Mitigating or reducing risks due to cyber threats in an increasing work from home mode has indeed become essential.
Work from Home (WFH) is the new norm in the Covid-19 era. Thousands of employees are working in this mode to keep their company operations running. There are many benefits of this, but it does come with some pitfalls. Chief among these are exposure to very high level of cyber threats and hacking. According to Cyber Security experts, such cases have grown significantly. For the last few years, many insurance companies have been selling policies for cyber protection. While mitigating cyber risks in conjunction with security technology companies have reduced the threats, and although it has promoted better underwriting practices, but has not yet impacted the cyber premiums for the benefit of the end consumer. The reason can be that even today this portfolio is very small in comparison to other general insurance portfolios like motor, health and Fasal Bima.
During the discussion in a webinar organized by the Insurance Foundation of India recently, it emerged that a number of measures can be taken to mitigate/reduce risks in an increasingly WFH mode. However, the most important and simpler ones are that consumers (MSME’s or individuals ) should use licensed software, use good antivirus software, use a secured home network wi-fi which is encrypted and also that the router password should be changed every 15 days. Also, it is important to double check the email IDs and make sure they are from a reliable source only, and not to click or open spam or unsolicited emails.
One should avoid mails with headings like reward, prize, lottery and those originating from countries like Nigeria. Besides, users must always ensure a confirmation check on phone with the concerned person, and should never send any personal details or OTP to each and anyone. Free Apps asking for your personal data should be avoided as far as possible.
Mitigating/reducing risks due to cyber threats in a increasing work from home mode has indeed become essential and corporates, mainly MSME’s, should pay due attention to these aspects. “There are technical solutions like end-point security to block the copying of data in external USB drives, and there are legal agreements which can put liabilities of data leak on employees in a work from home environment,” says Anuj Agarwal, Chairman, New Delhi based Centre for Research on Cyber Crime & Cyber Law.
The end consumer is exposed to a number of key cyber risks due to the WFH mode during these Covid-19 times. One is of course that people are not connected to secured office network so they are more exposed to hacking. Secondly, these days a large number of cases are being reported to Police all over the country due to phishing emails and extortion/ransomware, the ransom of which is usually demanded in bitcoins. Also, with bring your own device (BYOD) becoming common these days, companies need to check and strengthen their IT policies.
“The corporates face increased risks due to a cyber attack. Most of them are covered under the Cyber Security Insurance Policy, such as Damage/Destruction of data, Forensic costs, as experts are required, Notification costs, Legal costs & expenses, Extortion/ Ransomware demand, Business Interruption and Delays, Introduction and propagation of malicious software. Also there can be claims from Third Party due to Breach of Privacy, Breach of Confidentiality, PCI-DSS, DDOS, and Fines and penalties due to violation of regulations,” says Oorjita Lath, Independent Consultant & Trainer specialising in Specialty/Liability Insurance .
All the major general insurance companies are aggressively pushing various cyber insurance products. There are two types of policies: one for the Corporate entities and the other one are for the Individuals (doctors, lawyers, consultants etc.)
“Broadly, the corporate cyber security policy covers both the First Party Losses including business interruption and defence costs and Third Party liability, which is the costs or damages that a corporate may become liable to pay to the third party due to a cyber attack caused to their network. Cyber security policy covers the cost for a business to recover from a data breach, virus or other cyber attack. Then, there are policies for individuals too, which majorly cover losses due to Identity theft, phishing emails and other social engineering,” says Lath. Individuals are buying this policy with a view to avoid losses due to net banking or misuse of credit cards. Our survey reveals that very few people are aware of this policy. Therefore, the number of policies sold are very few.
When we take up the cyber insurance products available in the country and the risk cover associated with WFH, then we find that almost all the cyber security insurance policies available for the corporates in India cover the major costs and expenses related to a cyber attack, these can be divided into:
1. The First party costs such as the forensic costs, cyber extortion payments, notification costs, business interruption- loss of profit and additional costs of working, public relation expenses, legal costs and expenses.
2. The Third Party Liability include cover for breach of privacy, breach of confidential corporate information, regulatory fines and penalties, breach of network security, propagation of malware or distributed-denial-of-service (DDOS), also the insurers are offering payment card industry data security standard (PCI/DSS) cover, etc.
Besides, there are Cyber Security Insurance policies for Individuals, which can be bought online, majorly covering identity theft, cyber extortion, cyber stalking, restoration costs for the data damage, financial loss due to phishing etc.
Companies having better IT certifications and standards are a better cyber risk for insurance underwriters than the companies not having these practices. Further, especially for MSMEs having licensed software usage policy is a must, companies having checks and risk management techniques adopted using IT experts will definitely be a better risk for Underwriters and may result in lower premium rates than their peers not following these practices.
“Reason for few MSME buying this policy is that elaborate forms running into many pages and with as many as 87 questions (of a particular company ) repel any small organization in filling up the proposal form to be submitted for getting quote from the insurance company. Simpler forms are the need of the day and it is foreseen that these will come out soon,” is the view of Chief Underwriter, Ria Insurance Brokers Pvt Ltd, a company specialising in this product line.
MSME’s are increasingly realizing the need for cyber insurance so the market demand has increased by many times leading to large-scale adoption of insurance cover for MSMEs. “These days all big and small companies should take this cover, since most of the work and data is online and therefore every company is prone to cyber hacking and attacks. In fact all the major Insurance Companies and Insurance Brokers have also opted for this cover, realising the risks associated with the Cyber-attacks,” says Lath.
According to a recent study, India is the second most affected country in the world, due to targeted cyber attacks. Also the average cost for major cyber-attack on a large company in India has gone up to around $1.7 M. Besides, insurers have been settling claims worth crores of rupees.
“Although the Cyber Insurance market has been increasing for the insurance companies very rapidly each year especially since 2016 onwards, however, with the risk increasing for the Insurers and a number of claims being settled due to legal costs, forensic costs and expenses and ransomware, the market is hardening and I do not foresee softening of insurance premium in the near future,” concludes Lath.
Let us see what happens in 2020-21.
(By S K Sethi, Founder and Chief Executive Officer of the Insurance Foundation of India and the Founder Director of Ria Insurance Brokers Pvt Ltd)