It's time Indian companies start taking cyber insurance seriously

In 2011, Sony had suffered massive cyber attack that led to hackers getting unauthorised access to the PlayStation network. 77 million accounts were hacked and Sony had no choice but to shut down the network for over 20 days. It was a time when cyber insurance wasn't really heard of, but as an Internet company, Sony was prepared to take on such attacks, at least financially, or so it believed.

Until Zurich America insurance Co. denied the claims made by Sony and there began the legal limbo. According to this report, acts by third-party hackers were not covered under the 'personal and advertising injury coverage' in Zurich’s insurance policy, which brought to the forefront the need to carefully look at these insurance products before buying them.

Today as cyber crimes are on the rise, and our lives digitally dependent, there is a lot to be learnt from that Sony hack. Fast forward to 2015, Sony Pictures faced a massive cyber attack that its chief described as 'having your house robbed and burned to the ground'. For those who have been in a similar position will find this statement quite relatable.

The attack led to wiping off huge amount of data online, stolen data was strewn online and pirated copies of movies were flung around. However, what was different was this destructive cyber attack was fully covered by insurance. So, it saved Sony the pain it would otherwise have to go financially to make up for the loss. After all, Sony had learnt it the hard way.

Year over year, the importance of cyber insurance has started taking forefront. Cyber insurance may not mitigate threats or reputation, but it will extend some financial assistance, considering the several parameters such as forensic investigation, disruption of business operations, breach notification and remediation, cost of lawsuits and penalty etc, Dr. Krishnashree Achuthan, CEO of Amrita University’s Center for Cybersecurity Systems and Networks, tells Newsable. It's time Indian companies start taking it seriously.

Cyber insurance and India

Cyber insurance is slowly begun popping its head in India. Achuthan said that awareness is growing rapidly due to the recent data breaches. For instance, many financial organizations have either already acquired or are considering cyber insurance after the debit card information breach of customers from well known banks such as SBI and ICICI, she added.

IT giants that manage gigantic amounts of third-party data are covered under insurance plans. However, she adds that prior to looking into cyber insurance, organizations in India must look into the basics of securing their systems and networks such as upgrading systems, installing patches, deploying firewalls etc. Cyber insurance can be cashed-in on only when a cyber-incident occurs despite having all security measures in place.

What about smaller companies and startups?

In India, there are startups a dime a dozen, and most are Internet-based companies with operational apps. But, will small startups be able to afford the insurance plans. According to Achuthan, it’s the cyber insurance providers that have a lot to do to scale to different types of enterprises both in terms of their size and the type of assets they protect. "Insurance offerings cater only to large companies and financial institutions that have massive amounts of third-party data to protect. For small and mid-size companies, the insurance premium maybe anywhere between 12-20 lakhs a year for a coverage of Rs. 10 crore, depending on where the customer’s data is located," she adds.

It is such massive premiums widen the reach for entrepreneurs and create a gap between insurers and companies. With 'Digital India' being among the government's pet project, it’s a grim reality here. "Many cyber attacks are targeted towards companies with less than 250 employees. What enterprises lose here is their intellectual property. An off-the-shelf policy will never work and the valuation of assets to be protected will vary depending on the nature of the enterprise," she adds.

Cyber security education

Cyber crimes are getting more sophisticated and there is clearly a shifting pattern. It is now become essential to educate and create awareness about cyber crimes, be it about creating a strong password to warnings against clicking unverified links. As we dive deeper into a digital world, including cyber security education in schools could help. There are various new-age issues such as cyber bullying (India is among top three countries), cyber stalking or even reckless use of social media.

"Cyber security education in schools will also help bridge the paucity of cyber security skills in the nation in the long run, as a new breed of cyber savvy youth emerge out of our schools, thus enabling India to garner a competitive advantage against other nations that are already engaged in such activities," Achuthan adds.

• Cyber crimes
• Cyber insurance
• Cyber insurance companies
• Insurance companies
• Sony hack
• WannaCry