while buying cyber insurance (a) by an
individual and (b) by a corporate?
According to Anurag Rastogi, the
primary consideration while buying a
cyber insurance policy should be taking
stock of all the threats one may be
exposed to online, so as to buy a relevant
policy and suitable add-on covers. Besides
these, both individuals and corporates
need to be cognizant of the inclusions
and exclusions under their policy. It is
important to check the sub-limits for
the risks covered, he says, adding one
should also check the validity of the policy
in order to do a timely renewal
without break.
Individuals, according to him,
must consider their exposure and their
dependency on the internet. They must
also consider their family’s exposure, i.e.
the spouse and dependent children who
access the internet. “In order to ascertain
the sum insured, it is best to consider an
individual’s average spends online or the
credit card/eWallet limit. The insurer will
look at the individual’s past experience
and loss history online if any. This is
because any loss arising out of past acts
will not be covered under insurance,”
says he.
Corporates, he adds, need to be mindful
of the gravity of data that gets stored in
the system, the geographical spread of
the business (whether exposed to GDPR
countries), compliance requirements
such as PCI and HIPAA. Online presence
of the company and outsourced activity
also play an important role here, he adds.
Sasikumar Adidamu says at the
corporate level, companies need to evaluate
the potential risks as well as the coverages
offered. “For instance, a company, which
holds a lot of customers’ information (say
a food delivery app, financial institution or
a social media site), would want to make
sure that privacy and data breach liability
are covered. In order to retain coverage
under policy terms, companies need to pay
due diligence to avoid the cyber risks in the
first place. A robust data and cyber security
infrastructure ensures that there is no
callousness in dealing with cyber threats.
Companies need to also have a strong
recovery plan and backups in place. They
need to constantly change and evaluate the
infrastructure and prepare a framework to
tackle these hostile forces online. Updating
and upgrading continuously and an
appropriate cover is the only way to guard
against these emerging new types of cyber
risks,” says he.
Individuals, he adds, need to match
the policy coverage with their needs and
select the sum insured according to their
exposure. They must check the coverage
and exclusion section of the policy to
ensure that their needs are being met by
the policy.
PREMIUMS, CALCULATION
Premiums and their calculation are
crucial in insurance business. Jayant
Saran of Deloitte India says cyber
insurance premiums are calculated on the
basis of accurate analyses of risks in most
cases. Third-party service providers also
assist in assessing the most vulnerable
spots within an organization’s cyber
infrastructure. “This practice is quite
evolved for organizations that are more
aware. For smaller firms with little
knowledge or exposure to such cases,
the practice may take some more time to
reach total acceptance,” says he.
According to Na Vijayashankar,
the insurance industry at present is not
customizing the premium on the basis
of client specific risk assessment. “It
is mostly dictated by the re-insurance
costs,” says he.
Arjun Bhaskaran says the pricing
of cyber insurance is now led by MNC
insurance companies, which are
setting the price benchmarks based
on the research and experience of the
parent organizations. Indian insurance
companies will begin to offer products
and prices that clone the early movers.
Gradually, the pricing will improve based
on actual claims experience and finer
assessment of risks, he says.
BASIS EXPOSURE
Insurance company professionals,
however, differ. Anurag Rastogi of
HDFC ERGO says, like other commercial
products, the premium for cyber insurance
too is calculated basis the exposure. “The
premium rates depend on factors like the
scale of operations, limit of insurance
cover being purchased, industry risk
exposure, data liability exposure, claim
circumstances if any and others. The
premium rates are usually on the higher
side for financial institutions, considering
the risk exposure, in comparison to those
in the manufacturing or the healthcare
sector,” says he.
Cyber insurance premium is
calculated based on the cyber security
audit that can be a self-audit by the client
(via a proposal form and questionnaire)
or by the insurance company’s team of
experts, says Sasikumar Adidamu. “The
audit concentrates on the IT systems and
processes in place along with previous
incidents and changes made in light of
any previous incidents. The business
continuity plan, IT security policy, cyber
security audit process, type and volume
of data stored are some of the factors that
are considered. While the process is not
perfect, it is sufficiently elaborate and
detailed to provide the underwriters an
accurate picture of the risk. This process
too continues to evolve,” he elaborates.
Na Vijayashankar calls for
awareness creation and
more particularly making the
user industry understand the
nuances of cyber insurance