This article was first published by the Global Association for Risk Professionals on December 01, 2016.
On October 21, the National Payments Council of India confirmed one of the country’s biggest data breaches: a compromise of 3.2 million debit cards issued by leading banks including the State Bank of India, ICICI Bank, HDFC Bank and Axis Bank. It was a reminder that even as the Narendra Modi government has embarked on the Digital India campaign, cyber vulnerabilities and their costs to both the private and public sectors are significant and increasing.
Various studies show that the number of cybercrimes has been increasing substantially. As per data from the National Crime Records Bureau, it grew by 23 times over the 2005-2015 period.
ASSOCHAM-Mahindra SSG put the compound annual growth rate at 107% from 2011 to 2015.
An Ernst & Young report said that 40% of respondents from India highlighted an increasing level of concern around cyber breaches or insider threats over the last two years. In March 2016, Ravi Shankar Prasad, then Communications and IT minister of India, reported to the upper house of parliament that in the year 2014, cybercrime cases in India went up by 69%.
Countermeasures in Progress
The government has stepped up efforts to combat cybercrime. Programs include public education to spread awareness, and there is a proposal to set up a cybersecurity and e-surveillance agency. In addition, the Reserve Bank of India, Securities Exchange Board of India and other regulators have issued cybersecurity guidelines and are expected to beef them up.
Microsoft Corp. has launched a Cyber Security Engagement Center (CSEC) in the National Capital Region. Microsoft India Chairman Bhaskar Pramanik said that “CSEC’s mission is to help build a trusted and secure computing environment, a critical enabler for India’s digital transformation. It will work towards fostering deeper cybersecurity collaborations with public- and private-sector organizations.”
In announcing the commitment, Pramanik said, “Cybersecurity is crucial for Digital India. A data driven economy can flourish only when governments, businesses and individuals have access to hyper scale and hyper flexible cloud computing with the confidence that their data is secure.”
Even as such initiatives become more critical, the National Cyber Security Policy of 2013 has not yet been implemented. Coordination is essential to tackle the menace of cybercrime. During the recently concluded CyFy 2016, the India conference on Internet Governance and Cyber Security, organized by the Observer Research Foundation, in Delhi, Carl Bildt, former Prime Minister of Sweden and head of the Global Commission on Internet Governance (GCIG), told the Times of India that “as an emerging cyber power, India needs to engage seriously on issues of Internet governance.”
While it is taking time to devise and implement policies at the national level, there is a solution that businesses can consider immediately: cyber liability insurance. The product has been available in the Indian market for some time, and companies in the IT, IT-enabled services and health care industries are showing interest. Most banks, however, have not gone beyond buying the mandatory bankers’ indemnity coverage.
“Cyber liability insurance is becoming very important nowadays, especially in the backdrop of the rising number of instances of cybercrime and data breaches,” says Sushant Sarin, senior vice president–commercial lines, Tata AIG General Insurance Co. Ltd.
“We see that more and more companies are buying them,” he says. “Those companies which were the first movers are buying more cover, and those that have not bought it yet are starting to explore it.”
The “limit of liability” for which companies need to buy insurance depends upon various factors, such as the type and volume of data, origin of data, location where the data resides, sensitivity of the data, data security protocols, peer group benchmarking, etc.
“If the data originates from Europe or the U.S., the data privacy laws are stricter there, so more insurance will be required,” Sarin explains. “Similarly, if the data is personally sensitive or creates financial vulnerabilities, the amount of insurance required will be much more.”
Sarin says that the amount payable by an insurance company when a cybercrime or data breach occurs would depend upon such factors as how the data got out; costs of notifying customers about the breach; fines or penalties imposed by regulatory bodies; damages awarded by courts to affected customers; reputational damage, etc.
One reason why some companies have not yet bought cyber liability coverage could be lack of awareness about the products, or a misguided belief that their organizations are secure. Given the current level of cyber risks and the likelihood that they will only get worse, the ready availability of insurance provides a practical option.