Importance of cyber liability insurance | Sunday Observer

Importance of cyber liability insurance

10 May, 2021

Many business people mistakenly think their general liability insurance will protect them in the event of a cyber attack. In most cases, it won’t, and the losses can be devastating. That’s why cyber insurance is important.

It’s vital for insurance brokers to understand cyber risk, a complex type of exposure, and convey risks and solutions to clients.

Cyber insurance could potentially cover something as calculated and criminal as ransomware attacking a business, or as simple as individual internet use, online commerce, or even personal data exposure from a lost mobile phone. Cyber insurance policies are critical because they provide coverage specific to cybercrime losses. We in Sri Lanka are not immune to cyber attacks, as seen recently with the .lk cyber attack and the documented attacks on some banks in Sri Lanka due to this phenomenon.

What does cyber liability insurance cover?

Cyber liability

Cyber liability insurance is an important type of insurance designed to specifically cover expenses, business losses, business interruption, and fines and penalties should a data breach happen to a business. 

Cyber liability insurance also protects businesses in the event of a ransomware attack.

It is written to cover losses that other policies will not cover.

Who needs cyber insurance?

The short answer: everyone. Every business that uses electronic communication and/or the internet should protect itself from a potentially terrible event that could be very costly and could harm the business’ brand or reputation.

Cyber risk is real

Almost everyone uses some kind of cyber technology every day. In an era when your four-year-old can navigate your smartphone like a toy, email and texting are prevalent, and businesses conduct activity and transactions online, the cyber world is a bustling mega centre of communication and commerce. For criminals, cyberspace is the land of opportunity.

Businesses now consider the risk of cyber liability losses to exceed the risk of fraud or theft. In this tumultuous environment, your business can take several steps to limit risks, including purchasing cyber liability insurance.

It is only one tool in the overall risk mitigation toolbox. Given that smaller institutions are at a disadvantage when it comes to having the resources to thwart sophisticated attacks, it might also be helpful for smaller banks with limited resources to focus on three control areas that can provide some of the biggest bang for their buck against cyber criminals.

Mind the (insurance) gap

Smart companies are evaluating risks across their enterprises and creating ways to safeguard themselves. These efforts include conducting cyber risk assessment, training employees in best online practices and how to recognise phishing attempts, creating ransomware-attack procedures, and using sophisticated programs to protect their data.

And of course, purchasing cyber attack coverage is very important.

It is against this backdrop that we address the issues that could affect a bank, a financial institution or, for that matter, any business that is functioning in cyberspace.

Cyber insurance provides three important instant benefits.

* Cyber health check

* Financial assistance in the face of attack

* Incident reporting anytime and free incident response within 72 hours.

Cyber health check.

Most cyber insurers require an assessment to help determine the insurance company’s risk in the underwriting process. Think of it like the physical exams that some life insurance policies require. If organisations use a sound assessment methodology that includes real-world adversarial simulations—beyond just paper-based reviews—banks can identify the biggest cyber risks and the gaps they need to prioritise.

Financial assistance 

Like any insurance policy, cyber insurance can provide peace of mind — the kind you get from knowing that the insurance company will cover certain losses.

These could include the costs of ransom payments, paying for customer credit freezes and reports, regulatory fines, legal defence and other costs.

Incident reporting 

Cyber attacks, whether genuine, threatened or aborted, need an instant response team to mitigate and arrest the arising losses. The first incident reporting and the response team’s effort and services of up to 72 hours will be free of cost to the insured.

Cyber security, the evolving risk

Whether it be considering economic impacts and ramifications, supply-chain management, dealing with cyber security risks, enterprise and operational risk management, or business continuity and enterprise resilience, Covid-19 is proving to be one of the most globally significant stress tests of organisational, community and individual resilience ever.

Risk in cyber cycle

* Data breach and incident management coverage (first party)

* Cyber extortion coverage (first party)

* Reputation risk coverage (first party)

* Network security liability coverage (third party)

* Privacy breach liability coverage (third party)

* Confidentiality breach coverage (third party)

* Fraudulent funds (first party)

* Business interruption coverage (first party)

* Failure to supply coverage (third party)

* Media liability coverage (third party)

* Outsourcing coverage (first and third party)

* Privacy breach protection coverage (first party)

* Additional covers - dependent business interruption, and cyber terrorism.

Four major financial institutions’ risk:

Mitigation of cyber risk through an insurance placement can provide meaningful risk transfer protection to banks; this is increasingly important as technology strategy and investment is a top priority for all banks.

* Business disruption due to technology failures or outages (i.e. business interruption, contingent business interruption and systems failure)

* Loss of client or proprietary financial assets (i.e. fraud loss)

* Information/data leak (i.e. privacy liability)

I. “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.” Cisco CEO John Chambers – can an organisation be hacked and not know how it got hacked?

II. Malware, phishing, man-in-the-middle attack, denial-of-service attack, SQL injection, zero-day exploit and DNS tunneling are said to be the common types of cyber attacks?

III. If a bank current or savings account or credit card is hacked and funds lost, will the bank cover the whole loss or are there limits?

The bank will bear the whole cost.

IV.   Which insurance companies are involved in providing cover for cyber risks for the banking system? Are there specialist insurance companies for cyber?

There are many internationally active reinsurance companies available in the market.

V.   Do you have recent examples of attacks on the banking industry, loss suffered and cover provided by Insurers?

Cases on large banks abroad are many. A cyber attack on Union Bank of India last July began after an employee opened an email attachment releasing malware that allowed hackers to steal the State-run bank’s data. The losses were mounting to 171 mn. USD. But slowly the bank could retrieve some amount of the losses.

There are at least three Sri Lankan banks which had to avert cyber attacks recently.

Almost all financial institutions have experienced a cyber attack in one form or another, and the number of attacks is only increasing. Financial firms are 300 times more likely than other institutions to experience such attacks.

Fears of a major cyber attack on banks have been rising since hackers successfully stole nearly $100 million from Bangladesh’s central bank in February 2016. Shortly afterwards, Russian central bank officials disclosed that hackers stole more than $31 million (two billion rubles at the time) from the country’s central bank and commercial banks.

VI.   What can you advise anyone interested in crypto accounts such as Bitcoins? Do such accounts have insurance cover?

Most of the banking regulations haven’t accepted bitcoins yet. But in the event of a cyber attack, the negotiations (ransom payment) usually happen through digital money or cryptocurrency.

VI. Are banks and other financial operators more susceptible to cyber attacks than other manufacturing/commercial/industrial companies, and why are they at a higher level of cyber risk?

Because of the interconnectivity of banks, the spillover effects of cyber attacks are great. In a report published in January 2020, the Federal Reserve Bank of New York claimed that a cyber attack on any of the five most active US banks could affect 38% of the network.

The report also found that cyberattacks on six small banks  with less than $10 billion in assets could threaten the solvency of one of the

VII. What type of insurance policy would you recommend for cyber attack, third party or comprehensive – exactly what risks are covered?

There is no policy called a Third Party or a First Party policy in cyber insurance. A cyber insurance policy usually picks up both kinds of losses. Hence the defence cost, third party liability and business interruption are covered in a cyber insurance policy.

VIII. On what basis are the premiums computed?

These are all annual insurance contracts. Premium is charged on an annual basis.

IX. Is it common for an attack to be handled internally within the bank, or is it more often handed over to a specialist firm to control the event? What process is recommended by you?

Such cases are always handled by the forensic IT specialists.

X. Both the HDFC Bank and SBI in India revealed in their annual reports that they have cyber security policies providing up to $100 mn. in cover, but did not disclose the cost of the premium – is this what banks in Sri Lanka should anticipate and, hypothetically, what would such cover cost in terms of annual premiums?

The current cover for SBI is about 120 mn. USD for this year. The limit of indemnity is high because the kind of data and transaction that they handle is humongous.  

The premium is something that is not advisable to disclose. This would largely depend on the risk exposure of the bank.

For a $10 million insurance policy, the premium could mount up to $2.5 million (approx).

XI. The new post-Covid-19 work environment has moved to working from home – does such off-site work increase the risk of cyber attack resulting from unsecure home networks – and is such off-site work being priced into new policies?

The policy covers all such risks. There are no such exclusions in off-site work scenarios so far.

XII. What is the position of the regulator in terms of insurance for the banking system – is cyber insurance mandatory as in other jurisdictions?

In India it is mandatory. Other countries are looking into it, particularly in the Asian market.

XIII.  In Sri Lanka is there any insurance company that can be regarded as a specialist in cyber risk?

The answer is that there is such specialist expertise in the domestic insurance market.

XIV. What limit of insurance should I get?

Current market benchmarks in SL:

* Corporates with IT-based overseas exposure - $3-5 m

* Banks & FIs - $3-10 m

* Large banks in the region including India - $100–250 m.

The answer is “it depends”. The limits you need to purchase will depend on the number of sensitive records you store, the type of data and the other tools you use to minimise the fallout from a data breach.

It’s essential to really understand the data that you store and the information systems you use to grasp the full picture of what you stand to lose if the breach happens. 

The writer is the Chairman of an insurance broking company.
