Monday Morning Report on Bridging Gaps in Cybersecurity with Cyber Insurance
March 11, 2024
Mr. Rohit Kumar Sharma, Research Analyst at the Manohar Parrikar Institute for Defence Studies and Analyses (MP-IDSA), made a presentation on “Bridging Gaps in Cybersecurity with Cyber Insurance” at the Monday Morning Meeting held on 11th March 2024. Lt. Col. Akshat Upadhyay, Research Fellow, MP-IDSA, moderated the session. Other scholars of MP-IDSA attended the session.
Executive Summary
The presentation summarised the significance of cyber insurance in securing cyberspace, predominantly for enterprises and organizations. The presentation also elaborated on the scope of cyber insurance, India’s cyber insurance landscape, the potential impact of the Digital Personal Data Protection Act 2023 on cyber insurance uptake, and the challenges facing the insurance industry. It also covered the significance of cyber insurance for the prevention and mitigation of cyber risks.
Detailed Report
In his opening remarks, Lt. Col. Akshat Upadhyay asked the speaker to differentiate between cyber theft and cyber threats and to comment on an incident relating to Chinese hacker company I-Soon.
The speaker began the discussion by introducing the topic to the audience and the rationale behind selecting the theme. He acknowledged that the book “Rethinking Risk in the Age of Ransomware, Computer Fraud, Data Breach, and Cyberattacks” introduced him to the concept of cyber insurance and its vital role in regulating the cybersecurity preparedness of organizations. Following this, he discussed the scope of the study and offered a few caveats before delving into the core of the topic.
The speaker mentioned how, besides the direct cost of a cyberattack, there are also hidden costs to reputation, future contracts, and relationships with customers. As reported, IP theft remains one of the prominent reasons behind cyberattacks against companies. Following an attack, companies also incur financial losses due to penalties levied on them by regulators. Healthcare remains the sector most affected in terms of data breach cost, followed by the financial sector and the pharmaceutical sector. The situation following a cyberattack is fraught with challenges, as the average data breach lifecycle is 277 days, and the longer the lifecycle, the higher the cost to the victim.
Furthermore, he discussed what cyber insurance is, which is essentially a risk transfer mechanism that supports and protects businesses and individuals from financial repercussions following a cyber incident. Moving ahead, Mr. Sharma also discussed the Insurance Regulatory and Development Authority of India’s (IRDAI) definition of cyber insurance, emphasising the adoption of preventive measures to improve the cybersecurity posture of an organization. Mr. Sharma also briefly elaborated on the stakeholders that constitute the cyber insurance ecosystem and the significant role played by these entities.
The speaker also underlined how insurance enables risk sharing with an organization against inevitable cyber incidents. He also underscored the systemic nature of cyber risk, which is directly correlated to a company’s increasing dependence on Software-as-a-Service (SaaS). The speaker highlighted the importance of applicable insurance covers for managing cyber risk, which encompass defense costs arising from privacy breaches, expenses for hiring lawyers to represent an organization against lawsuits, regulatory costs and fines, as well as the response costs associated with notifying affected individuals.
Further, the speaker elaborated on the distinction between first-party coverage and third-party liability coverage. First-party coverage addresses the direct costs incurred by the company, such as cyber extortion and business interruption losses. On the other hand, third-party coverage involves expenses paid to the aggrieved third parties or the liability arising out of regulatory penalties.
The speaker also addressed other types of services offered by the insurers, including the incident response team (IRT). The technical IRT provides access to dedicated technical personnel experienced in managing cyber incidents. Legal IRT assists in notifying affected customers or individuals during the initial phase of the breach, and public relations IRT helps in mitigating reputational damage and developing a long-term recovery plan. The speaker also highlighted how the need for cyber insurance is felt more in small and medium enterprises because of the less sophisticated IT infrastructure.
He also discussed the role of the chief information security officer (CISO) within an organization’s decision-making. Continuing further, he delved into the underwriting methodology employed by the insurers to determine premiums and maximum coverage. These assessments and pricing strategies rely on data-driven approaches drawn from information collected by insurers through questionnaires, surveys, and various other forms of risk assessments. This approach allows insurers to provide monetary incentives to insured entities by setting premiums and coverage levels based on factors such as cybersecurity preparedness, risk mitigation strategies, and the presence of an in-house cybersecurity team. He briefly discussed the terms of reference of the IRDAI’s working group committee. He also elaborated on how cyber insurance cover can help with regulatory compliance associated with the Digital Personal Data Protection Act (DPDP) 2023.
Questions and Comments
The presentation was followed by a Q&A session. Col. Vivek Chadda (Retd.) raised queries regarding the possibility of cooperation between private cyber security vendors and government agencies, and also regarding potential misuse of data by major companies. Mr. Sharma responded by talking about the Digital Personal Data Protection Act and sectoral regulators like RBI, which, for instance, has come up with a security framework for the banking system. He also elaborated on the role of the Indian Computer Emergency Response Team (CERT-In), which acts as an early warning system for cyber threats and attacks in India. Dr. Anand Kumar raised a query regarding cyber insurance providers in India and inquired whether cyber insurance extends coverage to the impact of armed conflict on physical infrastructure.
The report was prepared by Ms. Julia Jose Thachil, Intern, Counter Terrorism Centre, MP-IDSA.