Naavi has been an advocate of Cyber Insurance for a long long time. However, the market seems to be dragging its feet either because the insurance companies are too scared to touch the unknown risks involved or the insurance seekers are not pushing them for the service. To understand the status of the Cyber Insurance industry in India, a Cyber Insurance Status study titled “India Cyber Insurance Survey 2015” was undertaken. Some aspects of this survey has been briefly referred to on this site earlier. Now based on the results of the survey, a more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi
When the study was being planned, one of the discussions was whether we should call it a “Cyber Insurance” or “Cyber Crime Insurance”. Though ultimately it was decided that the nomenclature would not make any difference, the discussion highlighted the dilemma on what should be the driving force for a “Cyber Insurance Policy” and who should be the beneficiaries of such an insurance.
The survey obtained different responses on this aspect through multiple questions. However one of the direct questions asked was who should be covered in the Cyber Insurance policy.
The response was
–100% agree that corporates are to be covered
–Only 58% consider individuals are to be covered
–74% want Non Commercial organizations also to get cover
Most of the respondents were professionals working in organizations and hence it was natural that 100% of them wanted the insurance to cover the corporates.
However, it was significant to note that only 58% thought that Cyber Insurance should cover Individuals and 74% said that it should cover other organizations such as NGOs.
It was intriguing that 42% of the respondents who are also individuals in their own right and are exposed to personal cyber crime related risks did not consider that they needed insurance protection.
One of the reasons why such a self defeating opinion was expressed was that perhaps many did not believe that there could be a Cyber Insurance policy that can cover individuals.
A minority of them might have felt that if corporates are covered, individuals also may be indirectly protected.
There is no doubt that Cyber Risks affect both individuals and corporates and most of the times, individuals are affected through breaches at the corporate level.
However in the current status of digitization of Commerce and Governance in India, it is important to realize that individuals are getting exposed directly to Cyber Crime related risks and Organizations are using loopholes in law and their bullying strength to escape liabilities when the ultimate loss can be shifted to the individuals.
Naavi has been in the forefront of the fight for Netizen’s protection particularly in cases involving Bank frauds where the “Intermediary Responsibilities” under ITA 2008 have been invoked to argue that Banks and other intermediaries should pick up the liabilities arising out of cyber crimes such as Phishing.
The Government of India under the Digital India program has placed increased reliance on Aadhaar and JanDhan yojana which are exposed to high risk of mass security compromise. I have brought it to the attention of the Government including the PMO that in the coming days, the JanDhan Yojana could be the target of cyber attack since it not only can help the attackers to siphon off money, but also discredit Mr Modi before the next elections.
The risk is so daisy that political parties in India which have no qualms of supporting Pakistani terror groups even by falsifying records and blaming patriotic soldiers of the country as the kingpins of terror, may themselves attack the e-Governance systems and cause havoc. If this risk materializes, then the burden of such attack will be on the individual members of the public. Political parties may use mass attacks on e-Governance projects as a tool for their political gains unmindful of the damage that it may cause on the citizens like you and me.
It is for this reason that Naavi has strongly felt that Cyber Insurance should be a mandatory protection that Government should organize for users of JanDhan Yojana as well as the Mobile and Internet Banking customers.
When RBI wanted to consider new Banking licenses, even the RBI Governor was sounded out with a request that new licensees need to be mandatorily required to provide Cyber Insurance cover for their customers. Unfortunately, the sights of the RBI Governor Mr Raghuram Rajan was so far removed from safe E-Banking that there was no attempt to impose such responsibilities on the new banking licensees.
We can therefore say that both the Government as well as the RBI have for now rejected the need for individuals to be protected by Cyber Insurance and our respondents seemed to reflect the same attitude.
When it comes to coverage of risks in the corporate environment, while the “Own Damage” coverage refers to the loss suffered directly by an insured company, the “Liability loss ” depends on the loss suffered by the customers of the company. If these customers are directly covered by the insurance, then the liability of the company in which the breach occurred would automatically get reduced.
For example, if there is a group insurance scheme under which all the customers of a mobile banking application are insured to the extent of say Rs 5000/-, then when a breach occurs at the application owner (say a Bank) and individuals suffer a loss, the liability that the Bank needs to cover gets reduced to the extent the individuals are already covered.
Hence, if individuals are provided Cyber Crime insurance cover, it only acts as a sub limit in the coverage of the organization in which the breach occurred.
The reason why Insurance coverage to individuals are preferred is that such a cover will provide an opportunity to harden the security at the individual level since individuals will now see a direct benefit in following security practices mandated by an insurance company before the claims could be settled. After all, the insurance companies will have plenty of excuses to deny the claim if the individual has compromised on an of the security principles.
I therefore still advocate that Cyber Insurance should be extended to individuals to enable them take direct insurance at a low cost and also as a “Group” associated with any organization.
If any Insurance Company is innovative, they can encourage many self help groups to collectively insure themselves against defined Cyber Crime risks even outside the ambit of the Banks.
For example, as an administrator of a WhatsApp group on Information Security, I may seek cyber insurance for all my members using say mobile apps such as Paytm, Ola Money, iMobile etc. subject to a maximum of say Rs 5000/- per member per incident. I will simultaneously build awareness of the security requirements with all the members so that majority of them will follow the security practices.
I suppose this would be a manageable risk for the insurance company and can be priced with a nominal premium. In the process, it would also encourage all the members of the group to follow a certain discipline.
I am aware that individuals would like to be covered for much more than Rs 5000/- but this could be a good beginning to cover mobile related risks. At the same time, higher coverage can be provided outside the group insurance scheme.
Similarly, companies and educational institutions may encourage all their employees or students to obtain a group Cyber Insurance to protect themselves from losses arising out of Cyber Crimes outside the company’s own activities, undertaking to build awareness of security amongst its employees. Slowly the aggregation of such groups will provide a large base of insured Netizens and not only generate enough revenue to the Insurance company but also make the society more secure.
This is an illustration and many other strategies can be developed by self help groups and Banks to improve the security culture in the society using the insurability as an incentive. This will be beneficial both to the society and to the insurance company itself.
At the same time, I consider that it is the duty of the Government and RBI to mandate Cyber Insurance at the Bank level so that the risk of loss is reduced at the gross level. The Government has already instituted many insurance proposals for farmers and rural folk and RBI has reiterated the need for Cyber Insurance in its policy guidelines. What is now required for them to do is just take steps to implement Cyber Insurance also in such a manner that users of Digital India services will be protected from financial losses.
Hope the PMO is listening…..