Companies in India are reporting more cyberattacks than any other country in the world. Cyber security incidents in India tripled to 3.5 lakh in July, August from Jan-March. “Work-from-home situations in a true sense tested the cyber resiliency of the firms and has brought forward the importance of cybersecurity as the topmost agenda item for these firms,” says Sanjay Kedia, Country Head and CEO, Marsh India Insurance Brokers. In a conversation with CXO Outlook, Sanjay Kedia talks about trend observed in demand of cyber insurance policy, inclusions and exclusions of cyber insurance policy in pre and post COVID – 19, sector that has observed increase in demand for cyber security insurance and much more.
COVID-19 outbreak has companies to have a re-look at cyber insurance covers. What are the trends observed in the demand for cyber insurance policy?
Since the beginning of the COVID outbreak, many companies have accelerated or expanded the adoption of telework due to the need for an extremely quick ramp-up of IT solutions to ensure business continuity. This has resulted in one of the largest work-from-home situations in history and as an outcome of that cybersecurity has got stressed to a level never experienced before by corporations around the globe.
It has in a true sense tested the cyber resiliency of the firms and has brought forward the importance of cybersecurity as the topmost agenda item for these firms.
Besides large IT companies, now there is also a growing demand for cyber insurance policies from smaller companies and manufacturers who feel the need to be covered against cyberattacks. There is not only a surge in inquiries for cyber insurance, but many companies are going ahead and increasing the limit of their existing cyber cover as they see a higher risk now.
With more people working from home, what types of threats companies are facing in the present scenario?
With employees, and others asked to function remotely under stressful circumstances, and infrastructure pushed to handle more activity, it presents more opportunities to cyber attackers since home networks are less secure. These threat vectors are employing phishing and social engineering techniques using Covid-19 as the hook. While organizations have rushed to establish remote working capabilities, the biggest challenge is migrating from a physical presence to a virtual one. While doing so, the major threats to be considered are:
- Network Availability and system outages
- Remote working/e-learning / telemedicine presents an expanded attack surface
- Phishing Exploits and Social Engineering frauds
- Relaxing of Privacy Policies and Procedures
- Potential Delays in Cyber Attack Detention and Response
What is the scope of coverage provided by cyber insurance policies in the market today? What are the inclusions and exclusions of cyber insurance policy in pre and post COVID – 19?
a) Cyber policies have many coverage modules, but all are designed to address three core types of costs, all stemming from the same basic scenario: you lose control of your critical data.
- Privacy Liability & Regulatory Fines
- Data Breach Costs
- Business Interruption & Extra Expenses
b) We can foresee claims during the COVID situation and policy to trigger under the below extensions:
- Network Business Interruption, to cover the insureds for loss of income arising out of an interruption or suspension of computer systems due to a network security breach, administrative error, or system failure.
- Breach Response Service will cover direct breach loss mitigation costs like IT forensics, notification, credit monitoring, and public relation efforts.
- Fines & Penalties following a privacy breach event or for failure to comply with other aspects of privacy laws & regulations would be covered under Regulatory Defense expenses
c) All liability policies have a list of exclusions build in and Cyber Insurance is no different. We foresee the following exclusions under a standard policy which can limit the coverages:
- Infrastructure exclusion – excluding failure of power, utility, mechanical or telecommunications (including internet) infrastructure or services that are not under the insured’s direct operational control
- Business interruption coverage may be limited – some policies only cover business interruption from external cyber events or attacks but may not extend to system failure or voluntary shut down.
- Policy definitions may limit coverage – definitions of a computer system or network should be reviewed
d) Other coverage limitations – coverage for fraudulent transfer of funds due to phishing or social engineering may be sub-limited or excluded.
Tell us about the sector that has observed an increase in demand for cyber security insurer
The cyber insurance market is growing rapidly every passing day and we usually have an enquiry from IT / ITES to the manufacturing sectors on a daily basis. With the current situation of COVID, we have witnessed an increase in demand and insurer scrutiny for sectors like – Airlines, Hospitality, Retail & Financial Institutions.
About Sanjay Kedia
Sanjay Kedia, Country Head and CEO of Marsh India Insurance Brokers Pvt. Ltd, is responsible for the management and growth of Marsh’s business in India. Sanjay joined Marsh India since its inception in November 2002 and helped in setting up the business in a very nascent insurance broking market in India.
Sanjay has an MBA from SP Jain Institute of Management and has done his Advance Management Program (AMP) from Harvard Business School. He was selected for the Marsh 2006 Global Top Performer Award. He was also a part of the project finance advisory and debt syndication team with a leading financial institution for four years. In that capacity, he managed project advisory assignments for large deals in the power, telecom, road, and water sectors.
He is passionate about elevating the conversation on risk and has been a panelist in many leading risk consulting forums. He divides his personal time between gearing up for marathons and contributing to societal welfare/CSR initiatives.