According to the National Crime Records Bureau (NCRB), cyber-crime zoomed 350% in the three years between 2010 and 2013. In a 2014 survey of 170-plus Chief Information Officers, Chief Information Security Officers and the like conducted by KPMG, 89% of the respondents felt that cyber-crime is a major threat, 51% felt that their companies were easy targets for cyber-attacks and 49% had actually experienced such attacks. In December 2014 an Economic Times article quoting unnamed experts stated that India Inc. had lost as much as $4bn due to cyber-attacks of all kinds during 2013 and suggested that losses had increased by 30% in 2014. Yet Prudent Insurance Brokers estimates that only 50 or so dedicated cyber-insurance policies have been sold in India so far. The gap between risk perception and actual risk mitigation could not be starker!
Cyber-crime is no longer the domain of the relatively harmless nerd seeking the thrill and fame of the exquisite hack, who damages little more than the ego of his corporate victims. Today the stakes are much higher and can even put lives in jeopardy. For instance, while the world was transfixed by the admittedly spectacular North Korean hack of Sony, very few people knew that a steel plant in Germany had lost control of its blast furnace. For some time the hackers had sole control of tonnes of molten ore, and thankfully they disengaged without causing the horrific industrial accident that they were fully capable of causing at that time.
Another very dangerous recent trend is the increasing availability of mercenary hackers, or hackers for hire. These services make it disturbingly easy for individuals and businesses to sponsor attacks, steal data and money, stop the operations and services of another firm and sabotage lives and businesses – all by remote control. In a recent report Gartner found that zero percent of large enterprises have formal plans to address aggressive cyber-security business disruption attacks, probably lulled by the low frequency of large-scale attacks. However, it foresees that by 2018, 40% of big firms will have such plans – underscoring the high threat perception for the immediate future.
In India the largest number of cyber-crimes for the year 2013 (later data is not yet available), i.e. 2144 in total, were classified in the "others" category by NCRB. That is probably because these are crimes that are not easily attributable in the outdated lexicon of our penal code. Even so, as many as 2061 were attributable to fraud, illegal gain and greed for money. Most of these have involved siphoning off anything between a few lakhs and a couple of crores from either bank accounts or leaky government schemes such as MNREGA. Interestingly, according to NCRB the bulk of cyber-crime arrests in 2013 took place in the 18 to 30 age group, followed by the 30 to 45 age group.
While Indian companies seem to be aware of cyber-crime, they have been slow to recognise its far-reaching impact (such as denial of service for days on end) and even slower to adopt adequate protection by way of proper insurance. Of the 50 or so dedicated cyber-risk policies that have been bought in India, a majority have been bought by technology and BPO firms, mainly because they have been mandated to do so by their contracted customers.
Banking, Financial Services and Insurance companies are also aware of these risks; Arbor Networks reports that last year 34% of Indian financial sector companies reported cyber-attacks and threats, up from 15% in the previous year. As a result, a few large banks have now bought cyber-insurance policies with limits ranging between US$5 million and US$10 million. Other industries such as hospitality, retail and health-care do not even have sophisticated Professional Indemnity cover in place, leaving their balance sheets very vulnerable to the costs of a breach.
But traditional policies such as Professional Indemnity, Commercial General Liability, etc. are not really well geared towards protecting against the extensive and varied damages and costs of a cyber-attack, such as the many third-party costs of hiring forensics experts for investigation, image managers to repair soiled reputations, or software and security consultants to repair broken firewalls and processes. Nor do they cover the fines and penalties that a regulatory or quasi-regulatory authority might impose on a breached business for negligence.
Cyber-risk is different for different industries, so a one-size-fits-all cyber-insurance policy will prove inadequate. Unlike with traditional policies, adequate protection or risk mitigation cannot be obtained without a high degree of individual customisation, which is perhaps the primary reason why India Inc. is so under-insured when it comes to cyber-risk. But given the exponential increase in attacks over the years and the increasing severity of the damages and losses caused by cyber-crime, specialised individual policies are the need of the hour. There are other benefits too, which are not available with traditional policies: having a cyber-insurance policy means not only financial protection for the payment of post-breach bills but also the additional benefit of having the broker and insurer effectively manage the breach situation. Also, these policies usually come bundled with the services of various experts such as forensics teams, credit monitoring firms, public relations organisations, etc., who will assist the insured in the various aspects of breach response which they would otherwise find overwhelming on their own.
In conclusion, while it may be difficult or even impossible to achieve total protection against cyber-crime, it is eminently possible to have total protection for the aftermath of a cyber-attack.
Gurpal Dhingra is a Director at Prudent Insurance Brokers Pvt. Ltd.