In India, the sector most vulnerable to cyber-attacks is the BFSI industry. Cyber risks can prove to be extremely long-tailed risks, which simply means having large claim and at a later stage.
Mumbai: As the world continues to battle out unprecedented health and humanitarian crisis, another danger is quietly lurking in our lives in the form of ‘cyber risk’. Countries until late 2019 were busy gathering nuclear arsenal and creating advanced tech devices for deterrence and global dominance. But little did anyone imagine how a virus could shake up the world and change the way people conduct their lives. Currently, almost 70% of the world is under lock-down, and virus spread has pushed us to our devices for everything, including work, play and connecting with people. This dependency on the internet has opened doors for cyber-criminals and increased users’ risks.
Let us take a look at some insurance-based solutions to mitigate the cybersecurity risks
Current Scenario: World and the Indian view
- WHO report suggests that there has been a spike of cyber-attacks in 2020 compared to last year. During the lock-down period, cyber-attacks have increased by a staggering 457%.
- Checkpoint USA confirmed that it is currently monitoring/ investigating almost 1.92 lakh cyber-attack cases directly related to COVID-19.
- A report from Deloitte suggested that roughly 32% of the corporate data has been breached during the lock-down.
- Europol confirms a huge spike in attacks on digital framework across Europe. Italy is the most affected.
- The Guardian reported that Easyjet airline has revealed that a recent cyber-attack exposed 9 million customer details. Credit card details of about 2200 passengers were also stolen.
- India is not spared too and according to the recent Reuters report, there has been a staggering 86% increase in cyber attacks in the four weeks between March and April ’20. The attacks are specifically targeted towards the wallets and personal data of private citizens. The increase in attacks is due to the rise in people working remotely.
- Recently there was a major data breach related to the users of the Truecaller app. The data was put up for sale on the dark web for a price tag of Rs 75,000/-. While investigations are on, the breach has put 4.75 cr Indians at risks of being flooded with spam messages, fraudulent links, scams and identity theft.
- A few weeks ago cyber-crime department had filed a complaint against an unknown cyber-criminal who tried to auction the world’s tallest statue the “Statue of Unity” for more than $4 billion. The proceeds from the sale were to be given to the Gujarat govt. to fight the pandemic.
Possible modes of attacks
In India, the sector most vulnerable to cyber-attacks is the BFSI industry. Let us examine the type of cyber-attacks which both the corporate world and individuals are likely to come across.
Fraud COVID Portals: India’s National Security Cyber Security Co-ordinator ( NSCSC) Lt. Gen Rajesh Pant has confirmed to ET that cyber-criminals have created thousands of fraud portals related to the coronavirus. These sites lure thousands of Indians eager to contribute to the fight against coronavirus into making donations. Many of these phony sites are quite sophisticated, virtually indistinguishable from their genuine counterparts. Chief among them is the PM-CARES coronavirus fund. At least half-a-dozen fake sites have emerged fleecing thousands of rupees from Indians eager to make donations. At least 8000 complaints have been received by Home Ministry from India and abroad as people had been duped into giving money to the fake versions of the govt. flagship fund.
Coronavirus Malware: While India has remained the top 5 most targeted countries in the world since the last few years, the attacks have only moved northwards during the pandemic. The so-called “Coronavirus Malware” is aimed at stealing bank account details, password and other sensitive information from the users. India’s historic lock-down has also led to increase in cyber-crime beyond just opportunistic attacks against private individuals.
Phishing Emails: Phishing is the most common and popular method form cyber-attack. The phishing e-mail is sent to an employee’s mail id which has a link attached which could be related to any of the recent happenings around the world. Once the user takes the bait, a certain malware is sneaked in with the intent of stealing important data or information about the company or an individual.
Island Hopping: This technique has gained tremendous traction in recent times due to its complexity and sophistication. Here the cyber criminals do not attack their prime target directly but rather use the vendor companies or the smaller companies associated with the bigger parent company. The reason for this is simple as the smaller companies have less secure servers they get easily infiltrated. Then the compromised servers are used to send malware to the target company. In late 2013, the eighth-largest retailer in the United States, Target Corporation suffered a massive data breach when its Point of Sale system was owned — payment information of 40 million customers was stolen. And this breach cost Target nearly about $300 million.
Advanced Persistent Threats: The method is considered to be a state sponsored one and it is one of the most difficult to detect as it is very discreetly embedded in the servers of the victim company. An advanced persistent threat is an attack in which an unauthorized user gains access to a system or network and remains there for an extended period of time without being detected. Advanced persistent threats are particularly dangerous for enterprises, as hackers have ongoing access to sensitive company data. Advanced persistent threats generally do not cause damage to company networks or local machines. Instead, the goal of advanced persistent threats is most often data theft. Our Neighboring country has also introduced a threat by the name of APT 36 which has been used for consistently attack Indian companies and cause possible major data breaches.
Insurance solutions for cyber attacks
According to an IBM report. it takes at least 7 months to identify a breach and during the times of the unprecedented pandemic the attacks are highest and detection is lowest. Let us understand cyber risks exposure from an insurance perspective and some of the probable solutions the market has to offer to the individuals and corporates.
Cyber risks can prove to be extremely long-tailed risks, which simply means having large claim and at a later stage. Meanwhile insurers are constantly trying to improve their offerings so as to provide a robust coverage to their prospective clients along with protecting their own solvencies.
Some of the scenarios which are being observed currently are:
- Across the globe approx. 51% of companies saw a surge in cyber-attacks in 2019 and that percentage is at an all-time high due to the pandemic.
- Business Continuity Process (BCP) is now extremely relevant, it is to be noted that only 29% of the companies had done BCP before the COVID outbreak.
- Solution based insurance policies are the need of the hour. Insurers are now working towards a comprehensive end-to end solution for cyber risk exposures.
- DATA LOSS PREVENTION solution is surely in the works now.
- Personal Data Protection Act is likely in the near future.
Current cyber insurance solutions in India
Some of the most common covers for an individual risks are listed as below:
- Identity Theft: Fraudsters stealing one’s personal data like banking information, confidential passwords, signature and commit cyber-crimes for their own personal gains.
- Social Media Identity Theft : Fraudsters taking over social media profiles for a fraudulent purpose , or blackmailing the victim by hacking one’s social media profile
- IT Theft: Fraudsters hacking into users’ computer systems to either steal money or data through unauthorized control or access via hacking or viruses.
- Cyber Stalking : Online harassment and stalking are done by repeated use of electronic communication through the internet, i.e., e-mails, instant messages or website entries to malign reputation. It generally refers to a pattern of threatening or malicious behaviors on the social platform.
- Malware Attack: Here, the user system is attacked and damaged by hackers through specially designed malware like Trojan Horse. Malicious software is developed with the intent of stealing or deleting the data from the system which has been hacked in.
- Phishing: This is the most common form of cyber-attack, in which fraudsters gain access to sensitive information by disguising their fraud website, SMS, call or mail from a legitimate organization (bank or e-commerce) to offer prize and other incentives.
- Email Spoofing: It is a forgery done by fabricated emails sent from a source other than a legitimate one to steal personal data.
Finally, the covers offered for risks
- Financial losses incurred due to IT theft, phishing, and email- spoofing.
- Financial losses from fraudulent online transactions via internet banking, e-wallet.
- Defense costs as a result of any claim filed by the insured.
- Expenses from reputational liability, including claims alleging defamation.
- Costs related to cyber extortion loss, transportation, and photocopying of documents court summons.
- Legal Fee for claiming damage fee or prosecution cost against third party.
- Legal expenses of criminal prosecution in case of cyber harassment, stalking or malware attacks.
- Technical expenses & consulting fees incurred for hiring experts to calculate amount & extent of losses during malware attack.
- Mental health expenses incurred for medical consultation by the insured to treat stress or anxiety.