The World Economic Forum’s Global Risks Report 2018, co-authored by Marsh & McLennan Companies, ranks cyber attacks as the global risk of highest concern to business leaders. The analysis suggests that the takedown of a single cloud provider could cause $50 billion to $120 billion of economic damage, a loss somewhere between Hurricane Sandy and Hurricane Katrina. While it is not exactly an apples-to-apples comparison, the annual economic cost of cybercrime is now estimated at north of $1 trillion, a multiple of the approximately $300 billion aggregate cost of natural disasters in 2017, itself a record year.
India’s central biometric identification (Aadhaar) programme has been compromised multiple times, and sensitive data has been published online by third-party service providers, hackers, and even government websites in recent times. As per the IBM and Ponemon Institute 2018 Cost of a Data Breach report, the average cost of a breach in India now stands at Rs 11.9 crore, the average cost per lost or stolen record is Rs 4,552, and the mean time to identify a breach is 188 days.
Within hours of the General Data Protection Regulation (GDPR) taking effect on May 25, 2018, complaints were filed against Google and Facebook Inc – and Facebook’s apps WhatsApp and Instagram – alleging that they force users into a “take it or leave it” choice on consent, with potential fines of over $9 billion. With the right to privacy already established as a fundamental right by the Supreme Court in 2017, the biggest worry for many Indian organizations is the impact of these new regulations on how they do business. With both the EU GDPR and the draft Indian Personal Data Protection Bill, 2018, providing for fines of up to 4 percent of a company’s global turnover, the demand for cyber insurance has seen a significant upward trend recently.
Indian firms operating in the EU, or providing services to EU markets, should, besides having best-in-class cyber security infrastructure, also have a robust breach response ecosystem in place. Such a programme would include pre-arranged retainers with forensic firms, cyber lawyers, PR agencies, credit monitoring agencies, and others. The GDPR requires notification of a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, so these arrangements must be in place before an incident, not assembled after one. It is very important that the firm is well prepared to fight any kind of cyber-attack and equally well prepared for the case where its systems do get compromised.
With the provisions of the draft Personal Data Protection Bill, 2018, many companies that hold an enormous amount of data, such as banks, fintech, and e-commerce players, will need to re-evaluate their processes, technologies, and contracts to ensure the entire ecosystem understands and abides by the new law.
Hackers are not the only threat – today’s businesses rely on the internet for services such as online marketing, administrative functions, inventory management, credit card processing, and distribution controls. Any intrusion or outage that disrupts delivery of these services, whether caused by an attacker, a misconfiguration, or a failure at a service provider, can lead to brand and reputation damage, regulatory scrutiny, stakeholder dissatisfaction, and financial losses.
Our experience while handling cyber insurance claims indicates that human error/employee negligence is the single biggest cause of data breaches, followed by hacker attacks, social engineering frauds, etc.
Indian IT/ITeS firms have been early adopters of cyber insurance to fulfil their contractual obligations and to cover their exposures around cyber liability. Next in line was the BFSI sector, with all major private and public sector banks, insurance companies, fintech firms, and others. Now we see a huge demand for cyber insurance emanating from manufacturing firms, where the fear is cyber-induced business interruption losses and regulatory actions.
Today, many Indian firms are buying cyber insurance, with insured limits ranging from US$1 million to US$300 million. The early adopters and those with existing cyber insurance programmes are increasing their cover, with some of them contemplating limits of US$500 million. If a firm already has cyber insurance cover, it is advisable that the firm review the cover in light of the evolving cyber risks as, in our experience, the limits in most of them are on the lower side compared to the potential risk exposure.
Today, sophisticated cyber insurance covers can include the firm’s loss of profits and business interruption caused by a cyber-attack, even if the attack happens on a third party’s system (contingent business interruption). The cover can also include reputational loss of revenue, where firms hit by a cyber-attack suffer reputational damage and in turn lose customers and future business. Cyber insurance can also cover costs associated with the voluntary shutdown of systems as a precautionary or mitigating measure following a cyber-attack and, most importantly, affirmative coverage for regulatory fines and penalties, to the extent the law of the relevant jurisdiction permits such fines to be insured.
To protect corporate balance sheets, risk advisory services providers can help model the probability and potential financial impact of cyber events on an organization. A typical approach estimates how often incidents occur and how severe each one is, simulates many possible years to obtain a distribution of annual loss, and reads the insurance limit off that distribution at the level of confidence the board is willing to accept.
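The following is an added illustration of that kind of model, written for this page rather than taken from any insurer’s or advisory firm’s tooling. It assumes incident frequency is Poisson-distributed and the severity of each incident is lognormal; the rate (2 incidents a year), median loss (US$2 million), spread (sigma of 1.0) and the 95 percent confidence level are all hypothetical inputs chosen for demonstration, not figures from any real assessment. It runs offline with the Python standard library only.

```python
"""
Monte Carlo annual cyber-loss model used to size an insurance limit.

Constructed example: every parameter below is an illustrative assumption,
not a figure from any real risk assessment or claims data.
"""
import math
import random


def poisson_sample(lam: float, rng: random.Random) -> int:
    """Number of incidents in one year, drawn from Poisson(lam) by Knuth's method."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(incident_rate: float, median_loss: float,
                           sigma: float, years: int, seed: int = 1) -> list:
    """Simulate `years` independent years; each year's loss is the sum of the
    lognormal losses of a Poisson number of incidents (a compound distribution)."""
    rng = random.Random(seed)
    mu = math.log(median_loss)          # lognormal median = exp(mu)
    totals = []
    for _ in range(years):
        n = poisson_sample(incident_rate, rng)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def quantile(values: list, p: float) -> float:
    """p-th quantile of annual loss (nearest-rank, floor index)."""
    s = sorted(values)
    return s[int(p * (len(s) - 1))]


def exceedance_probability(values: list, threshold: float) -> float:
    """Fraction of simulated years in which loss exceeds `threshold`:
    one point on the loss-exceedance curve."""
    return sum(1 for v in values if v > threshold) / len(values)


def recommend_limit(values: list, p: float, rounding: int = 1_000_000) -> int:
    """Insurance limit that covers the annual loss in a fraction p of simulated
    years, rounded up to the next `rounding` unit (here US$1 million)."""
    q = quantile(values, p)
    return int(math.ceil(q / rounding) * rounding)


def analytic_mean(incident_rate: float, median_loss: float, sigma: float) -> float:
    """Expected annual loss = rate * E[lognormal] = rate * median * exp(sigma^2 / 2).
    Useful as a sanity check that the simulation is wired correctly."""
    return incident_rate * median_loss * math.exp(sigma ** 2 / 2)


if __name__ == "__main__":
    # Hypothetical inputs: 2 incidents/year, US$2M median loss per incident.
    losses = simulate_annual_losses(2.0, 2_000_000, 1.0, years=20_000)
    print(f"mean annual loss (simulated): US${sum(losses) / len(losses):,.0f}")
    print(f"mean annual loss (analytic):  US${analytic_mean(2.0, 2_000_000, 1.0):,.0f}")
    for p in (0.5, 0.9, 0.95, 0.99):
        print(f"{p:.0%} annual loss: US${quantile(losses, p):,.0f}")
    limit = recommend_limit(losses, 0.95)
    print(f"limit covering 95% of simulated years: US${limit:,}")
    print(f"P(annual loss > limit) = {exceedance_probability(losses, limit):.3f}")
```

The 95th and 99th percentiles sit far above the mean because the severity distribution has a heavy tail; that gap is the reason a limit sized on “typical” losses is usually too low, which matches the observation above that most existing limits are on the lower side. Replacing the Poisson/lognormal assumptions with scenario-specific estimates (for example a separate frequency and severity for ransomware, third-party outage and regulatory action) is the usual next step in a real engagement.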
A third-party, independent review of the cyber risks, focusing on the five essential aspects of assessment, prevention, preparation, response/mitigation, and remediation, determines how resilient a firm is and how quickly it can bounce back after a breach event.