Cyber Insurability Index.. to measure how good you are for Cyber Insurance


Cyber Insurability is defined as “A measure of maturity of an organization for a Cyber Insurance Company to provide a Cyber Insurance Cover”.

The perspective is that of the Cyber Insurance Company, which has to assess the proposed Insuree, accept an underwriting proposal and quote a premium.

A Cyber Insurance proposal normally consists of two key elements. The first is a cover for “Own damage” and the second is the cover against “Third Party Liability”.

The own damage liability is more controllable than the third party liability which depends on whether the affected third party can successfully make a claim for damages.

If a company does not use or store the personal data of third parties, their exposure to third party liability risk is low. The risk that an Insurance company takes may therefore be dependent on the “Type of Information Asset insured”.

For the purpose of understanding, we can roughly say that the “Cyber Insurability of an organization which does not use, transmit or store third party data” is high. The exact amount for which an organization is insurable may however depend on the value of the assets possessed by the Company.

In an organization where Cyber Insurance is sought only for its own information assets, namely the hardware, software and corporate data residing therein, the insurer’s concern is limited to the efficiency of the DRP/BCP and the reputation loss that the organization may undergo on account of an attack. For example, if an e-commerce website is under a DoS attack and closed for, say, 3 hours, then there is a loss of business for 3 hours besides a marginal reputation loss. If the DRP/BCP system of the organization is efficient, the loss can be reduced further. In other words, there is some ability to control the loss and contain it within the set of its existing customers.

On the other hand, if the attack involves “Loss of Data” then the question of valuing the loss becomes important. Here the presence or absence of third party data becomes very important in determining the value of the loss. If there is no third party data, the possibility of any claim from third parties is zero.

The corporate data lost could be business data or data which constitutes “Intellectual Property”. Loss of Intellectual Property can be valued and also defended subsequently by litigation. Hence it is also controllable. Loss of corporate business data may lead to reputation loss or a weakening of the company’s business competitiveness. There is an element of uncertainty in such damage, and an Insurance company may consider it “Discretionary” and “Vague” and refuse to recognize an insurable component for “Likely reduction in market share on account of compromise of the Corporate business data”.

As compared to the above, if the Insuree possesses third party personal information, any loss arising thereof would create potential litigation from a large section of the customers. The exact loss estimate becomes difficult since each person may claim a different amount and the claims may arise at different points of time in the post data breach scenario.

In situations where there is a regulatory authority which can step in on behalf of the data subjects and impose a fine or collect damages on behalf of the community, it may be possible for the regulatory agency to fix some norms to determine the total liability, which then becomes the subject matter of Insurance. The individual liabilities may also be limited by the Insuree obtaining legally binding contracts from the data subjects limiting the potential damage either to a fixed amount or to a maximum amount. In such cases the losses may be determinable. If no such contractual bindings exist, the potential loss may be open in terms of value as well as time.

The business practices that an Insuree organization follows may therefore have an impact on the liabilities that the Insurer has to undertake in the event of a data breach.

This difference is what we may call the “Cyber Insurability” of an organization.

An organization may be considered Cyber Insurable if its liabilities can be determined with some degree of certainty when a mishap occurs, and not so if they are indeterminate.

Obviously, every organization will have a certain “Degree of Certainty and a degree of uncertainty” and hence we cannot measure Cyber Insurability as a binary property.

We therefore need to develop a “Cyber Insurability Index” that measures the ease with which different organizations may be assessed for the ability to determine their insurance risk.

The Cyber Insurability Index may have two dimensions. One is the index across the other insurance subjects, which measures whether Company A is more easily insurable than Company B or vice versa. The other dimension is how a given company moves up or down over the years on its own measure of Cyber Insurability.

Maybe we can call these Inter Company indexing and Intra Company indexing.

Inter Company indexing will depend on the nature of the industry, its potential to be a target for cyber attacks, its location, size, information security culture etc. This can be based on a study of the environment of threats and vulnerabilities affecting a given type of activity. This may be done as an industry level analysis even without a specific study of a company.

For example, from the Cyber Crime studies released by most companies, it emerges that the BFSI industry has a higher risk in terms of insurance claims and also a high possibility of indeterminable losses that may be claimed by the clients of the company in the event of a data breach.

Intra Company indexing may indicate how the company is improving or declining in its standard of bringing some kind of control over the potential loss that may occur on account of a breach. This will include the information security measures undertaken by the company from year to year, the changes in the industry environment, the emergence of new technology in the industry etc. This will be a subject matter to be determined by a “Cyber Insurability Audit” of a company.

When a company is first audited for the Intra Company Cyber Insurability Index, the audit can try to measure the changes that have occurred in the last one year that contribute to making the Insurance liability more determinable, and show the current status as an indication of progress or deterioration over a period of one year. This would be a good indicator to be incorporated in the annual report of a company.

For example, if I say the CII-Intra of Company X is 120, it means that there was a 20% improvement in the status (an indication of how much more palatable the company is to an insurance company) in the last one year. If I say the CII-Intra for Company Y is 70, it may mean that the uncertainties in the company from the point of view of a Cyber Insurance Company have increased.

Each subsequent year the index can be reworked with reference to the base year.

These are some of my preliminary thoughts that I place before the audience for feedback and further refinement.

Naavi

Also published at www.naavi.org


Posted in Uncategorized | Leave a comment

India Cyber Insurance Survey Results To be released in January 2016


The first ever study of the Indian Cyber Insurance Industry-2015, bringing out the perception of the industry on what it wants from Cyber Insurers, is ready to be released some time in January 2016.

The study, undertaken by the undersigned along with a group of IS professionals, collected responses from different professionals from the industry and academia and has given a good insight into what the industry perceives about Cyber Insurance policies.

Since the industry is in a nascent stage and the experience of how the industry functions is yet to mature, the results are more representative of a “Perception” or “Expectation” study, and would be available for expansion in the coming days into a “Status of the industry” study.

The survey provides interesting insights into the prospects of the industry and what the Insurance companies need to consider to strengthen their products.

Though only 6% of the respondents indicated that they have actual experience of the products, 72% said that they are willing to consider such products if a suitable product at a proper price is available. There is also an indication that if a suitable product at a proper price is not available, more than 54% of the respondents were not ready to jump in in the near future.

The study also provides valuable qualitative insights into what would be acceptable to the market in terms of conditions, exclusions, liability limitations etc.

The report is being issued in two versions. One will be a free version for public information containing a summary of the findings. The other would be a professional version with business insights meant for industry users, which may be nominally priced.

Await more information in due course.

Naavi

Data Breach Notification Policy helps Cyber Insurance Industry


A Data Breach Notification Policy is a mandatory policy under certain regulations such as the HIPAA/HITECH Act and is being increasingly required by different regulatory agencies.

The essence of the policy is that when a potential data breach is discovered in a Company, the data subjects whose interests are adversely affected are informed. Sometimes it is also required to be notified to the regulatory agency and to the media, or placed on the website.

Obviously the companies which suffer a data breach are not happy with such a regulation since it adversely affects their reputation and future business flow. It will also prompt litigation even in cases which would normally not have escalated beyond simple dissatisfaction. The Notification would therefore be like “Inviting Trouble”.

If there is a regulation that makes data breach notifications mandatory, then the company has no choice. Cyber Insurers would look at it as a part of mandatory legal compliance.

When there is a regulation, the industry would probably have clarity on how to define a “Data Breach” for notification purposes and what procedure is to be followed. But when there is no regulation, Companies would most probably try to avoid notification.

In India, where we do not have a Privacy law, the only reference to data breach notification is through the rules under Section 79 of ITA 2008 applicable to Intermediaries. Though there is a mandate under this rule, it is doubtful whether it has been recognized and followed.

The Cyber Insurance Company is interested in the notification since it is a good practice and has some specific advantages.

One of the main advantages of the policy is that it instills a sense of discipline in a company for information security. Without the need to disclose a data breach, any company would be interested in brushing the problems under the carpet. If there is a policy, then there will be a clear definition of how a breach can be recognized and what needs to be done if a breach is suspected.

The second most important advantage is that when smaller breaches get reported, the company hardens its security before anything big hits it. It works as a circuit breaker that defuses the risks instead of allowing risks to accumulate and explode.

For this reason, I advocate that Cyber Insurance Companies need to develop their own Data Breach Notification policies and impose it on the insurers even if there is no law to mandate it.

If a Company has already adopted a Data Breach Notification policy along with a Privacy Policy and an Information Security policy, the insurability of the organization actually improves and it should have a positive influence on the insurance proposition.

A prudent Cyber Insurance Company would not only be interested in imposing a data breach notification policy but also a more comprehensive information security policy of its own, to safeguard the interests of itself and the insured organization. Though some companies would prefer to adopt the ISO standards of information security rather than suggesting anything of their own, it is preferable that Cyber Insurance companies do suggest some minimum information security standards before considering a proposal. In such a case, the data breach notification policy is one that they should consider.

Naavi’s Cyber Law Compliance Center offers a model Data Breach Notification policy that tries to address the concerns of the regulators without unduly humiliating the company reporting the potential data breach incident. The model policy can be adopted by any user industry, if necessary along with other associated policies.

In due course it would be necessary for regulators to develop requirements of their own which can be incorporated in such policies. RBI, SEBI, IRDA and CERT-IN are some of the regulators who should consider mandating such policies in the larger interest of the consumers whose interests they try to protect.

Naavi


Cyber Liability Insurance.. What is it?


In the US it is stated that 46 of the 50 states have made Data Breach Notification mandatory. As a result, when a data breach event occurs the company needs to conduct an in-house audit and then send out notifications to all its customers who are likely to have been affected by the breach.

The cost of such notification itself is huge since in most cases the number of records lost runs to millions.

Data breach notification is recognized as one of the key drivers of the Cyber Insurance industry in the US, since these notification costs are a clear cash outgo for the company, to be incurred almost immediately after a data breach comes to its knowledge.

Related Article in Computerweekly.com

In India, many companies are ignorant about whether there is any data breach notification obligation. Presently, under Section 79 of ITA 2008, data breach incidents need to be reported to CERT-IN, though this is rarely observed.

There is still, however, no specific obligation to notify the customers unless this is introduced as a part of the Section 79 notification on due diligence.

Recently the Indian Press reported that two companies in Mumbai suffered extortion threats after some hackers threatened to reveal some illegal activities of the companies. This was also an incident of security breach in the company, though we do not know if any customer information was involved in the breach.

But the public does not know if this was reported to CERT-IN. In fact the Press has been helping the companies to keep their identity under wraps, which also means the crime is kept under wraps.

Sooner or later the situation will change and data breach notification will become mandatory in India. Companies therefore need to be prepared to meet the liabilities, both in terms of the costs involved in setting things right and notifying parties, and also to meet third party liability claims.

It is time they start asking themselves where they stand in this respect, since some of these companies are also filing declarations under clause 49 of the SEBI listing rules, which is similar to the SOX guidelines.

Naavi


Why Cyber Insurance seekers need to do better homework..


Naavi has been advocating that companies need to start using Cyber Insurance in India, though the current level of awareness as well as the penetration is low.

In these circumstances, the news that BitPay, a Bitcoin processor, could not recover its claim for a loss of $1.8 million despite having a Cyber Insurance policy, since the claim was rejected by the Insurance company, is disturbing.

At the same time, the incident highlights how much care is required before a Cyber Insurance policy is purchased: the purchaser should be able to analyze the policy terms in detail and avoid the kind of technical interpretations that were used by the Insurance Company in this case to reject the claim.

The details of the incident as reported in networkworld.com are as follows.

BTC Media had obtained a “Commercial Crime Insurance Policy” for $1 million from MBIC which stated that the insurer

“will pay for loss of or damage to ‘money,’ ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’: a. To a person (other than a ‘messenger’) outside those ‘premises’; or b. To a place outside those ‘premises,’”

In December 2014, the company’s CFO was spearphished and the attacker managed to get hold of his email credentials. These were used to spoof mails to the CEO, and 5000 bitcoins worth $1.8 million were stolen.

The Company filed a claim under the Cyber Insurance policy, which was declined for the following reason.

“The Policy requires that the loss of money be the direct result of the use of any computer to fraudulently cause a transfer of that property from inside the premises to a person or place outside the premises. ‘Direct’ means without any intervening step i.e. without any intruding or diverting factor. The Computer Fraud Insuring Agreement is only triggered by situations where an unauthorized user hacks into or gains unauthorized access into your computer system and uses that access to fraudulently cause a transfer of Money to an outside person or place. The facts as presented do not support a direct loss since there was not a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money. Instead, the computer system of David Bailey, Bitpay’s business partner, was compromised resulting in fictitious emails being received by Bitpay. The Policy does not afford coverage for indirect losses caused by a hacking into the computer system of someone other than the insured.”

Bitpay has now sued MBIC for breach of contract, bad faith, failure to pay and statutory damages, seeking $950,000 in damages plus court fees.

The litigation is likely to go on for some time, and in the meantime the industry will debate whether Cyber Insurance is reliable at all.

MBIC may be technically correct, whereas BitPay may feel that MBIC has misrepresented and cheated. The argument could be based on the nature of the contract and what is implied and what is not.

The incident highlights one of the points I have been highlighting for a long time, namely that a company obtaining a Cyber Insurance Contract must be able to decipher the policy terms and map them to the risks against which it needs coverage. Any ordinary information security professional would list “Phishing” of the credentials of any authorized user as one of the threats that can manifest into a risk and result in losses. He would presume that “Cyber Crime Insurance” will cover this. But being a technical person and not able to understand the terminology used in the contract, which distinguishes “Direct” from “What is not Direct” as well as “What is a loss” etc., he is unable to find out what the policy really covers or does not. While the CFO or even the legal department is able to understand this part, they may not know the anatomy of all Cyber threats. Thus neither the CFO/Legal team nor the IS team understands the nature of this “Techno Legal Contract”, leading to problems of this nature.

Naavi and his group of professionals who are working on the India Cyber Insurance Survey will find out the views of professionals on this matter and present them to the public shortly. (If you still want to participate and provide your feedback, rush to https://fs22.formsite.com/SBYrSa/form2/index.html)

CEOs and CFOs should realize that all Cyber Insurance contracts are considered contracts of utmost faith, and it is the responsibility of the proposer to disclose what risks he wants to be covered and to ensure that the Insurer has not excluded the risks that he requires to be covered in the policy document. This requires the company to take the advice of a suitable consultant acting on its behalf, other than the Insurance Company representatives and the broker, who is more inclined towards the Insurance company than the insured or is not fully conversant with all the legal nuances.

If proper care had been taken, the kind of problem that BitPay is now facing should not have arisen.

Naavi

Related Articles:

networkworld.com

ibamag.com


After Cyber Extortion.. What to do?


Here is an interesting article on how a Company should respond after a Cyber Extortion demand.

How to Deal With Cyber Extortion — Before and After It Occurs

Once a company or individual becomes a victim of cyber extortion, the number of good options dwindles quickly. Rather than react after the fact, corporate leaders need to have a response plan in place so mitigating the risk of cyber extortion schemes can be the main focus.

The author of this article suggests a comprehensive plan that should include:

  • A list of stakeholders to be informed.
  • Predetermined and defined lines of communication that will speed information sharing.
  • Appropriately trained and informed leaders empowered to make decisions during an incident.
  • A process for the continuous updating of information technology systems and security policies (at least quarterly) to keep pace with changes in business and technology.
  • Established relationships with law enforcement (local, state and/or federal) to reduce the chance of a slow, confused response.
  • Prevention: Companies can also take a number of steps to lessen the likelihood that they will fall victim to cyber extortion or extortion:
    • Identify all potential internal and external threats by:
      • Monitoring social media.
      • Staying on top of public forums related to your business.
      • Identifying employees who may want to harm your company.
    • Audit computer networks to identify and assess vulnerabilities. Questions include:
      • Are software patches being applied in a timely fashion?
      • Does the network have segmentation so that an attack in one area won’t impact others?
      • Are there access controls in place for your data?
      • Are network logs collecting sufficient detail and maintained for a long enough period of time to allow for proper historical investigation?
      • Do you know where all your endpoints are and are network topology maps up to date? This especially is important because networks are dynamic, with companies continually adding and removing servers and distributing new devices to employees.

Refer here for the detailed article: Source Cyber Security Today


Cyber Extortion Case.. If the Company had a Cyber Insurance…


(This debate is related to the case of Cyber Extortion booked in Hyderabad as reported here by TOI. In order to debate the academic issues involved in a Cyber Insurance contract, we are trying to discuss some of the issues involved, starting with what the Company should do now and how the incident is likely to roll out in different dimensions, assuming that a Cyber Insurance cover had been taken by the company. The discussion is hypothetical and for educational purposes only.)

The incident came to light when the MD of the company tried to log in to the Company’s database and was confronted with a message “Pay US$1000 to get your data back and make the payment in Bitcoins”.

No information is available on whether a bitcoin wallet address or any communication address was provided.

(P.S: It is possible that the extortionist may send another message in which the details of payment destination may be provided, which will be an opportunity to trace the offender. Now that the issue has got into public knowledge, we anticipate that the offender will simply walk off and will not pursue the extortion. It cannot be ruled out that the extortionist could be an insider and may not risk being identified if the extortion attempt is continued.)

The MD would most likely call the CISO over the phone and inform him of his inability to access the account. This then becomes an “Incident” which has to be recorded (Action 1) in the incident management register and tracked to conclusion. This would be a requirement under the Cyber Insurance contract.

Simultaneously, the Cyber Insurer needs to be informed (Action 2) of the incident, though the full implications of the incident are not known at present and would be known only after an internal assessment (Action 3).

Reporting to the Police (Action 4) could be one of the requirements of the Cyber Insurance policy itself. Even otherwise it is a duty of the company, since there is an apparent commission of a cognizable offence under ITA 2008 (Section 66) as well as under the IPC.

There is one issue, however, in this case. Once the complaint is filed with the Police, they need to investigate, and the investigation has to start with the company’s assets. The internal evaluation also has to be done simultaneously on the same assets. Even the Cyber Insurance Company may step in and say that it will appoint a forensic consultant to give a report. The three agencies, all of whom have a stake in the investigation, therefore have to come to an agreement on how to proceed with further investigation. This would be the first major task (Action 5) which the CEO needs to undertake so that evidence is not lost by negligent handling of the investigation.

Since the issue has become a law enforcement responsibility, any tampering with the evidence from here afterwards could become an offence of its own as “Tampering of Evidence”, and hence there has to be a clear understanding between law enforcement and the company in this regard.

The next task for the CEO is to review (Action 6) the Cyber Insurance policy to find out whether the incident is covered under the policy.

Simultaneously the CISO can find out (Action 7) and report (Action 8) whether the inability to access the company’s database is restricted to one user or affects many, and also whether there is any data backup from which the data can be restored.

(P.S: If a data backup is available, the CISO need not rush to back up the data before trying to find out the vulnerability that caused the breach, since the data may again be encrypted and, if the hacker has gained privileged access to critical data, he may do further damage. How the data backup needs to be done is dependent on the BCP of the Company. It also matters whether the data relates only to corporate information or to personal or sensitive personal information of customers. Since this is an ice cream manufacturing company, the possibility of such customer data having been compromised may be less.)

The next action point is for the CISO and his Cyber Forensic team, and I hope such professionals will start adding their views to this debate on where the investigation has to start…

… To Be continued…

Naavi


Cyber Extortion.. How will Cyber Insurance parties look at it?


Today, the Times of India has reported a Cyber Extortion attack on the Managing Director of a Company in Hyderabad. Typically in such cases, the data of the Company is hacked and encrypted. The authorized persons who try to access it are confronted with a message to pay a ransom to get the decryption password. In this particular case, the ransom amount demanded is $1000.

Refer TOI report here

Let us pick up this case as a hypothetical case study by assuming that this Company had obtained Cyber Crime Insurance. We shall then discuss some of the possible developments.

I request readers to send their views on “If you are the MD who is the victim of the Hyderabad incident, and your company has a Cyber Insurance policy, what would you do now?”

(…To Be continued)

Naavi

“Why am I not in this business still?”


Cyber Insurance is a term which is not found in the Insurance Act 1938, which governs the Insurance industry in India. Besides “Life Insurance”, the Act defines “General Insurance” services such as “Fire Insurance”, “Marine Insurance” and “Miscellaneous Insurance”.

Cyber Insurance is a business which comes under “Miscellaneous Insurance”, which also covers “Motor Insurance”, “Burglary Insurance”, “Employee Fraud Insurance”, “Fidelity Insurance” etc.

While Life Insurance, Marine Insurance, Fire Insurance and also Motor Insurance are well developed parts of the Insurance business for which there is huge actuarial data, Cyber Insurance is a relatively new form of Insurance in which there is little experience available in the industry. Out of the 28 licensed Insurance companies operating in India, hardly 5 or 6 companies offer Cyber Insurance.

At a time when the business systems in the country are adopting e-commerce in a big way and companies are building data assets with huge investments, there is a general feeling that there must be good demand for insuring such assets against losses. Hence the business prospects for Cyber Insurance should be very attractive.

However, when we try to quantify the business prospects for Cyber Insurance, there is a lot of uncertainty. First of all, the demand for Cyber Insurance comes from the fear of loss, which is related to

a) Loss of data through technological failures in a Company

b) Loss of data through frauds and cyber crimes in a Company

c) Loss arising due to third party claims following a data loss from an intermediary company.

The Cyber Insurance policy will have to be structured either for these specific losses or as a comprehensive policy including all causes.

The second factor that impacts the Cyber Insurance business is the value of the assets building up in the hands of the users. If we ignore the asset build-up in the form of hardware, which can be covered under other conventional policies, we need to look at the value of “Data” as an “Asset”.

Any technology person will vouch for the fact that the quantity of data building up in society has increased manyfold during the last two years. The “Big Data” industry says that between 2009 and 2020, the quantity of data being produced would grow by around 44 times.

The growth is so large that in order to measure data, we are trying to familiarize ourselves with new units of measurement beyond gigabytes: terabytes, petabytes, exabytes, zettabytes and so on.

Whatever be the value of data, the sheer volume presents a growth picture that is mouth watering for any businessman.

The value of a unit of data itself is not static. Perhaps it is also increasing. Nearly 70% of the data is being created by individuals, and most of it is handed over to companies for use, value addition and safe custody.

With laws such as HIPAA, GLBA, the Data Protection Act, ITA 2008 etc., the intermediaries are required to protect the data and ensure protection of the privacy rights of individuals. With increasing awareness of such laws and better enforcement, the liability that a company has to bear on account of third party data loss is also increasing exponentially.

Of course the cost of the data produced within the company is also growing, with increased cost of production due to increasing manpower costs and real estate costs.

With such developments, the value of data as an asset representing “Prospective Insurable Assets” is growing at an unimaginable rate. We can therefore expect that the gross market for insurance business will grow at 200% to 300% per annum for the next several years.

The last factor that determines the market for Cyber Insurance is the rate of premium. This is one area where we can see a reduction as the market matures and competition grows. However, increasing levels of Cyber Crime may tend to keep the rate from falling alarmingly, and in any case the crazy growth in the volume of data assets will ensure that the gross premium potential grows in tandem with the data volume growth.

In this background, any shrewd business entity would consider that Cyber Insurance is a gold mine ready to be tapped. There is no need to look for quantification of the demand, which is much more than any individual company can handle.

For the record, however, we may recall a recent study released by PWC titled “Insurance 2020 and beyond: Reaping the dividends of Cyber Resilience”, which puts the Cyber Insurance market, based on premium, at around $2.5 billion today and set to grow to around $7.5 billion by 2020.

It is difficult to separate out the statistics for India, but considering that the nation is looking at the “Digital India” project with Smart Cities, increased e-Governance, etc., the growth prospect in India could be higher than the average global figure represented by the PWC study.

According to the PWC study,

“some 90% of cyber insurance is purchased by US companies, underlining the size of the opportunities for further market expansion worldwide.

In the UK, for example, only 2% of companies have standalone cyber insurance.

Even in the more penetrated US market, only around a third of companies have some form of cyber coverage.

There is also a wide variation in take-up by industry, with only 5% of manufacturing companies in the US holding standalone cyber insurance, compared to around 50% in the healthcare, technology and retail sectors”

It is difficult to see many other business opportunities where the growth prospect is of this order.

So, if you are already in the Insurance business but not in Cyber Insurance, it is time to ask yourself: “Why am I still not in this business?”

If you are a little more adventurous, but not in the Insurance industry at present, it is time to think of entering this specialized field, where competition is low but prospects are mind-boggling.

Let’s explore more on this in subsequent articles.

Naavi


Open Letter To Mr Modi on Cyber Insurance


18th September 2015

To

Sri Narendra Modi, Honourable Prime Minister, Government of India

Sub: “Cyber Insurance For All Netizens of India”

Dear Sir,

One of the distinguishing features of the Governance model adopted by your Government is its reliance on technology. “Smart Governance through E-Governance” is the recognizable face of this Government.

In pursuance of this policy, you have adopted “Aadhar” as the core citizen identity and are linking every welfare programme of the Government to this e-identity of the Citizens. In a way you are converting every Citizen into a Netizen. With ambitious projects such as “Smart Cities” and “Digital India” on the anvil, the dependence of society on technology is only going to increase.

I am fully in support of this push for the use of technology for development and have been advocating such a policy for a long time, as documented at www.naavi.org. I had also advocated a “Charter of Demand for Netizens” which included several initiatives, including “Digital ID for all Citizens of India” and “E Consumer Protection”. I request you to kindly take some time to look into these suggestions.

I firmly believe that the success or failure of your Government will be hugely influenced by the success or failure of the E-Governance model which you are adopting, and hence no stone should be left unturned to make it a success.

However, I always keep recalling how Mr Chandrababu Naidu lost an election despite his many good E-Governance measures in Andhra Pradesh, and this should be remembered as a lesson for people like you who want to do good things when society may not be fully ready to absorb long-term thinking.

Cyber space has its fair share of risks, and any society dependent on Cyber technology is open to the adverse effects of cyber attacks from cyber criminals, cyber terrorists and cyber-war-capable nations.

It is therefore a certainty that such cyber attacks will have to be faced by society from time to time. Measures to prevent an adverse fallout should therefore be considered inevitable.

We know that Cyber risks are a necessary evil that has to be endured, but politicians in the opposition will easily portray any adverse attack as a consequence of the “Anti People Policies” of the Government.

For example, in case there is a Cyber attack on the Indian Banking system and 10000 customers lose the money in their JanDhan accounts, the opposition will say that it is a scam and that all the money has been misused by BJP politicians. In the charged atmosphere that may follow, the perception battle is more likely to be won by the opposition than by the Government.

If, therefore, your Government needs to insulate itself from the risk of being blamed for Cyber risks, you need to go the extra mile to ensure that citizens do not lose out because of cyber attacks.

In this context, I suggest that there is a need for a policy of “Cyber Insurance for All” as a means of protecting the Netizens from the vagaries of Cyber risks.

“Cyber Insurance” is a protection against financial losses arising out of cyber crimes such as “Phishing”, “Identity Theft”, “Denial of Service”, “Hacking” etc. It includes frauds involving cloning of credit cards, debit cards, ATM cards, Aadhar data, etc. It includes mobile-related frauds, which will be one of the biggest threats of the future, where a large number of victims will each lose a small amount, making it impossible for them to invoke any traditional legal remedy such as approaching the Courts.

Just as “Drip Irrigation” is essential to fight the vagaries of failure of rains in the agricultural sector, “Cyber Insurance” is essential to fight the risks of cyber attacks in the Digital environment.

In the Motor Insurance area there is already a concept of Mandatory Third Party insurance. A similar policy is required in the E Commerce and E Banking area.

Of late, RBI has issued many licenses for Payment Banks and Small Banks as well as new generation Banks. These will all be heavily technology dependent, and the customers will hold all the risks. Hence RBI should be persuaded to mandate that all new Banking licensees introduce mandatory Cyber Insurance for their customers.

Kindly don’t be swayed by any argument that Cyber risks are not “insurable” since the risk is too huge to be covered, or that no insurance company may be interested, etc. Presently, insurance companies are doing a profitable cyber insurance business but are restricting it to companies and not extending it to individuals. They are milking the higher end of the market and avoiding the lower end because they feel it is expensive to manage. They need to be persuaded and incentivized to provide retail cyber insurance policies.

If the Rs 12 per year accident insurance policy for a cover of Rs 2 lakhs against accidents is commercially feasible, an individual cyber crime insurance policy that protects individuals against any loss, say to the extent of Rs 10000/- to Rs 25000/- per incident, must also be feasible.

I therefore suggest, and also urge you, to adopt “Cyber Insurance for ALL” as a new policy of the Government to support its Digital India initiative.

Regards

Yours faithfully

Na.Vijayashankar (Naavi)

Founder: www.naavi.org
