Major cyber insurance policy carriers in India are claiming that cyber insurance might be the fastest-growing insurance sector in India today.
The Indian business sector is increasingly buying cyber insurance coverage to shield itself against the adverse impact of pervasive cyber threats that include malware attacks, email comprises, phishing, insider attacks, crypto-jacking, and (nation-state) sponsored cyber-attacks on critical infrastructure-driven businesses. The amount of yearly cyber insurance coverage companies usually buy ranges from $1 million (small companies) to $200 million (large IT service providers) and it is growing at a CAGR of 35 percent for the past three years (Source: DSCI). According to T. A. Ramalingam, CTO of Bajaj Allianz General Insurance, at least 2-5 percent of the overall premium collection in recent years from their business was generated from sales of its cyber insurance division. This growth rate has compelled insurance experts in companies such as Bajaj Allianz, ICICI Lombard, Tata AIG, HDFC Ergo, and Lloyds India—major cyber insurance policy carriers in India—to claim that cyber insurance might be the fastest-growing insurance sector in India today. This is primarily because companies in nearly every sector—startups, manufacturing, transportation, banks, non-banks, IT service, health, and retail—are steadily digitising their entire workflow for increased ROI and business process efficiency reasons, and are waking up to the cyber-risk management importance of such policies, especially post-pandemic.
Policy challenges to ensure social good through cyber insurance markets
Although the cyber-insurance market in India is showing a rapid growth rate, we can't discount that this is due to (a) a recent push in the awareness of the importance of residual cyber-risk management solutions such as cyber insurance among organisations with Internet-facing business processes, combined with (b) the traditionally extremely low coverage base spanned by cyber insurance solutions in the last decade.
Hence, it is just a matter of time before this CAGR “honeymoon” period subsides in India, and the CAGR of cyber insurance solutions will catch up with the steady growth rate in the west (primarily the USA market). In that case, the Indian cyber insurance market will encounter the same policy challenges pervasive in the western cyber insurance markets that prevent cyber insurance solutions from realising their grander and socially beneficial vision of significantly improving cyber-security and driving down incentives for cyber-attacks instead of solely satisfying the interests of cyber insurance carriers.
However, before we lay down the policy challenges to effective implementation, it makes sense to propose theory—visionary ideas for regulators that would ideally resolve the challenges for the societal benefit. The three different goals of carrier satisfaction, improvement in cyber-security, and de-incentivising cyber-attacks might call for different types of policymaking by regulators (e.g., government) in the first place. Regulators may shield cyber insurance carriers from going bankrupt by helping them (via consulting activities) improve their cyber-risk assessment models and providing a financial backup for managing catastrophic aggregate cyber risks. The regulators might lay down rules that clarify and structure much better (than the existing status quo) the terms of commercial cyber insurance coverage (what policies do and do not cover, and more importantly—what policies should and should not cover) for policy buyers to an improved market density that directly has a positive impact on improved cyber-security. To this end, regulators could also provide coverage for certain cyber-risk types that private insurance companies will refuse to cover. Regulatory policymakers can also affect the profitability of cybercrime and bolster the effectiveness of cyber-security best practices (e.g., those laid down by the NIST framework). This can be achieved by helping cyber insurance carriers identify and promote organisational awareness about security controls that are most effective in reducing risk exposure or restricting extortion payments made by insurers to cyber-criminals or preventing negligent companies from dodging the full cost of regulatory fines and class action settlements through cyber insurance coverage. Also read: Why cyber-security needs to be a strategy in the infinite corporate game
Aligned with the ideas mentioned above, cyber insurers, regulators, and the cyber-actuarial research community have come up with multiple proposals (not necessarily sustainably working solutions) in the last decade. The most salient ones include:
(i) suggesting policy measures that should enable voluntary participation of organisational management in cyber-vulnerability data sharing (with partners, vendors, and the society) initiatives to mitigate adverse selection and moral hazard issues in cyber insurance, and
(ii) calling for introducing a law to mandate cyber insurance coverage for all companies.
However, the global cyber insurance market, along with organisational management, is currently too divided for the former to impact ‘risk-transparent’ policymaking. It is not evolved enough for national mandates to be remotely feasible or effective. For the latter, regulatory policymakers can disentangle many different types of risk, through apt cyber-risk modelling, to and from digital technologies to encourage organisations to voluntarily adopt cyber insurance.
Currently, these different types of risks are being increasingly packaged together in stand-alone policies that have two major drawbacks: first, they exclude/stay silent on the coverage of new types of cyber risks that adversaries devise over time, and second these policies are unable to recognise the deep statistical correlations between these cyber-risks and non-cyber risks on other existing lines of coverage—instead incorrectly assuming statistical independence between two risk types. Adopting instead the idea of integrating cyber-risks into existing lines of coverage to serve the interests of both cyber insurers and policyholders has the challenge of getting greater clarity on the amount of cyber-risk out of the total risk of any existing line of coverage (consequently driving the design of incentives to promote apt human/employee behaviour towards cyber-security best practices for respective lines of coverage). This brings us back to the challenge of recognising statistical correlations between different risk types. Bottomline, it might be a significant undertaking to revamp the currently popular trend of stand-alone cyber policies towards disincentivising cybercrime—satisfying profit-minded carriers and their customers. Also watch: Cybersecurity awareness, education dismal in Indian boardrooms
Recommendations for effective regulatory policymaking
We propose the following recommendations for effective regulatory policymaking to ensure social good through cyber insurance markets.
- Regulators should enrich their consultation activities with cyber insurance carriers for the best (for the social good) underwriting practices adopted by the latter to address the changing landscape of online threats and infrastructure. To this end, the two most important, pertinent, and timely consultation dimensions are the degree of government help covering the costs of large-scale catastrophic cyber risks and making it easier for policy underwriters to have access to better claims and security control data. Concerning the former, policymakers should revisit the role of existing government reinsurance programs regarding cyber threats and consider the types of catastrophic cyber risks for which cyber insurance carriers should be receiving government assistance. On one hand, the legal disputes in the 'NotPetya' cyber-attack, driven by policyholder surprises on carriers denying claims, clearly show that drawing boundaries between warlike acts, terrorism, and everyday attacks in cyberspace is far from straightforward. On the other, cyber insurers should not assume that they would be supported by regulators under reinsurance programs without precise clarifications on types of cyber risks that could trigger government backstop support. The rest should be mandated to be covered by the cyber insurer. This combination of policy measures would result in a ‘win-win’ state that will help bolster insurers’ confidence in their ability to handle large-scale attacks while providing confidence to policy buyers that they will not be denied coverage merely because they suffer a sophisticated or state-sponsored attack that affects many victims.
- Policymakers should consider mandating cyber insurers to report to regulatory authorities aggregate, anonymised claims data on the correlations between different cybersecurity products, frameworks, and guidelines. This will (a) allow the former to develop better risk models with more reliable data, and (b) would enable businesses, governments, and researchers to learn from the collected experience of cyber insurers in trying to assess the effectiveness of different cybersecurity techniques, tools, and services. Overall, effective and mandated data reporting and aggregation will serve an important societal purpose in providing the ‘public’ greater access to information about the overall effectiveness of different security controls and cybersecurity mitigation measures. This is given that the private industry hardly initiates establishing an Information Sharing and Analysis Organization (ISAO).
- It is imperative that policy regulators, for the sake of cyber insurance policy buyers, clarify and standardise the legal wording in policies available to the latter in partnership with insurance industry organisations like the Insurance Services Office (ISO) in the USA, for designating which cyber risks are and are not covered under their (CGL and/or stand-alone) policies. Apart from clearing out a customer’s mind on precisely what its cyber-policy is covering, this could enable the latter to compare across cyber insurance policies for brokers, thereby inculcating healthy market competition of security-improving cyber insurance solutions. Regulators should also enforce and standardise the operation that certain lines of non-cyber insurance should provide a basic amount of coverage of cyber-risks. This will possibly also help fill any notable gaps in coverage.
- Regulatory policymakers must have a focused eye towards improving cyber-security, even at the cost of limiting the cyber insurance market that might upset both carriers and policyholders. As a most pertinent example, cyber insurers should endorse the unpopular practice of not paying online extortion demands by ransomware attackers to recover files. This would serve an important social goal of decreasing cybercrime by reducing the profits of cyber-criminals—even though businesses would find it difficult to insulate themselves from the direct costs of ransomware. One would argue, and even cite real-world examples, where the cost accrued by (cyber-insured) organisations to recover files without paying a ransom is more than that when they decide to pay the ransom. However, their logic that weighs the cost of a ransom against the amount of money needed to restore business computer systems without paying a ransom demand does not consider the costs of future such attacks that the perpetrators will commit supported by the funds they received from their victims. It is in this regard that regulators, arguably even more than other victims of ransomware attacks, should take responsibility to disincentivise cybercrime by preventing ransom from being paid through cyber insurance policies. This would contribute to the greater goal for the social good of making cyber extortion less profitable and therefore, less likely to be actively pursued by criminals in the future.
- Regulatory policymakers should enforce limits on the amount of insurance money that can be used for paying government fines by companies experiencing cybersecurity breaches because of failing to adopt cyber-security best practices. As an example, for data protection regulations (such as the GDPR), forbidding insurers from covering regulatory penalties would add force to these regulations and potentially make businesses directly face the financial consequences of their decisions to (or not to) allocate enough budget to build a cyber-security culture within their organisation. This will drive regulatory investigations to serve as more effective deterrents to poor security practices.
Ranjan Pal (Massachusetts Institute of Technology, Sloan School of Management)
Bodhibrata Nag (Indian Institute of Management Calcutta)
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]