With Indian companies and organisations increasingly targeted by hackers, Praveen Gupta examines the importance of cyber cover and cybersecurity
“If there is any silver lining to the pandemic surge of the last few weeks, it is the apparent pause in the cybersecurity breaches in India,” commented The Ken ahead of the second wave of Covid-19 in India. “In the last few months, news of breaches has hit us like weekly movie releases, each with its own cast of characters and plots,” it added.
Interestingly, the first outbreak of Covid-19 was seen by Indian health insurers as an opportunity to rake in moolah. That was the only point where the graphs for health and cyber claims did not move in parallel. Cyber insurers and reinsurers were until such time happily releasing their complete arsenal as in the rest of Asia. Full-blown first- and third-party covers with other available optional coverages. Limits were for asking and premiums were getting competitive.
Then the cyber extortionists got going – putting India on the top of Asia’s most-hacked list, even ahead of Japan.
What does it mean for buyers?
The paranoia of Indian insurers was understandable as they suddenly started restricting coverage for cyber extortion and also became more mindful of the waiting period (time deductible) for business interruption claims. Retentions and premiums started rising to the tune of 40%-50% and the risk selection process became more detailed. Most underwriters now insist upon clients to share additional ransomware inputs, to help them better assess the risk.
Market capacity continues to shrink for larger programmes, while the smaller ones depend on the industry in which they operate. Segments like pharma and BFSI (banking, financial services and insurance) have seen players go conservative. Another interesting aspect is that due to several ransomware claims targeting the manufacturing industry, risk perception for manufacturers has moved higher up the risk barometer, say underwriters.
Hackers have started targeting supervisory control and data acquisition (SCADA) – a system of software and hardware elements that allows industrial organisations to control industrial processes locally or at remote locations. They also target industrial control systems (ICS) – control systems and associated instrumentation used for industrial process control.
Compared to the claims situation a year or two ago, both the frequency and severity of cyber claims have gone up dramatically. As regards the uptick in frequency, one should be mindful that the increase is despite several policyholders opting not to notify circumstances unless they deem it absolutely necessary. India does not yet have a mandatory reporting regulation, so many cyberattacks go unreported, despite clients having a cyber policy. This is due to various reasons such as reputational risk, third-party liability, etc. Despite ransomware being one of the major exposures, forensic costs account for the biggest chunk of the claims thus far.
While the overall frequency and severity of cyber claims has been spiralling, observers believe companies that are critical infrastructure for India are likely to be more frequently targeted. Be it e-commerce platforms, payment gateways, power grids, the Kudankulam nuclear power plant, or even the space agency (ISRO), India’s response to a cyber breach is predictable. Denial. As The Ken reports, India simply doesn’t have the necessary infrastructure to monitor threats and respond to incidents at the state and sectoral levels.
In the case of Mumbai’s power outage in September 2020, it points out, the centre’s admission came only when The New York Times broke the news in late February. It took Indian intelligence agencies 17 days to block the IPs belonging to the suspected command and control centre of a Chinese hacker group that US-based private cyber intelligence firm Recorded Future had handed over to them.
Alerts about attacks and perpetrators often come from external agencies and researchers outside India – from South Korea, the US, Russia and every other corner of the planet. Given the co-existence of public and private sectors, both remain vulnerable. While the chances of a private entity having cyber cover is more likely, it is estimated that while the corporate portfolio is growing in good double-digits since its launch in 2014-2015, there are just about 1,000-1,500 corporate cyber insurance policyholders.
The number shows how underpenetrated this product is and the growth potential is still huge. While there are no known fiduciary actions triggered by cyber breaches to date, the breach of passenger data at Air India may pose litigation risks for the airline, reports The Hindu.
Insurers are becoming increasingly discretionary when considering capacity deployment and are demanding extremely high cybersecurity standards. Cyber-resilient infrastructure or hygiene is, therefore, crucial for companies looking to purchase cyber insurance cover. To revamp cybersecurity at the national level, the country plans to streamline the scattered bureaucracy and fund the initiative with $2.7bn. The Ken points out that having a cyber strategy is only a starting point. It believes that besides stronger agencies at the top, India needs to create institutions to monitor and execute cybersecurity downstream.
Nowhere to hide
India has a growing number of unicorns and rising digital penetration despite the stark demographic digital divide. The Pegasus disclosure that recently hit the headlines brought to the fore what author Arundhati Roy described: “This is no ordinary spying. Our most intimate selves are now exposed.” As of now, there is literally nowhere to hide.
Where next in Asia, after India, the ransomware extortionists will train their guns is anybody’s guess. Given the ease and global nature, it could be anywhere else. The pandemic demonstrated how potentially every health policy could lead to a claim. The cyber pandemic, as it unfolds, could be even worse – as the attacker is likely to know you are insured and how much for!
David Piesse of DP88 and Guardtime has a recommendation: “You wrap a cryptographic blockchain layer around the internet to make it attributable, as was done in Estonia.” Is Asia listening?
Praveen Gupta, FCII is a Chartered insurer, former managing director and CEO