Information Security Professionals think that all the talk of Cyber Insurance is nonsense since the risks are so huge that any company that insures Cyber risks is doomed to fail. Is this negative thinking justified?.. Let’s explore
Cyber Insurance is a concept where an insured person or organization looks to claim recovery of loss suffered by him on account of an adverse cyber event. The adverse cyber event could be a financial fraud in case of an individual who loses money in his bank account. In an organization, it could be a denial of service attack that causes business loss or a hacking/data theft that leads to reduction in business competitiveness. In the case of “Intermediaries” who process third party data, the adverse event could be also a theft or compromise of customer data leading to liabilities payable to customers.
While an individual will be happy if some body can provide insurance cover against losses on account of Banking frauds, he does not know if such policies are available and if available, what is the cost. Some Banks are persuading their credit card customers to take such fraud insurance but the costs are unreasonably high and are meant to cover the liabilities that the Banks are expected to legally bear. Why should a customer bear the cost if the Bank makes a payment against a forgery?. So the individual does not know how he should approach the Cyber insurance. But he does expect the Government and the regulators who are keen on digital India, to do some thing to ensure that financial risks of common day to day activities does not increase. Hence there is a need for pushing the Government for a Cyber Fraud Prevention policy. Insurance companies are also not very keen on the retail market since it may be uneconomical for them to manage the business from the point of view of the administrative cost.
At the same time providing Cyber Insurance to corporate is considered a lucrative business for the Cyber Insurance Companies and this market is in a take off stage. There is however lack of statistical data of risks and hence the Cyber Insurance companies try to cap their liabilities by imposing several restrictions on the claims.
In fact the Information Security professionals generally dismiss the talk of Cyber Insurance since they think that the threats are so great that any body thinking of providing insurance to this sector is foolish. The more they know about the threats, vulnerabilities and the risks, the less confidence that they have on the feasibility of the Cyber Insurance proposition.
But what the IS professionals are not aware of is that the Insurance industry has seen risks of many types and devised its own ingenious ways of providing an insurance cover in an environment of uncertainty and still manage the risks.
For example, one way by which the Cyber Insurance companies manage their risks is to put a cap on their liability per claim or per incident with sub-limits of various types. Accordingly, in a DDOS liability, the Cyber Insurance may place a limit on loss per hour of disruption and total loss to not more than say 1 day disruption etc. (This may vary from industry to industry). Similarly, in the case of data loss situation there can be a loss per data limit and a total data loss in a single event and in multiple events during the policy period etc.
As a result even if there is a loss of Rs 5 crores as estimated in a data loss situation, and the Company has a policy of say 25 lakhs, the actual loss reimbursed in a given data loss or a given DDOS disruption incident may be only say Rs 5 lakhs. Thus the risk of 25 lakhs that the company has underwritten is spread over 5 incidents in an year and if not the first, the subsequent losses can be attributed to the insured not taking adequate security measures despite an earlier warning which may be a reason for rejecting a claim. As a result, despite underwriting a policy of Rs 25 lakhs and despite the insured suffering a loss of more than Rs 25 lakhs, the Insurance company may not really lose Rs 25 lakhs.
Some may jump to a conclusion that this is not fair. But what the insured need to understand that just as an IS professional manages his technology risks, the Cyber Insurance professional manages the financial risks and he has to have his shields. In the process, it becomes necessary for the IS professional to ensure that “Similar” security breach incidents donot occur repeatedly in his company and “Each security Breach” does not result in a run away loss and it is his responsibility to ensure that the company returns to its normal business within a short time. Essentially, having an Insurance does not allow the IS professional to be complacent. He has to be more responsible.
The Information Security Professional therefore have to appreciate that Cyber Insurers are ingenious enough to take only such risks that they can bear. In fact, it is the best of the Information Security professionals who will be assisting the Cyber Insurance companies in formulating policy conditions, conducting a pre-insurance evaluation and claim assessment. The best of the forensic professionals are engaged by the industry to find out the root cause of an incident and whether there is any ground to attribute the loss to the negligence of the Company. So, the Cyber Insurers are fully aware of the risks they are underwriting and taken necessary steps to meet their liabilities even when a Zero day attack creates havoc in the insured company.
It is clear therefore that the Information Security Professionals need to shed their bearish outlook on Cyber Insurance industry and appreciate that this is an industry which is set to grow rapidly in the coming years. In fact, Information Security professionals should be excited about the new career opportunities that the Cyber Insurance industry is opening up both in the prospective users of the Cyber Insurance products as well as the Cyber Insurance industry itself.