Only a change in thinking can boost Cyber Insurance

Exploring the reasons behind the stunted growth of India's Cyber Insurance Portfolio

Despite the fact that Cyber Insurance has been offered by 10 Insurance companies for a number of years, everyone thinks that it must be a good size portfolio for India – a large country with a growing economy expecting to reach $5 trillion in the near future. The fact is that it is not so. According to statistics, last year 550  corporate policies worth Rs 350 Crores were sold, which is a negligible amount. We are not talking about a few retail cyber insurance policies. This is a small portfolio because our General Insurance Companies always achieve their yearly targets by focusing on Motor Insurance and Health Insurance,  which gives them near to 70% of the yearly revenue. 

During the extensive research I did, while writing the book “1 Cyber Attack Can Ruin You Forever”, I had the opportunity to meet senior executives of many Corporates, Insurers, Insurance Brokerage firms, Cyber Insurance Consultants and tried to find answers to the question – Why is the Cyber Insurance Portfolio not growing in the country as per our expectations? 

The reasons for the same being: 

1. Excessive focus on Motor /Health (over 70 % ) – so not enough attention was paid by the senior management towards that portfolio. 

2. IT heads sabotage any effort when insurer or Insurance Brokerage firm tries to sell  Cyber Insurance products to the corporate – maybe they have the fear of giving too much data to the insurer for a quote, which might reveal the weaknesses of his department.    

3. Insufficient cyber security in the corporate – it is either little attention is being paid towards it or some find the latest Cyber Security Software to be expensive. 

4. Low cyber score of the corporate – The company may find out for the first time how many times it has been attacked in the last year. As expected, lower score (less than 50) results in a higher premium quote. 

5. Over cautious underwriters handling this portfolio – may be they do not have confidence/experience and are too much dependent on quote from Re-insurers and their job is merely to add some margin and release the quote. 

6. Complicated policy language is repelling the corporates – may be one of the 35 policy languages in use in the world is being used by underwriters by picking up clauses from 2 or 3 wordings, which makes it too confusing and complicated. 

7. Excess clause (deduction clause ) of Rs 25 lakhs to Rs 50 Lakhs in the quote given to the corporates – maybe we in India are too familiar with an excess clause of Rs 2000 to Rs 10000  and find it difficult to digest such high figures. 

8. Lop-sided IT budget allocation, having too much focus on hardware, software, and salaries while neglecting so many other things. While going into depth I  came up with  “Sethi Concept of IT Budget”, which is an important outcome of the book.

This itself is a separate topic that has to be discussed in detail. In short, it conveys that IT Budget should be divided into 9 different subheads inlcuding hardware, software, security etc. (refer to illustration)

The final remark is that for buying Cyber Insurance, corporates should have a team comprising of IT head, Chief Information Security Officer, Insurance Manager (who is not comfortable with details of policy, wording) Lawyer, CFO, and of course, the Chief Executive Officer.

This article is authored by S K Sethi, an author, trainer, and opinion-maker specializing in Insurance.