Since the pandemic, businesses are waking up to cyber risk management. Cyber insurance might be the fastest-growing insurance sector in India today. This comes with a unique set of challenges that regulators and insurers need to address quickly. Here are 5 recommendations for the stakeholders.
The Indian business sector is increasingly buying cyber insurance coverage to shield itself against the adverse impact of pervasive cyber threats that include malware attacks, email compromises, phishing, insider attacks, crypto-jacking, and (nation-state) sponsored cyber-attacks on critical infrastructure-driven businesses. The amount of yearly cyber insurance coverage companies usually buy ranges from $1 million (small companies) to $200 million (large IT service providers), and it has been growing at a CAGR of 35 percent for the past three years (Source: DSCI). According to T. A. Ramalingam, CTO of Bajaj Allianz General Insurance, at least 2-5 percent of the overall premium collection in recent years from their business was generated from sales of its cyber insurance division. This growth rate has compelled insurance experts in companies such as Bajaj Allianz, ICICI Lombard, Tata AIG, HDFC Ergo, and Lloyds India—major cyber insurance policy carriers in India—to claim that cyber insurance might be the fastest-growing insurance sector in India today. This is primarily because companies in nearly every sector—startups, manufacturing, transportation, banks, non-banks, IT service, health, and retail—are steadily digitising their entire workflow for increased ROI and business process efficiency reasons, and are waking up to the importance of such policies for cyber-risk management, especially post-pandemic.
Hence, it is just a matter of time before this CAGR “honeymoon” period subsides in India, and the CAGR of cyber insurance solutions will catch up with the steady growth rate in the West (primarily the US market). In that case, the Indian cyber insurance market will encounter the same policy challenges pervasive in the Western cyber insurance markets that prevent cyber insurance solutions from realising their grander and socially beneficial vision of significantly improving cyber-security and driving down incentives for cyber-attacks instead of solely satisfying the interests of cyber insurance carriers.
However, before we lay down the policy challenges to effective implementation, it makes sense to propose some theory: visionary ideas for regulators that would ideally resolve the challenges for the societal benefit. The three different goals of carrier satisfaction, improvement in cyber-security, and de-incentivising cyber-attacks might call for different types of policymaking by regulators (e.g., government) in the first place. Regulators may shield cyber insurance carriers from going bankrupt by helping them (via consulting activities) improve their cyber-risk assessment models and by providing a financial backup for managing catastrophic aggregate cyber risks. The regulators might lay down rules that clarify and structure much better (than the existing status quo) the terms of commercial cyber insurance coverage (what policies do and do not cover, and more importantly, what policies should and should not cover) for policy buyers, leading to an improved market density that directly has a positive impact on cyber-security. To this end, regulators could also provide coverage for certain cyber-risk types that private insurance companies will refuse to cover. Regulatory policymakers can also affect the profitability of cybercrime and bolster the effectiveness of cyber-security best practices (e.g., those laid down by the NIST framework). This can be achieved by helping cyber insurance carriers identify and promote organisational awareness about security controls that are most effective in reducing risk exposure, by restricting extortion payments made by insurers to cyber-criminals, or by preventing negligent companies from dodging the full cost of regulatory fines and class action settlements through cyber insurance coverage.
[This article has been published with permission from IIM Calcutta. www.iimcal.ac.in Views expressed are personal.]