The Global cyber insurance market is expected to grow at a CAGR (compound annual growth rate) of 27% from $4.2 billion in 2017 to $22.8 billion in 2024, claims a new report by Data Security Council of India (DSCI), released at a FINSEC Conclave 2019 for Banking and Financial Sector on April 26.
“Cyber risk, data breaches and its consequent financial liabilities, looms large on the rapidly evolving Digitisation momentum of every sector and business. Cyber insurance is proving to be a key tool in the risk management and cost-offsetting arsenal of an enterprise and at the same time scaling up the prevention and protection measures,” said Rama Vedashree, CEO, DSCI in an official press statement.
While the adoption in India is still very limited, the demand for cyber risk insurance is growing. India registered a 40% year-on-year growth from 2017 to 2018, at a time when Indian companies were facing one of the worst ransomware attacks in history, resulting in days of disruption to business operations. About 350 cyber insurance policies have been sold so far, claims the report.
Companies in the IT/ITES (Information Technology/Technical Entry Scheme) sector, along with Banking and Financial Services are early adopters of cyber risk insurance. The insured amount for cyber risks ranges from $1 million to $200 million for Indian companies, says the report.
The report also alludes to the Allianz Risk Barometer 2019 study, which highlights that businesses in India consider cyber incidents as top risk.
According to a March report by Sophos, a security services provider, 76% of Indian businesses were hit by cyberattacks in the past year, while a Microsoft and Frost and Sullivan studyfrom December 2018, pegged average financial cost of cyber attacks for Indian companies at $10.4 million.
Most cyber risk insurance plans provide coverage for losses that might occur due to unexpected cyberattacks, but there are some that cover physical damage to hardware too. Some insurance providers also give the option to personalise the plan in line with the company’s business security requirements.
While cyber risk insurance can help companies minimise their losses, it is not an alternative to the company’s cybersecurity strategy. Cybersecurity experts are of the opinion that the kind of insurance cover a company qualifies for depends on the their cybersecurity efforts. Any insurance provider will first evaluate the strength of a company’s cybersecurity position before issuing a policy. Stronger effort towards cybersecurity can result in better coverage. Fragmented enterprise security can result in inadequate or poorly targeted insurance cover.
Companies need to negotiate the policies carefully before buying them. With governments assigning blame for large scale cyberattacks on each other, insurance companies have found a loophole to exploit.
According to a New York Times report from April 2019, after the NotPetya cyber attack on warehouses of Mondelez International (owner of Cadbury chocolates) in 2017 in US, the company reported financial losses of over $100 million. To the company’s shock, their insurance provider, Zurich Insurance, rejected their claim, citing the war exclusion clause in the insurance contracts, which protects insurance companies from bearing costs related to war damage.
According to the same NYT news report, several insurance providers in US have tried to use war exemption to avoid claims related to cyberattacks.