Several companies are considering taking cyber insurance to seek protection against huge financial losses, especially after the prevalence of large-scale cyberattacks including the recent ones on SolarWinds and the U.S. Colonial Pipeline.
Large-scale cyberattacks, like the recent SolarWinds and U.S. Colonial Pipeline attacks, have highlighted the growing threat of high-profile hacks on Internet users worldwide. According to the World Economic Forum, cyberattacks top the list of human-caused risks globally, and research firm Cybersecurity Ventures has predicted cybercrime may cause damages worth $6 trillion by the end of this year. Several companies have turned to cyber insurance to seek protection against huge financial losses.
What does cyber insurance cover?
A typical cybersecurity insurance policy, or cyber risk insurance policy, is designed to help businesses hedge against potential cybercrime including ransomware, malware and distributed denial-of-service (DDoS) attacks. Some policies may also cover losses incurred by other methods of hacking such as cyber stalking, e-mail spoofing, phishing, and cyber-extortion that may compromise a network and expose sensitive data. The claims could also include the cost of privacy investigations or lawsuits following an attack.
Individual and corporate plans should also cover the cost of hardware, as in a case where a cyberattack causes a computer burn-off due to extensive CPU utilisation or heat dissipation system failure, Joydeep Roy, Global Health Insurance Leader at PwC, told The Hindu.
Cyber insurance policies generally don’t cover potential future lost profits and loss of value due to theft of intellectual property, according to Rohan Vaidya, Regional Director of Sales-India at CyberArk.
“Any person connected to the Internet must consider taking cyber insurance,” according to T. L. Arunachalam, Director of Cyber and Emerging Risks Practice at Bharat Re-Insurance Brokers. This applies to both individuals and businesses that conduct transactions online through banking or have any form of internet presence, he told The Hindu.
How much does a policy cost?
Companies generally opt for policies falling in the range of ₹40 crores to ₹200 crores as sum insured, and the typical premium is around 1-4% of the sum insured, Rohan said.
The cost of a cyber insurance policy depends on several factors. Premiums are likely to be high for companies in certain sectors like pharmaceuticals, healthcare, hospitality, and banking, as they hold sensitive customer information and are prone to vulnerability, according to Arunachalam.
Cyberattack preparedness will also determine the cost of a policy. If a company has weak cybersecurity defence systems and incident response techniques, the Probable Maximum Loss (PML) is likely to be higher, pushing up the premium of the policy. “It makes sense for companies to invest in tools and/or subscribe to professional services to strengthen its cybersecurity policy, architecture, defence & decoy systems as well as the crucial element of swift and expert incident response mechanisms,” Joydeep noted, indicating that cyber insurance cannot compensate for inadequate cyberattack prevention practices. “The seriousness towards possible cyberattacks and the determination of a company to defend its data and resources will also play a part in determining the premiums and claim payments of cyber insurance,” he added.
While cyber insurance has been a talking point in India for the past few years, only about 15-20% of Indian companies are actively considering securing their risks through insurance, Arunachalam said. “The percentage of companies already insured will be much lesser,” he stated. However, automation, Internet-of-Things and the current work-from-home situation are likely to give a boost to cyber insurance adoption in India in the coming years, CyberArk’s Rohan noted.