Cybersecurity insurance, a new buzzword among Indian insurers, have crucial roadblocks to surmount before it can live up to the potential promised by the companies. Lack of actuarial data on cyber-attacks, murky disclosures by victim companies and the incredible speed at which a breach may spread globally has companies in a bind.
Actuarial data helps insurance companies evaluate financial implications of risk and uncertainty by applying mathematical and statistical methods, while devising solutions to reduce chances of any future risks and occurrence of any undesirable events. In case of cyber security insurance, actuarial data is scarce as it is a new line of business. And the little data that insurance companies have loses relevance because cyber threat keeps getting deadlier.
Earlier this year, Warren Buffett said cybersecurity incidents will rise, and with it the potential to significantly harm the insurance industry. He said he doesn’t want much underwriting exposure to cybersecurity threats for Berkshire Hathway’s insurance businesses and expressed skepticism that any insurance company can assess the risk for cybersecurity events.
“While the insurers are confident about how cyber risk affects different businesses, they currently face a challenge of lack of enough actuarial data in this new space. Hence, insurance companies rely on qualitative underwriting assessments to evaluate the risk exposures of each client and their security posture,” said Sushant Sarin – Executive Vice President – Commercial Lines & Reinsurance, Tata AIG General Insurance Co. Ltd.
Cybersecurity insurance segment is growing anywhere between 50-100 percent annually, according to aggressive growth projected by various insurance companies and brokers. However, with the growth has come some caution on how to assess a cyber-risk. Bajaj Allianz, HDFC Ergo, ICICI Lombard and Tata AIG are seeking help from either cyber experts or global reinsurance companies.
Cyber-attacks not only cause financial losses to companies that are hurt by shut downs or slowdown in operations but also opens them up to a risk of irreparable reputational damage, regulatory fines and legal liabilities in case of customer data breach. In cyber extortion cases, it is even tougher to quantify the adequacy and requirement of cover.
“In privacy and data breaches, the losses could be financially devastating and with increasingly stringent guidelines and laws imposing stricter than ever penalties, it is not easy to quantify the potential losses,” said Sasikumar Adidamu, Chief Technical Officer, Bajaj Allianz General Insurance.
He added that due to the increasing use of cloud computing services and platforms, the cyber-attacks may lead to breaches on multitudes of connected devices, which leads to accumulation – a term used for domino effect in the insurance industry.
“There is a reason for concern. The risk is new and the effects are global. Cyber risk can affect different entities of one company across the globe or different companies at one go. Underwriting cyber insurance is a challenge because there aren’t too many models for risk assessment,” said Sanjay Datta – Chief Underwriting, Claims and Reinsurance, ICICI Lombard.
One of the reason for a general lack of data apart from newness of the segment is due to missing public disclosures. Although the number of cyber-attacks are increasing a majority go unreported. Unlike India, the US Securities Commission of India has mandated disclosure of cyber security risks and breaches, including potential weaknesses that have not yet been targeted by hackers.
“There is a lot of scare but data on losses caused by attacks is not known. A scientific analysis is not possible. We don’t price insurance, we depend on reinsurance players,” said Anurag Rastogi, Member of Executive Management, Chief Actuary and Chief Underwriting Officer at HDFC ERGO General Insurance. “It is indeed complex, cyber insurance. We will take time to understand it.”