This article was first published by the Global Association for Risk
Professionals on December 01, 2016.
On October 21, the National Payments Council of India
confirmed one of the country’s biggest data breaches: a compromise of 3.2
million debit cards issued by leading banks including the State Bank of India,
ICICI Bank, HDFC Bank and Axis Bank. It was a reminder that even as the
Narendra Modi government has embarked on the Digital India campaign, cyber
vulnerabilities and their costs to both the private and public sectors are
significant and increasing.
Various studies show that the number of cybercrimes has been
increasing substantially. As per data from the National Crime Records Bureau,
it grew by 23 times over the 2005-2015 period.
ASSOCHAM-Mahindra SSG put the
compound annual growth rate at 107% from 2011 to 2015.
An Ernst & Young report said that 40% of respondents
from India highlighted an increasing level of concern around cyber breaches or
insider threats over the last two years. In March 2016, Ravi Shankar Prasad,
then Communications and IT minister of India, reported to the upper house of
parliament that in the year 2014, cybercrime cases in India went up by 69%.
Countermeasures in Progress
The government has stepped up efforts to combat cybercrime.
Programs include public education to spread awareness, and there is a proposal
to set up a cybersecurity and e-surveillance agency. In addition, the Reserve
Bank of India, Securities Exchange Board of India and other regulators have
issued cybersecurity guidelines and are expected to beef them up.
Microsoft Corp. has launched a Cyber Security Engagement
Center (CSEC) in the National Capital Region. Microsoft India Chairman Bhaskar
Pramanik said that “CSEC’s mission is to help build a trusted and secure
computing environment, a critical enabler for India’s digital transformation.
It will work towards fostering deeper cybersecurity collaborations with public-
and private-sector organizations.”
In announcing the commitment, Pramanik said, “Cybersecurity
is crucial for Digital India. A data driven economy can flourish only when
governments, businesses and individuals have access to hyper scale and hyper
flexible cloud computing with the confidence that their data is secure.”
Even as such initiatives become more critical, the National
Cyber Security Policy of 2013 has not yet been implemented. Coordination is
essential to tackle the menace of cybercrime. During the recently concluded
CyFy 2016, the India conference on Internet Governance and Cyber Security,
organized by the Observer Research Foundation, in Delhi, Carl Bildt, former
Prime Minister of Sweden and head of the Global Commission on Internet
Governance (GCIG), told the Times of India that “as an emerging cyber power,
India needs to engage seriously on issues of Internet governance.”
Liability Insurance
While it is taking time to devise and implement policies at
the national level, there is a solution that businesses can consider
immediately: cyber liability insurance. The product has been available in the
Indian market for some time, and companies in the IT, IT-enabled services and
health care industries are showing interest. Most banks, however, have not gone
beyond buying the mandatory bankers’ indemnity coverage.
“Cyber liability insurance is becoming very important
nowadays, especially in the backdrop of the rising number of instances of
cybercrime and data breaches,” says Sushant Sarin, senior vice
president–commercial lines, Tata AIG General Insurance Co. Ltd.
“We see that more and more companies are buying them,” he
says. “Those companies which were the first movers are buying more cover, and
those that have not bought it yet are starting to explore it.”
The “limit of liability” for which companies need to buy
insurance depends upon various factors, such as the type and volume of data,
origin of data, location where the data resides, sensitivity of the data, data
security protocols, peer group benchmarking, etc.
“If the data originates from Europe or the U.S., the data
privacy laws are stricter there, so more insurance will be required,” Sarin
explains. “Similarly, if the data is personally sensitive or creates financial
vulnerabilities, the amount of insurance required will be much more.”
Possible Payouts
Sarin says that the amount payable by an insurance company
when a cybercrime or data breach occurs would depend upon such factors as how
the data got out; costs of notifying customers about the breach; fines or
penalties imposed by regulatory bodies; damages awarded by courts to affected
customers; reputational damage, etc.
One reason why some companies have not yet bought cyber
liability coverage could be lack of awareness about the products, or a
misguided belief that their organizations are secure. Given the current level
of cyber risks and the likelihood that they will only get worse, the ready
availability of insurance provides a practical option.