By Sujit Bhar
India has grown used to cyber fraud and malicious cyber attacks. Considering the lax security environment around web-based payment systems, bank transactions and interpersonal web-based deals, the situation is hardly surprising, but when the portal of a leading organisation such as the All India Institute of Medical Sciences (AIIMS) is attacked, paralysing its servers, red flags come up across every cyber channel.
When cyber crime is limited to petty theft—such as hoodwinking unsuspecting customers into relaying specific OTPs for payments—there is sense in creating a police force to keep watch. India has a cyber cell in each city police station. However, when a major attack, such as the one on AIIMS, happens, it is clear that more needs to be done on the administrative front by all government agencies assigned to protect individual privacy and property. A case of extortion and cyber terrorism was registered by the Intelligence Fusion and Strategic Operations (IFSO) unit of the Delhi Police on November 25 in the AIIMS case, and the outcome remains unclear. Rumours say there have been Chinese hackers involved, but no significant data security announcements have been made thereafter.
The bigger issue aligned with that is insurance. There is insurance against cyber theft in India, and even individuals can insure themselves against cyber theft. Basically, cyber insurance is a contract between the insurer and a company to protect against any losses due to a network-based event. That means if you and/or your business suffer a loss in a cyber attack, this insurance will cover the costs resulting from that security breach. What you can claim are the expenses and legal costs associated with cyber breaches, which may involve hacking of systems, data theft, and loss of important information in an organisation. How you attach physical value to the data lost is another matter.
This, essentially, translates in real life to an insurance that pays for the wallet and its supposed contents if a pickpocket gets it. You may also claim all the cost that you incur in going through the legalities in reclaiming from authorities your ID cards, etc.
Cyber insurance covers first-party and third-party liabilities arising directly from a cyber security breach. As said earlier, it covers expenses arising due to data breaches, cyber-attacks, human error, business disruption, and electronic media claims. And, of course, emergency response costs, event management costs, notification costs, business loss, and recovery costs.
That is a lot you can get back. Of course, you have to prove that you had your gates locked and the alarms were on too. Translation: You should have had a legal anti-virus loaded in your system, and no pirated software was used.
The Big Worry
Insurers in India have added flavours to their schemes. Plans are customised, based on industry-specific requirements and also company-specific requirements. One could get into the details of the broad canvas here, but before that one needs to address the major worrying news emanating from beyond our borders. The worrying news is that, in the face of increasing cyber attacks and losses, insurers abroad—especially in Europe—are taking a position whereby they are refusing to insure cyber attack-related losses.
This wave has not come over to India yet, but with major re-insurers being mostly based abroad, the ripples can easily reach Indian shores and Indian insurers.
Recently, a Financial Times report has quoted the chief executive of one of Europe’s biggest insurance companies as saying that cyber attacks, rather than natural catastrophes, will become “uninsurable”.
Insurance has become a difficult business nowadays, with humongous payouts related to pandemics and climate change. While the Covid-19 pandemic may have been a once-in-a-century event, climate change related damage instances, including growing cases of climate refugees, are costing the insurers an arm and a leg. The earlier force majeure clause of Act of God is being circumvented with the increasing frequency of such climate disasters. It has been stated that for “the second year in-a-row, natural catastrophe-related claims are expected to top $100 billion.”
Insurers say that even that can be adjusted within the bottom line of the companies’ balance sheets, but cyber attacks cannot. The Financial Times has quoted Mario Greco, chief executive of insurer Zurich, as saying: “What will become uninsurable is going to be cyber. What if someone takes control of vital parts of our infrastructure, the consequences of that?”
Quite like the attack on AIIMS, other hospitals around the world have been attacked, pipelines have been shut down and even government departments have been targeted. Cyber terrorism is an aphorism today that is being taken very seriously, not just by Hollywood disaster movie makers.
The bigger picture becomes clear when Greco says: “First off, there must be a perception that this is not just data… this is about civilisation. These people can severely disrupt our lives.”
Burnt by many recent cyber losses, the insurers have initiated measures through which underwriters limit their exposure to certain sectors, apart from insurers pushing up prices for policies. Then there have been cases in which some insurers are tweaking policies to make clients retain more losses.
Prohibitive cost; Apportioning blame
Considering the moderate size and scope of Indian companies (compared to international behemoths) and Indian government enterprises/departments, such drastic insurance policy changes may become so prohibitively expensive that insurance itself will become impossible, especially in sectors where public policy entails involvement of the poor. At the same time, cyber attacks are not a seasonal occurrence. Their frequency and scope will only grow, sometimes at exponential rates.
Already, in the West, exceptions are being written into policies for certain types of attacks. The Financial Times report says that “…in 2019, Zurich initially denied a $100mn claim from food company Mondelez, arising from the NotPetya attack, on the basis that the policy excluded a ‘warlike action’. The two sides later settled.”
Then, Lloyd’s of London (one of the biggest reinsurers that Indian companies often depend upon) “defended a move to limit systemic risk from cyber attacks by requesting that insurance policies written in the market have an exemption for state-backed attacks.” That is a difficult ask. When a cyber attack happens, there is little or no way of finding out who was behind it—as in the attack on AIIMS. Hence such an exemption becomes “legally fraught”. International legal settlements, especially considering the lethargic way the Indian justice system works, will be a Himalayan task, if not impossible.
The situation becomes critical. According to insurance companies, however big they are, there is only that much that a private company can absorb. In effect, the entire insurance system could collapse if governments force them into absorbing systemic risks. Controlling such systemic risks, the companies believe, is basically a governmental task. And they aren’t too far off the mark in assuming this.
The possible outcomes
The possible outcomes are not happy ones. The first could be that insurers stubbornly refuse to insure such risks. The second is a situation where governments force companies to take up the risk, resulting in a collapse of the entire insurance system over time. The third may see almost prohibitive insurance prices that companies and governments can ill afford, and the final chapter is that of companies shying away from buying such insurance, in which case there could be a collapse of security of company data and a complete loss of confidence of these companies in the market.
According to the Financial Times report, Greco offers a solution of sorts, in which he invites governments to “set up private-public schemes to handle systemic cyber risks that can’t be quantified, similar to those that exist in some jurisdictions for earthquakes or terror attacks.”
That idea itself has holes in it. One understands the Japanese government partly underwriting or making tax adjustments for earthquake insurance payments, because it is an earthquake prone area. The saving grace is that not only are all parts of Japan not earthquake prone zones, but insurers have international business interests, and their international exposures often hedge Japanese risks.
However, in cyber terror insurance, there is no country or zone immune to it. It is not possible to declare all of humanity as cyber terror prone. Economically, that could be like planning for the end of days. Also, when cyber terrorists realise that there is an insurance policy out against their attacks, the terrorist organisation could even find ways to benefit from this arrangement.
Considering the financial situation of India—with a sizeable number of its citizens living in sub-Saharan-like conditions—such expenses will just be the last nail in the coffin. The government is bent on moving cash out of circulation, but has paid little heed to the security aspect of web-based transactions and insurance for them. A series of major cyber terror attacks on critical systems and structures in India could have a crippling effect.
It is time for bright minds to get together to find a mid-path solution. And fast.
—The author writes on legal, economic and corporate issues, apart from social commentary. He is Executive Editor at India Legal