Cyber insurance is getting tougher to get, even as attacks increase
Insurance providers in India, wary of the growing number of cybersecurity attacks on Indian organisations, are increasing the cost of cyber insurance in the country and stepping up compliance norms. According to industry stakeholders and experts, insurers have seen record highs in the number of cyber insurance claims made by companies hit by ransomware attacks and more.
For instance, ICICI Lombard has seen an increase in the cost of premiums by 40-60% post pandemic, said Sanjay Datta, chief, underwriting and claims, at the firm. A spokesperson for a second cybersecurity insurance firm said that unlike insurance claims for vehicular accidents, which usually amount in the lakhs, cyber insurance claims run up to $2-3 million at a time.
The number of cyber policy claims and reports increased by over 220% year-on-year between 2020 and 2021, according to Surya Narayan Saha, research manager, financial insights at market research firm International Data Corporation (IDC). According to the company’s forecasts in April this year, insurers are projected to spend above $20 million in 2022 on cyber risk management.
Further, T.A. Ramalingam, chief technical officer at insurance firm Bajaj Allianz General Insurance, said the company has seen a nearly 100% increase in the number of cyber insurance claims filed by corporates in the “last few years”. He added that the increased focus on digitization and remote work after the pandemic, geopolitical unrest and increasing activity from ransomware groups have contributed to this increase.
Ransomware is a type of malware that encrypts a company’s data and demands payment in exchange for the decryption key. Groups running such attacks have evolved drastically since the pandemic, with criminal groups providing ransomware-as-a-service to others, he added, and ransomware is the most common kind of cyber threat for which claims are filed.
In February, security firm CrowdStrike identified a criminal group called Pinchy Spider, which provided such a service using a ransomware called REvil, which had been responsible for attacks worth $10 million at the time. REvil is among the best known ransomware originating in Russia, and it counts large companies like Apple-supplier Quanta Computer among its victims.
For users of cyber insurance, all this means it’s getting more difficult to get insured. The Chief Information Security Officer of a motor vehicle company operating in India, who requested anonymity, said that getting cyber insurance today calls for much more negotiation before firms arrive at a consensus for premiums. Earlier, security reviews used to include a macro-level assessment of the applicant, whereas now it’s a micro-level assessment.
“It’s not like if you just tell them we have implemented certain measures they will believe it. Now they (insurance firms) come physically to check whether all controls are in place,” he said.
ICICI’s Datta elaborated that with loss ratios going up, underwriters, who assess the exposure faced by clients, are repositioning how they evaluate firms’ security postures before granting them insurance.
The insurance firm spokesperson quoted above said that even the policy form that firms have to fill in to apply has grown from two to five pages now.
According to Datta, insurance firms evaluate risk by taking cognizance of everything from a firm’s infrastructure to the data they handle. They do this by considering three major pillars now: human firewall, process and technology. This means that firms can’t just have software firewalls in place, but will need employees dedicated to fighting cyber attacks in order to qualify for insurance. In addition, reviews are conducted of information security policies, business continuity plans, the nature of data a company handles, its geographical presence and more.
In addition, for companies handling personally identifiable data of users, cyber insurance will also come at a premium, since such data is considered more sensitive and can be devastating if lost or leaked. The number of people they employ can also play a role in determining eligibility, and a higher weightage is applied to “factors that are related to insured’s compliance with various statutory requirements.”
A survey conducted in May by security firm Sophos noted that 94% of those with cyber insurance said that their experience of getting insurance has changed over the past 12 months, because of higher demands for security measures, and more complex and expensive policies.