[This is a continuation of our discussions on Cyber Insurance Survey-2015 ending with our previous article : …Who Should Get Insurance Cover?]
Last Friday (15th July), TATA AIG conducted a conference in Bangalore attended mainly by CFOs of different industries in Bangalore to promote their “Cyber Insurance” product. Cyber Insurance in India is being talked about for more than 5 years but companies have been hesitant to push the product aggressively because of the fear that Cyber Risks may be too hot to insure. Most of the time the Insurance companies have been tentative in their approach and are reluctant to discuss their policy offers in detail and in open. In this background, it can be appreciated that Tata AIG at least considered spending some marketing rupees on promoting their product though they hedged the marketing cost with their more popular D&O policy (Directors and Officers Liability Insurance) covering Director’s liabilities for negligence and omissions under the new Companies Act.
The interaction followed the familiar logic that “Cyber Risks are growing and Companies may be facing huge liabilities and existential risks like what Sony or Ashely Madison faced recently or some of the ransom ware threats faced by Indian companies and therefore they need to go for Cyber Insurance.
However, the meeting failed to address the most important aspect of “Cost of Insurance” and how it can be brought down. Obviously, as the Risk grows, companies would be willing to consider Cyber Risk insurance but unless the policy is reasonably priced, it is difficult to expect Companies to really cover their risks.
According to a recent press release from TATA AIG itself, the policy premia for a Rs 5 Crore limit range from Rs 5 to 10 lakhs for manufacturing industry, the education sector and for consulting, accountancy and similar professional services. This may go up to Rs 25 lakhs for financial services, health are and telecom industry. This indicates that in the industry segment where there is a need for insurance cover and also some acceptability of the cost the premia could be Rs 25 lakhs for cover of Rs 500 lakhs or nearly 5%. Can a Flipkart or Ola or even a Bank consider 5% as the cost of insurance is doubtful.
Secondly, incidents like Sony and Ashely Madison make good discussion point for creating the threat perception but it is difficult to believe that a Cyber Insurance policy would cover what was perhaps a Cyber War attack in the case of Sony or a patently illegal business of Ashely Madison. Such companies may take the insurance only for the sake of projecting their commitment to cover the risks but their claims are unlikely to be accepted when the d-day arrives.
When we conducted the Cyber Insurance Survey 2015 therefore we tried to get the perception about how the premia in a Cyber Insurance policy is determined.
Cyber Insurance policy being a hybrid policy that is having cover for both the “First Party Loss” and “Third party liability”, the premia could be “Asset Value Based” for the First Party loss and “Discretionary Based” for Third party liability. However, the Insurance companies are or transparent about their premium policy and hence insurers are not sure where they stand on the cost of insurance as well as the success of their claims if required.
During our survey, 82% of the respondents felt that the premium should be fixed on the basis of assets covered and equally 86% felt that it should be based on the liability basis. The respondents of the survey might not have been clear about whether the “Value of Assets” meant the total assets of a particular type that are being covered or the value chosen by the insurer and whether there is any agreement on how to value the “Data Asset” as different from the value of hardware and software. Should data be valued at “Potential Liability in case of a breach” or “Cost of Acquisition” is not an easy question to answer and there is no confirmation whether either the Insurers or the Insured have a clear understanding of this aspect.
The corporate respondents felt that discounts on premia should be based on the status of the security posture of an organization such as “Having been subjected to Compliance audits” and “Robustness of the Information Security Policy” followed by the company. On the other hand to what extent “Past Incidents” some of which might not have resulted in any liability should influence the premium fixation. More than 82% of the respondents of the survey had expressed the view that discounts should be provided for different IS audits to distinguish between two companies with similar risk profiles but different risk mitigation efforts.
TATA AIG only indicated that their proposal will be vetted by a team from KPMG which may make an assessment of the risk before quoting the premium. Greater transparency on such matters is needed before potential customers can give a serious thoughts. Similarly there was a need for TATA AIG to explain if they had faced any claim situation in India and if so of what type and how it was responded to. Without sharing of such information in generic terms, it is difficult for companies to take a view on the feasibility of Cyber Insurance.
I hope TATA AIG would in their future interaction with the industry try to be a little more transparent and let the companies develop some trust in the feasibility of Cyber Insurance. ..and of course 5% premium is considered usurious and it will be difficult for any company to set aside such a huge percentage of their resources for a potential liability cover.
Surely, the dilemma of the Insurance Companies on the enormity of the risks is understandable but they need a better understanding of the Cyber threats, Vulnerability management and the real rupee risks in India before trying to quote impractical premiums.
Hopefully the Insurance companies will realize that there is a huge market potential for Cyber Insurance in India and if they can quickly increase their risk assessment and risk pricing skills, there is a good business to harness. The other insurers such as ICICI Lombard and HDFC Ergo who also have Cyber Insurance policies need to take lessons from TATA AIG which claims to be the market leader at this point of time and structure their own offerings attractively.