Interviews

Bridging the Cyber Protection Gap: The Evolving Cyber Insurance Landscape

CXOToday has engaged in an exclusive interview with Ritesh Thosani, Senior Vice President, Cyber Practice Leader, Marsh India

 

  1. The cyber insurance market hit USD 14 billion in 2023 and is set to double by 2027, yet a major protection gap persists. What are the key reasons for this gap?

The cyber insurance market is experiencing phenomenal growth, hitting $14 billion in 2023 and on track to double by 2027. As our recent report, “Closing the Cyber Risk Protection Gap,” highlights this issue and this gap exists for several key reasons.

  • The nature of cyber risk is such that it is not easy to measure and assess due to its highly dynamic nature. While in traditional risks there is always an historical data available to assess the risk, in cyber threats the risks are dynamic and changing all the time. This is further complicated by the interconnected nature of our digital world, and this increases potential for catastrophic events that are hard to simulate and thus price. This uncertainty plays a role in a low tolerance to risks by some of these insurers especially in regard to these large-scale events
  • Often, companies consider cyber insurance as an additional burden if they are already taking required initiatives to protect digital infrastructure. Additionally, purchasing insurance demotivates companies to invest on strengthening their cybersecurity infrastructure.
  • Cybersecurity infrastructure is prone to attacks. Therefore, reinsurers are reluctant to support a yet-to-mature infrastructure in India. Besides, global dynamics of cyber risk insurance markets also affect Indian counterparts as most cyber risk insurance programmes in India are governed by treaty reinsurance guidelines agreed between Indian insurers and their respective global treaty reinsurers. With the rising ransomware and social engineering fraud-related claims, global reinsurers are continuing with a tough underwriting approach and closely monitoring loss ratios in India. These impact risk selections and insurance pricing, driving up reinsurance renewal rates and strengthening annual terms and conditions for cyber insurance sellers

To close this gap through the concerted efforts of all the stakeholders, insurers are working on improving the existing risk models and to come up with more specific solutions. Along with,  standardized frameworks, increased transparency, and a collective effort to understand and mitigate these evolving risks are crucial, along with simplifying and streamlining the process of buying cyber insurance.

 

  1. How do you see the evolution of cyber resilience for small businesses operating in India’s rapidly digitizing economy?

The consequences of cyber-attacks particularly on small businesses can be damaging, leading to reputational and financial losses, and even permanent shutdowns.

Small businesses should:

  • Understanding the threat landscape, should be the first step for SME owners. Cybercriminals resort to phishing emails, ransomware attacks, and data breaches, resulting in financial losses, reputation damage, and even business closure in certain cases.
  • One of the most common reasons for cyberattacks across industries caused by unsuspecting employees. Therefore, SMEs should take initiatives and introduce various learning programmes to increase cybersecurity awareness among their workforce.
  • Artificial intelligence has proven to be groundbreaking when it comes to cyber security. Historically, the cybersecurity community has been one of the pioneers in using AI and machine learning. There are many AI tools and solutions in the market, which can help in defending against cyber attacks
  • Data loss can lead to massive losses for SMEs, especially during ransomware attacks or hardware failures. Regular data backups are critical to ensure a business quickly recovers from such incidents. Hence, backups should be stored securely, preferably offsite or in the cloud. Recovery procedures should also be tested regularly to verify their effectiveness and make any necessary adjustments. Along with considering risk transfer solution like cyber insurance to effectively manage cyber risk.

 

  1. How can small businesses in India evaluate the right cyber insurance policies for their business & employee needs?

Choosing the right cyber insurance policy can feel overwhelming for any small business owner, but it’s a critical step in today’s digital landscape. A simplified approach can help them navigate this process effectively.

  • It’s imperative to employ risk analysis as the baseline before thinking of insurance. Do not simply invest in insurance; know what risks are relevant to the operations of your business. What information do you keep? What are the critical processes? What can threaten your business the most? This assessment assist in identifying some of the aspects that should be protected.
  • Selecting coverage that will provide enough protection for your exposures to risk. What this means is that it is not a one size fits all approach when it comes to cyber insurance. It is essential to note that most of the policies available in the market are generic hence they may not capture all the risks peculiar to your industry or business model. Seek out insurers who offer tailored solutions for small businesses, considering factors like your size, revenue, and data sensitivity.
  • One should also look at the policy more closely in relation to the coverage extent and the policy’s exclusions. Seek for protection for occurrences such as data loss, hacking, cyber blackmail, loss of business, and legal liability due to cyber related occurrences. Also, consider employee-related risks. It is also important to find policies that address social engineering attacks, phishing scams, and other cases that originate from the employees’ mistakes. Lastly work with your risk brokers to curate a customized cyber insurance program as per your business requirements

 

  1. What challenges does the Indian cyber insurance market face when it comes to scaling and meeting demand?

The Indian cyber insurance sector has a great growth potential; however, it faces systematic challenges particularly in harmonising insurance premium with the corresponding coverage scope. This mismatch, acutely observable in the consumer segment, points towards a market inefficiency that necessitates more bespoke cyber insurance solutions.

Cyber risks are dynamic in nature and hence there is a need for innovative and affordable products, which makes it mandatory for insurers to have cybersecurity skills. These are some of the challenges which can only be solved through collective efforts. The government can increase the awareness of data sharing and the insurers can design their products for the SMEs and invest in expertise. In this way, all stakeholders can realize the possibilities of cyber insurance and support the development of the safe India’s digital economy.

While premiums remain high, Indian has quite low rate online when compared to the global market. Bigger challenges like underwriting constraints, capacity crunch, etc. mostly emanating from RI dictates make scaling difficult. Budgeting for cyber insurance is still a big challenge and often takes a back seat when balancing between spending on cybersecurity or insurance.

 

  1. How can public sector and the insurance industry come together to develop a comprehensive cyber protection framework?

With solid collaboration between the public sector and the insurance industry, a strong cyber protection framework will be possible for India. First and foremost, there needs to be a mutual vision on cybersecurity, whereby both sectors agree on common priorities and desired outcomes. The safe exchange of data with regard to threat intelligence will be enabled, hence allowing insurers proper risk assessment and the ability to develop efficient policy products.

Tax benefits can be used to incentivize firms to improve their cybersecurity posture, therefore making their risk more insurable. Together with the insurance sector, awareness can effectively communicate the need for cybersecurity and cyber insurance among businesses.

Investment in research and development-including emerging cyber risks and innovative insurance solutions-can be a differentiator in keeping ahead of the game. Supportive governmental regulation will lead to a healthy cyber insurance market, benefiting both businesses and the nation at large. By doing so, this collaboration will help improve the overall cybersecurity posture of India and give businesses the confidence to function in the digital world.

Regulatory impetus can bring a lot of change in this space. More initiatives like making cyber insurance compulsory for listed organizations or organizations over certain revenue threshold could be a game changer.

 

  1. XX% of SMBs in Tier 1 cities are more aware of cyber insurance compared to XX% in Tier 2 & 3 cities of India

50-60% in tier-1 and less than 10% in tier 2&3

 

  1. What are challenges that stops Indian SMBs from investing in cyber protection?

One of the major reasons for SMEs to not invest in robust cyber security is budget constraints, along with the cumbersome process of buying cyber insurance. It is crucial for small businesses to prioritise cybersecurity to protect their operations. A ransomware attack can have severe consequences on small businesses including financial loss, disruption of services, and damage to the brand image.