Economic activity in the recent past has created abundant opportunities for digital innovation. Aimed at bringing convenience to the end user and operational efficiency to the service provider, technological advancement is bringing in some good news. However, technological advancements go hand in hand with privacy risks, which can have serious repercussions on an organization’s health and reputation and on the economy at large.
Building capacity in cyberspace will need investment to “create” and to “protect”. While the activity of creation is gaining momentum, that of protection needs to catch up. Web-based industries such as banks, financial services, telecom, retail, web-based services and IT are prone to be the primary victims of cyber-attacks in the form of DDoS (distributed denial of service) attacks, malware, data breaches, information loss, phishing, corporate account takeover, ATM attacks, social engineering etc. These events contribute to both direct and indirect financial losses to organizations.
It is imperative for banks and financial institutions to identify these threats in the ever-evolving environment and build a stable ecosystem to drive growth.
Large banks and financial institutions have policies and frameworks to safeguard themselves against cyber threats and create financial reserves to recover quickly after a cyber-attack. It is the smaller banks that need to gear up for such crises. In case of an attack, the existence of smaller outfits may be challenged by the magnitude of the costs incurred to recover from the disruption to the business, reach out to customers and build trust.
Insurance in these situations acts as a financial assistant, providing support for undertaking activities such as data restoration, forensic investigation, extortion/ransom payments, legal costs and much more. Cyber insurance also provides for losses incurred by customers or any third party on account of such an attack.
However, prior to finalizing a cyber insurance policy, every entity must do the following:
- Assess the maturity and effectiveness of the organization’s security framework. It’s best to evaluate the security framework and the compliance framework independently, as both are critical for an organization. (These documents become the basis on which insurance companies evaluate the risk exposure and underwrite the policy.)
- Routinely evaluate the cyber security exposure in detail and gather sufficient expertise about imminent cyber threats. Outsourced network security, third-party networks, partner platforms etc. should be subject to due diligence and monitored regularly for potential threats.
- Assess your institutional capabilities to strengthen the infrastructure against future breaches and the financial backing to handle a crisis. This will assist in selecting suitable sum insured limits.
- Have a clear understanding of the legal frameworks around cyber security in the relevant jurisdiction.
- The external socio-economic environment should not be neglected. In developing countries, cyberspace vulnerabilities are extremely high, due to a lack of experienced resources, low awareness of the threat and an explosion of internet users in a brief span of time.
- Maintain records of past attacks or circumstances of data breach and keep them handy.
Cyber insurance serves only as a risk mitigation tool and doesn’t take away the risk of a security breach. While cyber insurance policies are designed to provide the most effective coverage, certain aspects are outside the scope of coverage, such as misuse of patents, intellectual property infringement, infrastructural failure, trading losses etc.
For smaller institutions, it is advisable to compare policies and evaluate the coverages to suit their requirements. In addition to insurance, these organizations may consider focusing on some good practices, such as restricted access control, an incident response policy and digital inventory management, and undertaking intensive employee training and awareness programs around cyber-attacks.
Considering the recent attacks and the rapid evolution of cyber security, it is indeed an interesting period to witness the development of cyber insurance and the ever-evolving cyber risk nuances.