide them cover or provide a higher premium. However, I believe that with more information present the underwriters will be able to make decisions and offers based on the data provided. Which will help everyone in the long run.
Thank you, Bhishma for answering our questions with so much clarity and guidance. It is interesting to see how this risk will be covered in the coming years as we can already see the digital shift for more and more businesses every year.