Today, cyber risk is a top agenda item at the board level. With the cyber risk landscape id changing fast and attacks becoming more frequent, severe and systemic, the primary concern facing organisations is that security breaches to technology and physical infrastructure could lead to data loss, financial losses, regulatory sanctions, reputational damage and operational threats. The domestic cyber insurance market is slowly gaining traction, with India bracketed alongside the US and China as among the world’s most cyber attack-prone countries.

Although the cyber insurance market is still miniscule, Indian corporates have started to show interest in such products and have realised the prospective threats emanating from cyber hacking. Cyber security continues to be a major issue in India with 76% organizations hit by online attacks in the last year, as compared to 68% incidents across the globe, reveals a new global survey from security firm Sophos. The survey, ‘7 Uncomfortable Truths of Endpoint Security’, reveals that IT managers are more likely to catch cyber criminals on their organization’s servers and networks than anywhere else. In fact, IT managers discovered 39% of their most significant cyber attacks on their organization’s servers, and 35% on its networks.

Only about 8% were discovered on endpoints and about 19%, which is almost double the global average, were found on mobile devices. In other key findings, 97% IT managers admitted that security expertise is one of the greatest issues in India, and while 92% Indian IT managers wish they had a stronger team in place to properly detect, investigate and respond to security incidents, 89% believe cyber security recruitment is a challenge.

Given India’s fast-growing affinity towards technology and its services, it is important that the country’s businesses take more active steps towards cyber security.

As we accelerate towards becoming a trillion-dollar digital economy, building the right framework for cyber resilience and security is critical for the country. The government on its part has taken a number of initiatives in this direction; however, the involvement of each citizen and all organizations to make it a collective and coordinated movement is must for the success of the cyber secure eco system. India currently ranks 15th in a list of the world’s least secure countries with respect to cyber security. The global survey ‘7 Uncomfortable Truths of Endpoint Security’ conducted by Sophos, an endpoint security provider has found that 76% of Indian businesses were hit by cyber attacks in the past year, the highest after Mexico and France. In its global survey, Sophos said that more than 18% threats discovered in India are on mobile devices, almost double than the global average, while only 7.9% were discovered on endpoints. 39% threats were discovered on the organisation’s servers and 34.5% on its networks. 76% of Indian businesses were hit by cyber attacks in the past year, the highest after Mexico and France. More than 18% threats discovered in India are on mobile devices, almost double than the global average, while only 7.9% were discovered on endpoints. 39% threats were discovered on the organisation’s servers and 34.5% on its networks.

Server security stakes are at an all-time high:

Server security stakes are at an all-time high with servers being used to store financial, employee, proprietary, and other sensitive data. Today, IT managers need to focus on protecting business-critical servers to stop cyber criminals from getting on to the network. They can’t ignore endpoints because most cyber attacks start there, yet a higher than expected amount of IT managers still can’t identify how threats are getting into the system and when. 14% of IT managers who were victim to one or more cyber attacks last year can’t pinpoint how the attackers gained entry and 17% don’t know how long the threat was in the environment before it was detected. The survey emphasises the need to have better endpoint detection and response capabilities. On average, Indian organizations spend 48 days a year (four days a month) investigating potential security incidents. It comes as no surprise that IT managers ranked identification of suspicious events (22%), alert management (19%) and prioritization of suspicious events (13%) as the top three features they need from EDR solutions to reduce the time taken to identify and respond to security alerts. The survey polled more than 3,100 IT decision makers from mid-sized businesses in 12 countries in Colombia, Brazil, UK, France, Germany, Australia, Japan, India, and South Africa.

Key India-specific survey findings:

  • Most cybercriminals are detected at the server (39%) or on the network (35%); 8% are found on endpoints
  • More than 18% threats discovered in India are on mobile devices, almost double than the global average
  • 92% Indian IT managers wish they had a stronger team in place to properly detect, investigate and respond to security incidents
  • 89% IT managers surveyed believe cyber security recruitment is a challenge
  • 97% IT managers admitted that security expertise is one of the greatest issues in India
  • Three – fourth of Indian organisations admitted not being able to take full advantage of implemented EDR solutions
  • 67% Indian organisations plan to add Endpoint Detection and Response (EDR) capabilities to fight cyber attacks
  • After Mexico and France, Indian businesses most hit by cyber attacks

Cyber risks will soon be bigger risks than natural disasters

Cyber risks will soon become bigger risks than natural catastrophes for the insurance sector. He has recommended that the industry build a comprehensive, common global scale to assess cyber-related incidents. It would be very helpful to have measurement and modelling tools. Unless we can model, it’s very difficult for us to provide coverage. We have scenarios but not modelling tools. According to the report, cyber security experts and top executives in the financial sector as well as representatives from the European Central Bank (ECB), the Federal Reserve and the central banks of Canada and Japan had convened in Paris to assess the risk. Cyber security threats are a “major and systemic risk” to the financial sector as attacks are more frequent and public action on cyber-attacks in the sector is “sub-optimal.”

 $600 bn a year:

While the cost of cyber risks has been small until now, the panel agreed it was only bound to increase. The cyber risk could exceed $600 bn per year “in the worst-case scenario.” That compares with the yearly cost of natural catastrophes, which he said is about $230 bn. The cyber risk “would dwarf it. So it gives you a size of the risk. Still, “the demand for cyber risk coverage well exceeds the supply and this is an issue,” calling for a ‘re-balance’ of the situation. The lack of aggregated data monitoring incidents is partly responsible for the shortage of coverage. The sector needs to coordinate and also to partner with authorities “to build databases and a taxonomy to share information,” or a common vocabulary for policy makers and companies to use in assessing cyber-related impact on the financial or industrial sector. Cyber security is a shared responsibility and companies must invest to have better protections and understanding of the risk. As computer systems around the world are bleeding from the onslaught of computer virus ‘WannaCry ‘, authorities in India are still trying to assess the damage done by the ransomeware-worm. As IANS reported that police computers across 18 units in Chittoor, Krishna, Guntur, Visakhatpatnam and Srikakulam districts of Andhra Pradesh were infected, there is no definite word on the extent of this cyber attack in India yet. Take a look at how India Inc has dealt with cyber attacks so far. While the full impact of the recent attack remains unclear, how India Inc has fared in similar situations in the past warrants a look.

Social media platforms are cyber criminals’ preferred choice

Social media platforms like Facebook and WhatsApp are emerging as new Public Square for criminal deception by cyber criminals. A study ‘Current state of Cybercrime -2019’ released by RSA Security has found that social media fraud increased by 43% in 2018. According to the RSA report, cyber criminals are increasingly relying on Facebook, Instagram, WhatsApp and other legitimate social media and messaging platforms to communicate with each other and sell stolen identities, credit card numbers and other ill-gotten gains. The increasing volume and growing frequency of cyber attacks across India have failed, though, to stir Indian companies into action. Two out of three companies spend less than five per cent IT budget on bolstering their cyber defences.

Legitimate platforms ease illegitimate transactions

The report says that ‘given the ease of use, absence of fees and other benefits of these social media platforms, continuation of this trend in 2019 should come as no surprise. Trade in stolen identities would gain greater momentum with more stores likely opening on legitimate platforms to sell this type of data. According to researchers, fraud in the mobile channel has grown significantly over the last several years, with 70% of artifice originating in the mobile channel in 2018. The RSA study has found that frauds from mobile apps increased 680% between 2015 and 2018. The use of rogue mobile applications to defraud consumers was also on the rise. While one out of five cyber-attacks was attributed to rogue mobile apps in 2018, RSA identified an average of 82 rogue mobile applications a day last year across popular app stores. The report states that 65 per cent of the cyber crimes were for illicit financial gains. Corporate rivalry follows in the list of motives, with 54 per cent cyber attacks meant for malicious damage to business operations, whereas 46 per cent fall under corporate espionage.

Interestingly, 18 per cent attacks are acts of war or terrorism from other countries, via the digital world. India emerged as the third most vulnerable country in terms of risk of cyber threats, such as malware, spam and ransomware:

Frauds via mobile channels are popular amongst cyber criminals

The popularity of the mobile channel for fraud will continue through 2019, especially as cyber criminals keep finding ways to introduce tactics and technologies such as phishing and malware to the mobile channel. Digital transformation will continue to unfold for both legitimate businesses and the cybercriminals who target them for fraud. It says that during 2019 it expects the following three trends  to evolve further and grow even more prevalent as organizations continue to leverage the mobile channel to deliver new digital services to customers.

Cybercrime trends in 2019

  1. Growing use of mobile to commit cybercrime
  2. Adoption of legitimate digital platforms for illicit activities
  3. Use of advanced technologies both to commit and to fight cybercrime

Cybercriminals are using Blockchain for their advantage

The RSA study points out that it reported last year on the use of a blockchain-based domain name system (DNS) to host sites such as stores that sell credit card information or other stolen data. Unlike traditional DNS addresses, which are subject to oversight by governing organizations like ICANN, blockchain based DNS addresses have no oversight. That makes it harder for law enforcement to interfere with their operations, including taking down sites, and that makes the popularity of blockchain among cybercriminals likely to grow. This is one reason RSA anti-fraud experts are predicting more fraud websites will be utilising blockchain domains in 2019. Cybercriminals are exploiting this trend, both by taking advantage of the increasing difficulty of authenticating identities and by taking advantage of digital technologies themselves. Indian companies have been hit again and again by computer viruses.

Digital transformation is proving to be a double-edged sword

As the digital transformation of both business and cybercrime continues, organisations must be increasingly vigilant and increasingly well-equipped technologically, to protect themselves from sophisticated attacks. In this way, digital transformation becomes both a critical contributing factor in the problem of growing cyber risks today—and a critical resource for solving it. IT managers need endpoint detection and response (EDR) technology that exposes threat starting points and the digital footprints of attackers moving laterally through a network.On average, Indian organizations that investigate one or more potential security incidents each month spend 48 days a year (four days a month) investigating them.

Senior executives are the weakest link in the cyber security chain

A new report ‘Are you the weakest link? How senior executives can avoid breaking the cyber security chain’ from The Bunker, a UK cloud security firm, finds that despite their high-ranking positions, senior executives are reportedly the weak link in the corporate cyber security chain. According to the report, many senior executives ignore the threat from cybercriminals and often feel that security policies in their respective organisations do not apply to their unique position. The report finds that cyber-criminals often target this known vulnerability and finds the senior executives guilty of a bit of grandiosity who disregard cyber security threats and policies.

The top five mistakes with respect to cyber security

  1. Not realising they are a prime target for cybercriminals
  2. Viewing cyber security as the responsibility of the Information Technology Deptt.
  3. Believing security threats are external and not internal or accidental
  4. Thinking a cloud provider is responsible for backup and security of all information
  5. Failing to use cloud hosted email securely

 

Most executives make these five mistakes, according to the report. Senior executives fail to realize that they are prime targets for cybercriminals, which is potentially a result of their view that cyber security is an IT responsibility that doesn’t have anything to do with their executive positions.

IT security has now become the remit of all individuals, especially those in the highest positions of each department and senior executives need to take ownership for IT security best practices in their day-to-day behaviour. Another common mistake among senior executives is that they believe cyber security threats are attacks that happen to the business by some external malicious actor rather than being the result of internal threats or accidents. Many top executives also reportedly believe that a cloud provider is responsible for the backup and security of all information, though they fail to use cloud hosted email securely.  However, cybercriminals know that top executives often have privileged access to company information, so hackers intentionally target their personal accounts. Professional hackers and adversaries will usually do a thorough investigation into a senior executive or board level director, including full analysis which could entail in-depth monitoring of the company website and associated social media accounts. Reviewing corporate policies, with a focus on people, premises, processes, systems and suppliers will provide valuable insights into which areas to improve, and by championing a ‘security first’ corporate culture, organisations and their senior executives will be well positioned to avoid the high financial costs, reputational damage and unexpected downtime that could result from a cyber-attack or data breach.

Are ‘silent’ cyber-risks really silent?

Allianz Global Corporate & Specialty’s winter/ spring 2019 edition of Global Risk Dialogue speaks about ‘silent’ cyber exposures – those not covered by traditional property and casualty (non-life) policies and create a great deal of uncertainty for customers, brokers and insurers, alike. In the past few years, cyber risks have gone mainstream. For the first time in the eight-year survey, cyber incidents are the top global risk in the Allianz Risk Barometer 2019, tied with business interruption (BI). Cyber incidents can trigger not only extensive financial or disruptive losses but, potentially, physical damage, BI, product recall, bodily injury or even have caused life-threatening consequences.

Cyber risk goes mainstream and evolves rapidly

The nature of cyber risk is evolving rapidly and constantly with hacker attacks becoming more sophisticated, targeted and far-reaching. The 2017 WannaCry and NotPetya attacks highlighted the risks and potential damage across all business areas causing significant concern around cyber risks in traditional property-casualty policies. Companies increasingly are exposed to large-scale, multi-vector mega attacks using advanced attack tools, often outpacing the maturity level of corporate IT security systems. Besides cyber-crime, often it is technical failure, IT glitches or human failure which causes massive system outages or data losses. ‘Silent’ cyber scenarios could include a hacker attack on a transit system causing a train derailment or a malware-infected, GPS-linked navigation system incorrectly guiding a ship. Another silent risk might include a hacker creating significant disruption by opening the floodgates at a hydroelectric dam, likely causing significant downstream flood damage and potentially triggering property policies. In such cyber- or tech-driven incident scenarios, it is often unclear whether or not traditional policies would cover the potential losses, as most don’t intend to cover cyber risk. Most traditional policies were designed when cyber hadn’t yet emerged as a major risk and don’t even explicitly mention or consider cyber risk. Such ‘silent’ or ‘non-affirmative’ cyber exposures lead to inadequate protection of customers with a lack of certainty and transparency for all parties involved – customers, brokers and insurers. A new insurance approach is required to effectively counter new risks posed by cyber and to remove coverage uncertainty for customers.

New Allianz Underwriting Strategy for Cyber

Group-wide, Allianz is reviewing cyber risks in property and casualty policies in commercial, corporate and specialty insurance segments and has developed a new underwriting strategy to address ‘silent’ cyber exposures, ensuring that all property and casualty policies will be updated and clarified in regard to cyber risks. A Centre of Competence for Cyber will be established for the entire company. Allianz will make it clear how cyber risks are covered in traditional policies and for which scenarios a dedicated cyber insurance solution is needed. The new strategy will also respond to growing concern from regulators and rating agencies about cyber exposures in insurers’ portfolios.

What will change?

For policyholders, the set-up depends on the line of business, as well as the market and regulatory environment. If unclarified, cyber exposures with clear definitions of when cyber risks are and are not covered in traditional policies will be specified in policy wordings. There is no one-size-fits-all approach. A comprehensive solution for all products – while extremely challenging – is best for everyone involved. This keeps specific cyber expertise in the lines of business where they’ve traditionally been underwritten and also benefits customers by providing certainty about the products they’ve bought. Policyholders will choose among several options to tailor cyber risk coverage to their individual needs and risk profiles – ranging from ‘now-affirmative’ coverage in a traditional P and C policy to an endorsement embedded into a traditional policy to a specialist cyber insurance policy. In many cases, cyber event definitions will be added to existing wordings (e.g., property offers a dedicated cyber BI extension).

Better response to regulators and rating agencies

The new strategy will help Allianz better measure its cyber exposure and respond to regulators and rating agencies. With these efforts, Allianz aims to be able to better manage the cyber aggregation risk in its PC portfolios to deal with large-scale cyber loss scenarios that could potentially affect multiple policyholders at the same time. Today’s business environment is global and highly-interconnected, increasing an organization’s probability of cyber threats. Organizations must remain secure, vigilant, and resilient to both minimize risk and optimize new opportunities. Given India’s fast-growing affinity towards technology and its services, it is important that the country’s businesses take more active steps towards cyber security.  As we accelerate towards becoming a trillion-dollar digital economy, building the right framework for cyber resilience and security is critical for the country. The government on its part has taken a number of initiatives in this direction; however, the involvement of each citizen and all organizations to make it a collective and coordinated movement is must for the success of the cyber secure eco system. India currently ranks 15th in a list of the world’s least secure countries with respect to cyber security, according to a study conducted by security portal Comparitech.

Nowadays Cyber Crime is a serious issue in India. Indian government is aware of this and have established separate department called Cyber Crime Police Department, which tracks the hackers and their cyber crime activities. According to RBI’s Information Technology Framework for the NBFC Sector, it has become mandatory for the non banking industries to incorporate Information Security framework bench marked to best practices. The focus of the proposed IT framework is on IT Governance, IT Policy, Information & Cyber Security, IT Operations, IS Audit, Business Continuity Planning and IT Services Outsourcing. These directions are categorized into two parts, those which are applicable to all NBFCs with asset size above Rs. 500 crore (Considered systemically important) and NBFCs with asset size below Rs 500 crore. The legislature is, at last, responding to the danger with an arrangement to make another tri-benefit organization for digital fighting. The Defense Cyber Agency will work as a team with the National Cyber Security Advisor. It will have in excess of 1,000 specialists will’s identity dispersed into various developments of the Army, Navy, and IAF. As per reports, the new Defense Cyber Agency will have both hostile and cautious limit. The Defense Cyber Agency is viewed as an antecedent of a digital direction. After reports that Russia interfered in the US decisions by hacking machines and making purposeful publicity on the web and the ongoing ransomware and other digital assaults being credited to North Korea, digital fighting is picking up the significance.

Insurers are lobbying the IRDAI to allow them to hold a 100% stake in InsurTech start-ups in India .Existing rules prevent insurers from acquiring a stake of more than 10% stake in such start-ups due to which they are unable to access the propriety software developed by these companies. Many insurers are still using legacy software at the back end and are unable to compete with tech-savvy firms as they leverage technology in various areas of their operations from fraud detection to cross-selling of insurance plans. Insurers, as an industry, have made a presentation to IRDAI to allow them to own a 100% stake in these companies. On the other hand, there are comments that the insurance companies are not doing enough to cater to Internet -savvy millenials who form one-third of India’s population. But some progress is noted. Earlier, the IRDAI said that it is working on creating a regulatory sandbox to support InsurTech. It goes without saying that IT will be hands-on in getting your cyber security initiative off the ground. Your IT team should be up-to-date on the latest security best practices and should help provide insight on how to best convert your goals into a functional plan suitable for your organization’s internal systems. As per the report, India continues to be second most impacted by spam and bots, third most impacted by network attacks, and fourth most impacted by ransomware. 

REFERENCES:

  1. https://www.thehindu.com/news/national/india-third-most-vulnerable-countryhttps://www.businesstoday.in/technology/news/wannacry-ransomware-attack
  2. https://www.irdai.gov.in/Defaulthome.aspx?page=H1
  3. https://scroll.in/pulse/861096/interview-we-need-a-medical-regulator
  4. http://www.mondaq.com/india/x/781972/Financial+Services/International+Financial+Services+Centres
  5. Newspapers & Journals.

Authored By:

Jagendra Kumar
Ex. CEO,
Pearl Insurance Brokers
JAIPUR

Author

Byadmin

Leave a Reply

Your email address will not be published. Required fields are marked *