Cyber Security and Its Importance For the BFSI sector
Cyber risk is often specific to each industry: the risks faced by a manufacturing company differ from those faced by a bank, an insurance company or a retailer, depending on what can be lost or compromised.
As every entrepreneur understands, risk is an unavoidable part of running a business. In a competitive environment, an entrepreneur or promoter growing a business cannot afford to ignore the possibility of a risk event occurring and damaging its prospects.
While technology enables business and makes processes more efficient and cost effective, the additional layer of risk that has emerged over the past decade is cyber risk. Whether IT is used only for support functions such as finance and accounting, R&D or supply chain management, or for core business processes such as manufacturing, the ever increasing adoption of IT has brought with it risks of its own: an organization may lose data, money or securities, or may suffer a business interruption that results in lost revenue and profit.
Cyber risks vary with industry
Beyond the differences between industries, the location or geography in which an organization operates largely determines how much legal compliance matters in the collection, storage, use, disposal and erasure of private information. Such obligations are comparatively light in some jurisdictions (many Asian and African countries) and very stringent in others (the GDPR in Europe, and comparable data protection regulations in the US and UK).
Within the same industry, cyber risk also varies with the specific services provided or consumed, the cyber security infrastructure the organization has invested in (and the security gaps that remain), and the organization's risk philosophy (which sometimes rests on a false sense of security).
Where do insurance companies and the wider BFSI sector stand on cyber security and risk management?
Each of these organizations, whether a bank, an insurance company, a non-banking finance company or a micro lending institution, deals with millions of customers across a large territory. They hold, in their possession and care, the private information of each customer, including identity information such as PAN or Aadhaar, bank account details, addresses and dates of birth. The question is often asked: "what is the big deal if that data is compromised or stolen?" Past incidents in India show what can happen to such organizations: the theft of millions of customers' credit and debit card data a few years ago, the compromise of the Aadhaar data of crores of Indians, and the recent theft of private health information from a diagnostic lab chain. Even today, such incidents do not seem so alarming in India, because tough regulations are absent and the legal and judicial framework gives the issue little weight.
Everyone is bracing for the arrival of the personal data protection bill, which is expected to be passed by Parliament and to become law sometime in 2021. If that happens, India will have a law with teeth which, if enforced, can make every organization responsible and accountable for preserving and securing the private data of individual citizens. With a law that closely mirrors the European GDPR, it is incumbent upon insurance companies and other BFSI players to show due care in how they collect, process, use, preserve and dispose of citizens' data, to demonstrate a high level of compliance, and to be prepared for heavy fines if something goes wrong.
Around the world, health insurers, banks, card processors and credit rating and monitoring companies have been the victims of vicious cyberattacks, and in developed economies they have incurred hundreds of millions of dollars in upfront costs and, in some cases, fines and penalties paid to regulators and governments.
Incidents in 2020 have many lessons to teach
During the pandemic, the emphasis on cyber risk and security went up by many notches, driven by the higher risk created by work-from-home arrangements across the world: the challenge of providing cyber risk protection in this new way of working, managing the IT security of home network environments, and keeping operating systems and applications patched. Throughout the lockdown and unlock cycles around the world, banks and health care organizations were at the top of the chart for cyberattacks in general and ransomware incidents in particular.
In those incidents we saw reputed companies that still had hundreds of computers running outdated legacy operating systems and applications with no vendor support or patch updates, leaving them sitting ducks when an attack came. They also carried major vendor-related risks that were never captured in their cyber risk assessments, and had not realized how those risks could threaten their business.
On the positive side, this brought cyber risk into corporate corridors and board rooms. Cyber insurance also became a familiar topic as corporates reviewed their enterprise risk management, prompting insurance companies, banks and other B2C financial service firms to buy cyber insurance protection for the first time, and prompting those who already had it to increase the sum insured.
How does insurance help in cyber risk management?
The two questions any company's board is likely to ask the CEO or CFO are: were you aware that cyber risk is insurable, and if so, have you bought cyber insurance for our company? With a well-designed cyber insurance policy in place, the head of an organization can face an incident with confidence and some degree of clarity, for several reasons. First, the policy itself is a financial fallback. Second, as is common around the world, the underwriter typically offers policyholders advisory support at no extra cost: experienced cyber incident handling consultants, forensic investigators, law firms equipped to handle cyber risk compliance and governance issues, security firms that advise on ransomware situations, and brand management and public relations consultants who advise on brand protection. Third, cyber insurance is the only tool that can compensate or indemnify the organization for upfront first-party costs (sometimes running to millions of rupees or dollars), for large third-party liability exposure (imagine a class action suit filed by thousands of retail customers), or for a heavy fine imposed by a data protection authority.
While it is true that the risk is here and staring us in the face as business owners, the good news is that insurance is available. Although the event itself cannot be prevented, its deep financial impact on the organization can be mitigated to a great extent with cyber insurance.