Naavi, along with some of his friends, embarked upon a Cyber Insurance status study in India titled “India Cyber Insurance Survey 2015”. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi
When the exploration of the Cyber Insurance landscape was contemplated, it was known that knowledge about the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low. There was no surprise here in finding that the penetration of Cyber Insurance in India was low. Some of the reasons for such a status, despite the growing Cyber Crime threats, are analysed here.
Let us analyze one set of the responses, which indicated the following:
92 % of the respondents who represented different IT user entities had no experience of taking Cyber Insurance.
54% of the respondents stated that they are unlikely to consider in the near future.
90% said that they will consider only if they suffer any loss in a cyber attack.
74% said that they will consider only if they have an attack on themselves.
72% said that they may consider if a suitable product at a right price is available and 80% said that they will consider if there is a mandate.
The respondents were all senior professionals from the IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in the near future was very disappointing.
The fact that 90% said that they will consider only if they suffer a loss indicated the dreaded syndrome of “Closing the stable doors after the horses have bolted”.
I can categorically state that many of the organizations may either not survive after their first attack or may get so badly battered that their survival after the attack would be an unending struggle. None of us know what destiny holds for us. But for us to take Cyber Risks so lightly is nothing short of recklessness and readiness to commit harakiri.
I therefore strongly advocate that entrepreneurs of all kinds shed their complacency and take a look at the need for Cyber Insurance.
I also want to highlight here that the need for Cyber Insurance is more for the entrepreneurs than the Cyber Security professionals since the business risk lies mostly with the entrepreneurs and their investors. If a company faces a fatal attack, the Cyber Security professionals will easily walk out and settle in another company enriched with their experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, loss of his dream project may be the end of the world.
Hence it is the Company promoters, Directors and Investors and Business Managers, who need to watch out for what I am set to say on Cyber Insurance through these columns.
Cyber Insurance is part of Cyber Security Management
Cyber Security professionals who understand that Cyber Security management consists of the four strategies of “Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption”, and that “Risk Transfer” is achieved through Cyber Insurance, also need to watch out. After all, they are senior professionals today and many of them will be owners of businesses in the Start-up revolution that is sweeping our country.
The first reason why a responsible professional is not keen on Cyber Insurance is that there is less understanding than needed of what “Cyber Insurance” is. Let us therefore try to address this issue first.
Two Components of Cyber Insurance
Cyber Insurance has two major components. One is insuring self damage, where losses suffered by the insured are covered by the insurer. The second is that when a Cyber incident occurs, the insured may become liable to pay damages to an outsider. Cyber insurance also covers this as “Liability insurance”.
It is easy to understand this concept by looking at the similarities with Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle gets compensation to pay for the repair of the vehicle. At the same time, under the Motor Vehicles Act, if he is liable to pay damages to third parties, that is also covered.
Cyber Insurance is like Motor Insurance in this respect and has the two components of “Own Damage” and “Third Party Liability”.
The “Cyber Incident” may happen for many reasons. For example, it can happen due to internal technical issues, including physical issues such as electrical outage, flood, fire etc. It can also happen due to a fault in the hardware or software. It can happen due to human failure such as negligence of employees. It can also happen due to malicious intentions of humans, including insiders and unknown attackers from the wild. Among such attacks there are also those categorized as “Zero Day Attacks”, which essentially means that until such an attack is revealed, even the manufacturer of the software/hardware does not know that a certain Zero Day vulnerability exists in the system which he has in good faith sold to the IT user who is today facing a liability situation.
Asset Valuation Issues
A quick glance at the various reasons that can cause a loss which may come under the umbrella of a Cyber Insurance indicates why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.
For example, for insuring “Own Damage” one needs to value the Cyber Assets. While it is easy to value the hardware and purchased software, for which there is a cost and a depreciation, the value of internal software development needs to be arrived at on an assessment. Also a huge part of the cyber assets is in the form of “Data” which is acquired at a cost. The resident data should therefore be valued.
Now check back with your CFOs whether there is a proper valuation of the cyber assets reflected in the balance sheets and whether your current asset valuation policies for the purpose of P&L are well suited for claiming insurance.
Most companies have a system of writing off all software purchases as “Expenses” though its beneficial use is spread over several years. Hence many soft assets continue to be used much after they find no mention in the balance sheets. As regards the hardware, it is often the practice to retain a nominal value of Rs 1 in the balance sheet even after the value is depreciated for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost so that no asset remains outside the radar. When a cyber event occurs and the company has to regroup, what is relevant is “Replacement Cost” of the asset and not the depreciated value represented in the balance sheet.
Of course it would be convenient for the insurance company if the insured is stating that what he has lost is of “Zero Value” on the books while it costs a bomb to replace. The insurance company may simply value the assets at book value and deny any compensation.
There is therefore the first hurdle of “Asset identification and Valuation” for the purpose of “Cyber Insurance” on which the industry has to reach a convergence. Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to think if their asset valuation system needs to be reconsidered.
I would urge the Institute to consider valuation of IT assets on “Replacement Cost”. Depreciation may be considered as first tier, second tier and third tier. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation could be the conservative approach where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.
If accountants follow this system of representing the asset value, then analysts can pick up either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating the compensation, while shareholders and SEBI may look at the lower asset value as a conservative estimation of profits.
Where software assets are developed within the company, there needs to be a valuation process which is today mostly absent. Only service companies who bill their services to their clients have a good system of evaluating their operational costs. Others ignore the internal development cost which gets debited to the P&L as an expense. There is a need for maintenance of employee work record and assigning them to valuation of Work in Progress and later to the completed service. If this can be done, there would be a greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant who can develop a system of valuing the service component which can be rightly priced for business purposes while at the same time providing the asset value for the insurance purpose.
The last item of asset is the “Data”. While the company can value “Data” on the basis of its acquisition cost, during a cyber incident leading to a liability and insurance claim, what is relevant is not the asset acquisition cost but the loss which the victim has suffered and has claimed from the Company under the legal rights given to him under law.
Dependency on Compliance
This “Liability” estimation depends on the “Legal Compliance” status of the company such as “Reasonable Security Practice” and “Due Diligence” under ITA 2008 and also the Privacy Rights granted under the constitution or other laws. Additionally the efficiency of our legal system where victims are aware of their rights and make adequate claim also will influence the losses which the company suffers and expects to be covered by the insurance policy.
Just as Liability insurance has a dependency on ITA 2008 compliance of the insured, the estimation of replacement value of soft assets has a dependency on the DRP and BCP status of the company. If a Company has an excellent DR and lost assets can be recovered in full without much cost, the replacement cost as well as the insurance liability will be reduced.
It is for this reason that the survey discussed the Compliance status in greater detail; the responses to those questions will be discussed in subsequent articles.
Declared Value of Assets
Practically, when an Insurance contract is written, the insured and the insurer have to identify the value of assets since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form which will include the value of the assets to be insured. The insurer looks at the value and determines the premium.
Now it is possible that if the insured and the insurer are not on the same level of understanding, the contract may be vitiated by declarations made by the proposer, which always works to the advantage of the insurer.
The insurance contract is considered a “Uberrimae Fidei” contract or a “Contract of utmost good faith”, and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspects which he did not declare at the time of insurance.
The easily understandable example is when we take health insurance and fail to disclose pre-existing diseases. While the insurer can accept the proposal and charge a premium based on the declaration, if a claim arises, the insurance company goes into investigation mode and finds out that there was a pre-existing condition of the insured which would have altered the premium and risk; since it was not disclosed, the entire contract is declared invalid and the claim denied.
A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other IS related issues. “Hiding Truth” is therefore not a good strategy at the time of insurance and this is a challenge for professionals since they might have hidden the truth even from their own management in the past. Hence a strong “Security Incident Management” policy and implementation is essential to write a robust insurance contract.
Another factor which insurers should remember is that if the valuation of assets at the time of insurance is lower than the valuation at the time of the insurance claim (when a re-assessment is made as a general practice), it may be considered an event of “Under insurance” and the insurance company may decline to pay the full loss, treating the shortfall as “Self Insurance”.
Hence it is important for the insured and insurer to agree upon a proper valuation system so that there will be no claim of “Under Insurance” or even “Over valuation” though there may be a natural appreciation or depreciation of the value for different reasons.
Need for Well Structured Policies
These complications are one of the reasons why perhaps 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at suitable price is available.
This also indicates what an insurance company needs to do now that it knows that 92% of the respondents are their potential customers who may consider such products.
If all the complications of asset valuation etc. cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with certain sub-limits for different types of losses. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.
(Discussion to continue)