
This article has been written by Rishabh Mishra, pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. The article has been edited by Prashant Baviskar (Associate, LawSikho).

Introduction

Cyber insurance is one of the key components of business security and a must-have in the present market, as every business model wants to be digitally present. Every new technology brings ease of working to a business, but it also brings new challenges and risks. These risks encourage businesses to be more vigilant, so that they can face the challenges and mitigate the risks. In the recent past, however, we have seen a sudden increase in dependence on digital modes of working, mainly due to the pandemic. People working from home have started using their personal computers. This has resulted in a shift from secured computers to probably unsecured ones, which become targets of cyber-attacks. This is one of the recent factors that has become a major concern for cyber insurers, and it adds to the existing market challenges discussed further in this article.

Challenges for cyber insurance

Before turning to the market challenges, some basics of cyber insurance are discussed here. For a risk to be economically viable to insure, it must meet the following general criteria of insurability:

  1. Risk must be quantifiable.
  2. Risk must be diversified among communities in terms of risk exposure.
  3. Risk must occur randomly, or one may say that the occurrence of risk should be unpredictable and such occurrence should be free from the will of the insured.

All insurance premiums are quantified based on these general principles. Prices are also affected by the following factors, each of which poses a challenge of its own.

Quantifying risks

Assessing cyber risk comes with three challenges: first, a lack of historical data on cyber incidents; second, the dynamic nature of cyber risks and of the relevant legislation; and last, access to the corporate security information that is necessary for underwriting individual risks. The first challenge results from a lack of awareness among victims of cyber incidents and their inability to report attacks, which makes it difficult for cyber insurers to understand the threat while underwriting. The cyber world and its threats are dynamic in nature, so it is also a challenge for cyber insurers to identify possible threats, and this makes it hard for them to decide which sorts of threat they should cover and at what price. The last challenge is associated with the threat of disclosure of the security measures and methods adopted by companies. There is a clear-cut issue of trust between insurers and the insured. Because of this, companies do not share their security details with the insurer, which limits underwriters to working with probabilities of threats instead of quantifying actual threats. Quantifying actual threats and risks is needed more than ever in the present time of pandemic, because the work-from-home culture has made “bring your own device” a practical reality. People have started using their personal devices, and corporations allowing this is a serious concern for cyber insurers because it is very hard for them to foresee the loss that such devices may bring through a data breach.

Accumulation risks

Common accumulation risks include common software vulnerabilities, disruptions of information technology services, incidents at critical infrastructure providers, and the far-reaching effects associated with these risks. A common software vulnerability, if exploited, could result in mass data corruption, the effects of which may extend beyond national boundaries. A dent in widely used software may give perpetrators access to a huge amount of information. An attack on an information technology service provider may put its various users at risk, and it would be very difficult to assess such a loss of data in monetary terms. Software is not the only concern for service providers: a threat to the physical infrastructure on which digital technology relies may also expose an entity to a huge risk. A cyber incident at a critical infrastructure provider may likewise expose an entity or individual to various risks. The far-reaching effects of these risks may affect multiple persons and can create chain reactions. For instance, a cyber incident may lead to a malfunction in a factory's manufacturing process, which results in loss of property as well as delays in production and defects in the final product.

Reinsurance availability

The above risks and the factors governing them also reduce the chances of reinsurance of cyber risks. Companies become reluctant to cover their customers after catastrophic events. Reinsurance offerings from cyber insurers are further reduced by structural challenges: the mixture of first-party property coverage and liability coverage to third parties that is usually included in stand-alone policies.

Astronomical attacks

The astronomical increase in the number of attacks is yet another factor behind the increase in cyber insurance premiums and the lowering of the risks covered. Given the far-reaching effects of the above factors, higher premiums and lower risks are all the more convincing from the cyber insurers' point of view.

The way out

Looking at the nature of attacks in cyberspace, it would not be out of place to mention that there is little expectation of reducing cyber-attacks through legislation. Though legislation provides regulatory guidelines, the pivotal role in mitigating the effects of cyber risks can only be played by cyber security mechanisms. Some of the best practices and factors that organisations as well as individuals can adopt and consider in order to negotiate lower premiums with cyber insurers are as follows:

  1. Regular penetration testing— While negotiating the premiums of cyber security insurance, the organisation must be able to show that it is regularly testing its cyber-security mechanism to expose its system’s vulnerabilities.
  2. Strong passcode control policy— A strong password gives a sense of security and makes the data impenetrable. It is advisable that passwords contain unique words with alphanumeric content and special characters. This practice shall be considered in premium negotiations.
  3. Encryption of sensitive data— Encrypted data is very hard to penetrate, and this practice is considered one of the best means of protection. Maintaining it, with access limited to a few people, creates trust between insurers and entities, and entities can take advantage of it during premium negotiations.
  4. Control on the access of records— The number of records an organisation deals with, by way of transfer, storage or access, and the number of people who can access them are further criteria for determining the premium. The lower the number of records, the lower the premium.
  5. Work with your existing carrier— The carrier that already insures one’s property may charge a lower premium for additional insurance.
  6. Coverage— It is yet another factor that depends on the nature of business and can only be determined according to the needs of such business. It may increase or decrease the premium.

Conclusion

It would not be out of place to mention that cyber insurance is driven by the same factors as any other insurance: quantifiable risks, diversification of risks and uncertainty of events. However, it is very hard to assess the loss suffered by an entity because all the insured data is in digital form and its worth can only be predicted. To quantify the loss, only assumptions and presumptions can be made. Diversification of risk is also hard because of the nature of digital content. Cyber insurers may distribute the loss caused by the risk, but they are not ready to compensate it because they are too rigid to offer stand-alone policies. This means insured persons may recover the loss they have suffered themselves, but they will not be insured against the loss that a third party has suffered due to their negligence. The third part, the uncertainty of events, is somewhat similar to that in other insurance, but the events here are more dynamic. For instance, in motor insurance a person is insured in the event of an accident, but in the case of cyber threats a person has to be insured against an unauthorized online transaction, e-mail spoofing, phishing, identity theft, damage to e-reputation, cyberbullying, social media liabilities, malware attacks, IT theft loss or any other event or act of cyber threat. This last part, “any other event or act of cyber threat”, brings with it a lot of unpredictable events, because a change in technology also changes the manner and pattern of attacks. The factors that affect the pricing of cyber insurance, based on the above governing factors, encourage cyber insurers to prefer high premiums covering lower risks of persons. The major cause of these higher premiums is the combination of uncertainty and unpredictability of events.
The only way to lower premiums is self-assessment of the needs of the business and the adoption and consideration of best practices: when negotiating premiums, these may not necessarily expand the coverage, but they will necessarily help in lowering the premiums offered for it. Thus, best practices can be considered a saviour, at least from higher premiums.
