New cybercrimes are taking place at a rapid pace and causing heavy losses. Where there is risk, insurers can’t be far behind. However, before taking out cyber insurance cover, we, as average users of the Internet, need to understand whether it would really help in reducing the loss. Cyber-attacks are becoming more sophisticated, from distributed denial of service (DDoS) attacks to ‘man-in-the-middle’ attacks. In addition, the popularity of virtual currencies and their characteristics offer hackers and attackers protection from being backtracked or traced. This will only fuel further ransomware attacks in the future. Remember, in several recent ransomware attacks, the victims were asked to make payment in virtual currencies like Bitcoin.
According to a recent report from McAfee, the total cost of cybercrime globally is about $600 billion, or 0.8% of global gross domestic product (GDP). No wonder insurers are eyeing this lucrative business. They feel that the increasing frequency of breaches and the associated costs highlight the need for cyber insurance.
According to Sanjay Datta, chief for underwriting, claims and re-insurance at ICICI Lombard General Insurance, cyber insurance will not help a company or entity to prevent a cyber breach, but it could help them survive one.
“A typical breach would require the company to hire forensic experts to investigate the breach and recover its lost data, appoint lawyers to communicate the breach to the regulators, customers and other stakeholders as per regulations. The services of a public relations expert may also be required to handle the press and other media. All of these expenses can make a huge dent in the company’s bottom-line, especially small and medium enterprises. A standard cyber insurance policy would provide cover for all these costs, and further covers, such as cover for business interruption and fraudulent fund transfer; payment card industry data security standard (PCI DSS) may be purchased depending upon the risk profile and needs of the customer,” he says.
What is important in cyber insurance is that there cannot be one product that fits all. Every product needs to be designed, or customised, to suit the requirements of each customer. Add to this the ever-evolving nature of cyber risk, which poses an even bigger challenge for insurers, as they need to work towards providing a wholesome risk mitigation product to customers every time. Insurers have been trying to do so for almost 20 years.
Noted security expert Bruce Schneier, who is also chief technology officer at IBM Resilient, has explained the issues faced by cyber insurers in his upcoming book, Click Here to Kill Everybody: Peril and Promise on a Hyperconnected Planet. He says, “Internet plus insurance is complicated because it follows neither of the basic models (fire and flood) but instead has aspects of both: individuals are hacked at a steady (albeit increasing) rate, while class breaks and massive data breaches affect lots of people at once. Also, the constantly changing technology landscape makes it difficult to gather and analyse the historical data necessary to calculate premiums.”
This brings us to the most important question: Should an individual buy a cyber insurance policy? In my opinion, individuals need not buy an expensive cyber insurance policy if they follow certain basic rules. Use only authentic software; update it regularly; do not leak personal information in the public domain; share information only on a ‘need to know’ basis with anyone, be it the government or any private entity. In addition, follow simple rules like not engaging with strangers and not being enticed by ‘attractive’ offers. If you follow these, you will not need cyber insurance and if you don’t, even the insurance policy may not save you.