In the ever-evolving digital realm, India's cyber insurance market has emerged as a domain of strategic importance and robust growth. Cyber awareness rose significantly after the pandemic, compelling companies, businesses and individuals to rely heavily on digital solutions for daily operations. It also led to increased incidences of cybercrimes, targeting vulnerable groups.
While every industry and sector saw a rise in such attacks, 2022 saw targeted attacks on the government sector. India, the US, Indonesia, and China reported about 40% of the total reported incidents in the government worldwide - a 38% rise in 2022 over 2021. According to the Computer Emergency Response Team of India (CERT-IN), India's national agency to deal with cyber security, the country witnessed 1.39 Mn cybersecurity incidents in 2022. The rising incidences of cyber-attacks and crimes on businesses and organisations indicate a dire need for large-scale adoption of cyber insurance.
According to a Deloitte market report, India’s cyber insurance market is currently valued at $50-60 Mn, poised to grow at a staggering compound annual growth rate (CAGR) of 27-30% in the next 3-5 years. Globally, the size of the cyber insurance market was over $12 Bn in 2022. Over the next seven years, the market will grow at a CAGR of ~26% to over $63 Bn in 2029. This reflects the sector's increasing significance in the burgeoning digital economy. But what are the factors leading to this sector's ascendance?
Market Dynamics and Insights: A Deep Dive
The Deloitte report provides insights into India's cyber insurance market dynamics. It highlights a noticeable trend among Chief Information Security Officers (CISOs) towards enhancing their cyber insurance coverage. This trend suggests a paradigm shift in the perception of cyber insurance, recognising it as an integral component of strategic risk management in an era characterised by rapid digital transformation and escalating cyber threats.
As more and more businesses go down the digitisation path, gathering massive amounts of customer data to scale their business, they are also opening themselves to vulnerabilities. The consequences of cyber attacks on small businesses can be devastating, leading to reputational damages, financial losses and even permanent shutdowns. The increasing complexity and frequency of cyber threats have made it mandatory to have cyber insurance, alongside robust cybersecurity measures, for a comprehensive risk management strategy. For instance, under the Digital Personal Data Protection (DPDP) Act 2023, personal data breaches can attract fines of up to INR 250 Cr, enough to shut down small businesses.
Since SMEs typically do not have extensive cybersecurity infrastructure, cyber insurance acts as a lifeline, covering expenses like legal fees, data restoration, and customer notifications. These policies protect financially against losses from cyber incidents such as data breaches or ransomware attacks. Moreover, these policies often include support for cyber incident response and offer access to expert guidance and services, which is vital in minimising the impact of a cyber incident on SME operations and reputation.
The evolving perception showcases cyber insurance not just as a financial safeguard but as an essential element of proactive risk management, integral to ensuring business continuity and resilience in the face of digital adversities.
According to a report by a Working Group (WG) to Study Cyber Liability Insurance by IRDAI, India’s insurance regulator, losses normally covered under cyber insurance can be divided into 4 categories:
- First Party Losses: This includes direct financial loss, data recovery, business interruption cover, and mitigation costs cover
- Regulatory Actions: The costs of regulatory actions and investigations, civil fines and penalties, and defense costs
- Crisis Management Costs: This includes forensic expert cover, security consultation, reputation damage cover, legal costs cover, notification, coordination with service providers, strategy etc., credit and identity theft monitoring cover, cyber extortion/ransomware cover, operation of a 24x7 hotline, cyber stalking, counseling, information removal, and pursuing action
- Liability Claims: Legal liability/damages directly arising from privacy or data/security breach, defamation, intellectual property right (IPR) infringement and defense costs
SMEs can implement measures such as educating employees about cyber attacks, deploying antivirus and firewalls, adopting a comprehensive cybersecurity policy and hiring specialised third-party providers. As organisations face increasing scrutiny over data protection, coupled with compliance with the DPDP Act, they are motivated to be proactive and responsible to minimise data breaches.
However, in these dynamic scenarios, challenges persist. Sellers are grappling with higher payouts due to rising claims, impacting premiums and leading buyers to reevaluate the value derived from their cyber insurance purchases. Additionally, variations in policy features, coverage, premiums, and terms and conditions contribute to a gap in understanding among buyers and challenge sellers in accurately assessing risk exposure. This complexity underscores the need for greater clarity and standardisation in the cyber insurance market to better serve buyers and sellers in this rapidly advancing digital age.
Addressing Market Disparities: The Need for Customized Solutions
The Indian cyber insurance sector, despite its burgeoning growth, is encountering systemic challenges, particularly in harmonising insurance premiums with the corresponding coverage scope. This mismatch, acutely observable in the consumer segment, points towards a market inefficiency that necessitates more bespoke cyber insurance solutions.
Formulating customised policies tailored to the unique risk profiles and requirements of different industry verticals is imperative. Such an approach would not only ensure extensive coverage but also enhance the efficacy of risk management strategies. This evolution indicates the sector's progressive adaptation to intricate and evolving digital risks.
For cyber insurance providers, it's crucial to develop and offer policies that are both comprehensive and clear, spanning various types of cyber incidents. It requires a commitment to transparency in the stipulation of policy terms and conditions and robust cyber incident response support provisions. There is a growing need for SMEs to assess their specific risk exposures critically and selectively opt for policies that align with their unique business requirements, paying close attention to coverage limitations, deductibles, and exclusions.
Legal Foundations & Govt. Support: Safeguarding the Digital Realm
A digitally forward central government and supportive policy framework is key for keeping the digital frontiers safe while laying the groundwork for a thriving cyber insurance sector. The implementation of the proposed Digital India Act 2023 is going to be a game changer. A forward-looking legal framework, the act harmonises and consolidates digital laws and regulations, including the DPDP Act, National Data Governance Policy and Indian Penal Code amendments for cybercrime. The proposed act will address the following tenets of Digital India:
- Open Internet
- Online safety and trust
- Accountability and quality of service
- Adjudicatory mechanism
- New technologies
The Act will comprise issues like consumer protection, electronic contracts, digital signatures, online dispute resolution, and liability of intermediaries and cover emerging technologies like Artificial Intelligence, Internet of Things (IoT), blockchain and others. The Act's Global Standard Cyber Laws component will act as a catalyst and enabler for India's $1 Tr digital economy goal.
The Government of India has also implemented other strategic initiatives in the realm of cybersecurity, such as the establishment of the Indian Cyber Crime Coordination Centre (I4C), the National Critical Information Infrastructure Protection Centre (NCIIPC), and the Cyber Swachhta Kendra, - pivotal in bolstering of the nation's cybersecurity infrastructure. Here’s a deep dive into the above initiatives:
- I4C: Launched in 2018 under the Ministry of Home Affairs, the I4C enables citizens to tackle issues related to cybersecurity in a streamlined manner by improving coordination between Law Enforcement Agencies and stakeholders.
- NCIIPC: Ensures digital safety and cybersecurity by protecting Critical Information Infrastructures (CIIs) from “unauthorised access, modification, use, disclosure, disruption, incapacitation or distraction”.
- Cyber Swacchta Kendra: An initiative providing free botnet detection and removal tools to clean and secure affected systems.
These initiatives, coupled with regular cyber security drills and exercises, not only seek to elevate India's cybersecurity readiness but also indirectly support the cyber insurance market by improving the overall security posture of businesses and organisations nationwide.
Conclusion: Envisioning a Resilient Future in Cyber Insurance
Currently, India is among the top three global economies in terms of digital consumers (850 Mn Internet users). With a strong foundation of digital infrastructure and rapidly expanding digital access and outreach, India is on its way to becoming a trillion-dollar digital economy by 2025-26 in alignment with the Aatmanirbhar Bharat Initiative. This drives a more urgent need for building capacity and structuring policies to support the development of cyber insurance in India.
IRDAI, the insurance regulator in India, released a product structure for cyber insurance in 2021, setting the tone for the insurance providers and consumers in a post-COVID-19 world.
As cyber threat actors adopt new technologies faster and exploit them to their benefit, cyber insurers are resorting to new technologies and reinventing their capabilities to respond to the latest developments. Advancements in Artificial Intelligence, machine learning, big data, robotics, blockchain, augmented and virtual reality, IoT are expected to reshape the insurance industry and help reach the untapped audiences in a more digital-forward and streamlined way.
The rapidly growing digital economy presents significant opportunities for cyber insurance providers to expand their market and gain a competitive edge in a fast-expanding insurance market segment. As companies in nearly every sector, including IT, pharma, supply chain, startups, manufacturing, banks, non-banks, health, and retail, continue to digitise their workflow, they are increasingly investing in products and services for better cyber-risk management, further enabling the steady growth of cyber insurance sector in India.
The implementation of the Digital Personal Data Protection (DPDP) Act 2023 will push organisations to proactively address cyber risks and threats for enhanced digital data protection. The DPDP Act underscores the nation’s focus towards building a strong data policy regime, significantly impacting the majority of organisational areas, including IT, human resources, legal, procurement, sales and marketing, and more. Under the DPDP Act, organisations in these sectors and related sectors must develop and implement a data privacy and protection program to comply with the provisions.
The Working Group (WG) to Study Cyber Liability Insurance by IRDAI recommends simplification of policy wordings and claim process for easy understanding and implementation to popularise cyber insurance adoption. It also suggests offering a base version of the policy at an affordable premium and then give the customer an option to choose additional covers. The report also recommends that the insurance industry should launch awareness campaign to educate consumers about their exposures and the insurance protection available to mitigate the losses. As India’s cyber insurance market matures, it is set for significant evolution and increased sophistication. With robust legal and governmental support, the sector is expected to align with global best practices and technological advancements, playing a crucial role in strengthening our digital economy. With deepening digitalisation and market penetration, demand for cyber insurance is poised to surge. Integrating emerging technologies like Generative AI and machine learning in underwriting processes and providing comprehensive risk management solutions will likely become more prevalent. Additionally, the trend towards offering comprehensive risk management solutions is expected to gain momentum, further enhancing the resilience and efficacy of the cyber insurance landscape in India.