By Gaurav Shukla

Cyber Risk Insurance

Continuous advancement in technology and the hyper-connectedness of users and systems over the internet and social media have transformed business models, deepened existing customer relations and created opportunities for organisations to tap into potentially profitable markets. Whilst these improvements bring success to organisations, they also widen the scope for cyberattacks that have serious implications for the working of an organisation.

Recently, infamous cyber attacks such as WannaCry and NotPetya have compelled organisations to be cognizant of the possible damage caused by notorious software agents and malware. With the increased complexity and sophistication of cyber attacks, it is imperative that organisations revisit their risk management strategy and make risk transfer one of its important pillars. Cyber insurance is a means by which organisations can transfer the risk of cyber attacks.

Relevance of Cyber Risk Insurance

Cyber Risk Insurance, also referred to as Cyber Liability Insurance Cover, is an insurance product that helps businesses hedge against the potentially devastating impacts of cyber attacks or cybercrimes. It enables organisations to mitigate the financial eventualities associated with cyber risks.

According to a Council of Insurance Agents and Brokers (CIAB) survey, while bigger companies are more likely to buy insurance coverage, the majority of large organisations are still exposed to the risks associated with cyber attacks. Cyber insurance products are yet to reach maturity and achieve greater penetration in the market because, unlike other insurance domains, they lack a standard mechanism to mitigate specific risks for an organisation. The following figure depicts key challenges that limit cyber insurers’ outreach to existing and potential buyers.

It is not only insurers that are hampered by the lack of data and reliable predictive models to determine the value and viability of cyber insurance; buyers are equally uncertain about how to quantify the risks and associated damages in order to buy the ‘right’ product(s). This leads to ambiguity about the type of coverage and the value of insurance they might need, as well as the cost/benefit associated with transferring the risk exposure to insurers.

Cyber risk could be spread over a wide range of coverages: general liability, property, professional liability, business interruption, and crime policies, among other standard coverages. This complicates efforts to assess coverage needs, match policies with exposures, and compare alternatives. It also challenges buyers and their intermediaries to ascertain the best area of coverage for cyber-related expenses such as forensics, notification, credit monitoring, public relations, reputational risk, legal defence and settlement costs, crisis management, recovery costs, and regulatory fines.

In addition, the legal setting for resolving any dispute that might arise between the insurer and the buyer remains unclear. Since there is not much clarity on the law around it, the terms and conditions of an insurance product are yet to be tested and made infallible.

Key considerations for cyber insurance

Organisations must keep the following key points in mind when dealing with cyber insurance:

  • Establish the desired scope of cyber insurance coverage before deep diving into discussions with insurers. Conduct risk assessments to identify non-mitigatable risks that require coverage.
  • Thoroughly evaluate the available options of insurers and the policies offered by them. Identified threat vectors must be adequately covered against the evaluated business impact.
  • Identify various threats and attacks for the in-scope environment and estimate the varying costs that may be incurred in each scenario to best assess the required coverage. Consider both immediate as well as long-term impacts of various cyber attacks.
  • Ensure that the policy covers maximum (if not all) possible cyber attack scenarios. Have an in-depth discussion with the underwriter to ensure appropriate coverage. In addition to the assessed risks, the insurance must also address contractual requirements, if any.
  • Ensure the policy language is clear and unambiguous. A small difference in verbiage can lead to a failed claim in the future.

Conclusion

Clearly, there is a need to embrace cyber insurance as a measure of risk mitigation. However, the potential of cyber insurance as a tool needs to be understood and realized by both buyers and insurers. Having holistic cyber risk management programs that span a buyer’s cyber risk lifecycle to complement traditional risk-transfer provisions, augmenting risk awareness and standardizing cyber insurance policy language are areas where buyers and insurers will have to work together to maximize the benefits of cyber insurance products.

Author is Partner, Deloitte India