At a time when cyber crimes are growing rapidly, a panel set up by the insurance regulator has suggested that instead of a standard cyber insurance cover, the industry should focus on popularising the cyber insurance product, make it easier for insurers to adapt the product as per customer requirements and continue to enrich customer’ experience and protection.
The panel suggests that insurers can build in certain minimum covers as a part of individual cyber insurance. Though individual cyber insurance was introduced in India in 2017, few insurers have filed this policy with the regulator. However, the panel has underlined that with the outbreak of the Covid 19 pandemic, the world has become more digital. In ecommerce, banking, and education, there is a shift from the physical to the digital. It suggests that insurers must work towards offering comprehensive solutions rather than mere loss mitigation products, not only as a customer friendly initiative but also as a good risk mitigation measure.
While individuals perceive payment and bank account hacks to be a bigger cyber attack problem, companies are worried more about data breach and network interruption. The panel says that coverages offered by most insurers in respect of individual insurance are majorly similar in nature, with the exception of some enhanced covers offered by a few. “Theft of funds is seen as a major exposure for individual cyber insurance policies. Some people have an impression that because of the zero liability concept for the customers of a bank, even this exposure is considered to be close to nil,” it says.
The Insurance Regulatory and Development Authority of India’s (Irdai) working group to study cyber liability insurance has suggested that insurers should offer cyber insurance as a part of package policy such as Householders Package policy. The base version of the policy should be at an affordable premium and then the customers be given an option to choose additional covers. The policy wording must be easy to understand and the claim process must be easy to comprehend and implement and the insurance industry should launch an awareness campaign to educate consumers about their exposures and the insurance protection available to mitigate the losses due to cyber attacks.
Standardisation will impede innovation
The working group has underlied that while standardisation is a very good approach, early standardisation of cyber insurance in its nascence may impede innovation and adaptation to evolving industry needs. It says that standardisation may lead to price-based competition instead of being agile and contextual to client needs.
The panel says that there are certain aspects of cyber insurance that require a consensus and Common Reference Framework to bring about clarity in coverage. For example, some policies contain a provision that coverage is provided to those systems which are provided by the company for exclusive and secure usage for the purpose of its business. “This may deny coverage when employees use their own computers while working from home which is more prevalent now, in the post Covid19 world. Given the compulsion for and encouragement given to employees to work from home, it is necessary to include their own devices, too,” the panel recommends.
Globally, the size of the cyber liability insurance market is quite small as compared with other lines of business. The report says only a small fraction of the cyber losses is currently insured and many companies do not yet appreciate the full magnitude of their cyber exposures and assume that traditional insurance lines would mitigate cyber losses. “Even those industries which realise the scale and extent of their exposures, like the financial institutions, perceive cyber insurance coverage as too narrow or ambiguous to assure them of adequate recovery in the event of a loss,” the report says.
Even insurance companies are treading cautiously and small coverage limits and high deductibles are common in cyber insurance coverage. The aversion on the part of insurers to design cyber insurance plans are due to limited actuarial data, the nature of unpredictable changes in the technology space, the radically changing patterns of use of technology and the terrifying capabilities of the perpetrators.