Abstract
Technology has penetrated our lives so deeply that all our essential work depends on it. The same is true of the banking sector. Banking has been made simple by the use of technology in all domains of traditional banking. With the rise of digitization comes a rise in the threat of cyber-attacks. In the past few years we have seen numerous cyber-attacks on corporations as well as individuals. So protection of data is the need of the hour. This article touches on the concept of data protection and introduces cyber insurance as a risk transfer measure.
Cyber Insurance – A Risk Transfer Measure
We are all aware of the saying that necessity is the mother of all inventions. In today's context the saying has changed somewhat. Put more simply, we would rephrase it as: technology is the genesis of developmental advancement. We are now so dependent on technology that most of our time is invested in the gadgets that are the gift of this technological advancement. Without them our life seems dull and void. Technology has penetrated our lives so deeply that all our essential work depends on it. The same is true of the banking sector. Banking has been made simple by the use of technology in all domains of traditional banking. Be it transactions, deposits or transfers of funds, all are totally dependent on the effective use of technology. Along with the advantages of being techno-friendly, we are also vulnerable to data theft and to becoming victims of cybercrime, which can expose any organization to reputational risk.
Nowadays there are a lot of instances of cyber extortion, cyber stalking, and hacking, due to which many advanced nations and corporations are facing issues in protecting their data intelligentsia. There have been instances of cyber-attacks on various banks in the past where attempts were made to siphon off money, and our bank was also one of the victims.
With the rise of digitization comes a rise in the threat of cyber-attacks. In the past few years we have seen numerous cyber-attacks on corporations as well as individuals. Malware such as WannaCry and other ransomware left American and European nations perplexed, as the most valuable asset of all, data, was made vulnerable; the resulting cyber theft allowed hackers to siphon off money from big corporations and left databases accessible to them. This has raised the crime rate and begun a new type of war, which we can term cyber war or cyber terrorism. Here, terrorist organizations use high-end technology and algorithms to attack confidential government databases and extort a hefty sum from nations for decrypting them.
As the custodians of the public's money, banks need to build on the CIA Triad (Confidentiality, Integrity, and Availability). Here the most important factor is protecting customer data. With millions of consumers transacting with banks online every year, it is a bank's obligation to put mechanisms in place to stop the loss of Personally Identifying Information (PII), its customers' transactional data, and the bank's internal sensitive information. It is also the bank's responsibility to respond efficiently and effectively in case of such losses. Cyber frauds are a fast-emerging threat to most business entities, and more so to financial institutions, including banks. Banks have been building suitable cyber defense systems to detect and prevent cyber-attacks and to minimize, if not avoid, financial losses. For a bank, the most valuable asset is its customers. For a customer, it is the trust factor that plays a significant role in building a long-term relationship with any banking institution. So it becomes pertinent for banks to identify the risks involved in online cyber frauds and, to save the institution from reputational loss, to adopt risk mitigation measures so that the banker-customer relationship remains intact.
Cyber Insurance – a Risk Transfer measure
Business losses can occur in two ways: naturally occurring losses caused by natural calamities such as fire, earthquake and floods, and human-induced losses caused by mala fide intentions or by acts of theft, be it physical theft or cyber theft. Though not natural, thefts and robberies are also considered unavoidable. Banks find ways of transferring the risk of loss due to such unavoidable events through insurance. So to mitigate the risk it is necessary to transfer it through cyber insurance.
Cyber insurance is a customized insurance offering comprehensive cover for third party liability and first party expenses a bank may incur arising out of unauthorized access or use of its physical and electronic data or software. Cyber insurance policies can also provide coverage for liability, costs and expenses arising from network intrusion, the spreading of a virus or malicious code, computer theft or extortion. Cyber insurance also provides cover for business interruption and the cost of notifying customers and regulatory investigations or actions in case of a breach, without the requirement for physical damage that is a standard trigger under property policies. The Reserve Bank of India highlighted the need for Indian Banks to obtain Cyber Crime Insurance in its Internet Banking Guidelines of June 14, 2001 to ensure that customers are spared from phishing liabilities.
Cyber insurance policies are designed to address many variables within the online realm and can include:
The liability of the bank arising from data protection laws
The management of personal data and the consequences of losing personal identifying information
Repair of banks’ reputation
Notification and monitoring costs
Cyber extortion and network interruption.
Cyber Insurance is a comprehensive insurance solution for banks covering first-party costs and third-party liability risks arising from a cyber-event.
First-party Coverage
First-party covers provide protection to the bank in the event of a loss whether caused by itself or someone else. When a bank experiences a cyber-attack or a data breach, the following events/occurrences can be covered under insurance:
Employee Theft Coverage
Premises Coverage
Transit Coverage
Computer Fraud Coverage
Depositors’ Forgery Coverage
Forensic Investigation
Business Interruption
Computer Data Loss and restoration
Extortion
Third-party Coverage
Third-party coverage provides protection to the bank against the claims of third parties. When a bank experiences a cyber-attack or a data breach, the following events/occurrences can be covered under insurance:
Litigation and Regulatory
Regulatory Response
Notification Costs
Crisis management
Credit Monitoring
Media Liability
Privacy Liability
In India, the concept is still at a very nascent stage. As per industry reports, there was a 40% rise in cyber insurance policies in 2018 compared to 2017, which indicates that customers are becoming more aware of the threats they face in cyberspace, that the major threats corporations face come from cyber criminals, and that the integrity of their clients' valuable data is being put at stake. The major areas covered by policies issued in India include:
First-Party Expenses
Privacy and Data Liability
Business Interruption
Cyber Theft
Some of the insurance companies providing cyber insurance services in India are Tata AIG, ICICI Lombard, Bajaj Allianz, HDFC ERGO and New India Assurance.
Barriers to Growth
Although the concept of cyber insurance looks appealing, there are certain roadblocks to its full implementation for both the insurer and the insured. The major problems are:
Lack of a Privacy Law in India
Industry-specific risk
Lack of historical data
Cost burden in adopting a cyber-insurance cover
Underlying complexity of calculating premiums, assessing third-party losses, and detecting fraudulent claims
Difficulty in predicting the probability of occurrence and the impact of the risk
Having to customize policy covers and premiums for each industry
Lack of predefined standards and metrics for cyber risk insurance
Ambiguity over the scope and coverage of policies
Absence of a single comprehensive insurance cover (presence of multiple covers and policies by different insurers)
The Future Course of Action
Given the barriers to growth in demand for cyber insurance, and the gravity of the matter, the onus of creating space for cyber insurance in the market lies with the stakeholders who are directly or indirectly affected. Stakeholder-wise action points are as follows:
Regulators / Govt. Bodies
Creating awareness and ecosystem skills in cyber insurance policies by running awareness programs
Incentivizing various organizations through direct intervention or providing procurement benefits
Providing toolkits and checklists
Introducing cyber insurance as a measure to mitigate risks through the National IT and Security Policy
Creation of a Cyber Incident Data Register for referral purposes, accessible to cyber cells and networking experts
Promoting actuarial science for better modeling of cyber risks
Creating a Crisis Response Team at national and state level by the government, and at corporate level by private entities, to meet any future cyber threats and instances
Tech Firms
Setting up a sector-specific cyber risk assessment framework
Offering industry-specific customized products and services
Brokers
Increase awareness about the product amongst consumers and users of IT products
Clearly define the provisions of cyber insurance policies to customers so that they have a clear understanding of the policy
Buyers
Regularly undergo cyber risk evaluation to understand system vulnerability
Creation of a Cyber Risk Committee to have a better understanding of cyber risk
Conclusion
Though cyber risk insurance is at a nascent stage in India, looking at the instances of cyber fraud across the globe, it is soon going to occupy a prominent place in the insurance market and will soon be the most sought-after insurance product. Many organizations are not adopting it at present because they find it inapplicable to their organization, but it may soon become unavoidable. The need of the hour is to have a proper risk assessment of the threat and to mitigate it by adopting a comprehensive cyber insurance policy, so that the CIA triad can be well established and customer data can be well protected.