Thousands of cybercrimes plague the country every year. Yet, not a single Indian insurance company offers a comprehensive anti-cybercrime policy for the corporate sector.
HDFC Ergo General Insurance, for instance, offers a standalone cybercrime insurance cover. The product is only for banks and financial institutions, and the premium ranges from Rs 1 crore to Rs 2 crore (Rs 10-20 million).
The company does not offer the product to the IT and IT-enabled services (ITeS) and retail sectors that are highly prone to cyber risks.
"In India there are few takers for cybercrime insurance primarily because of the high cost vis-a-vis their exposure. These policies are of a high value and, on request from a few brokers, are customised for banks. We sell one or two policies a year," an HDFC Ergo official explained.
He added that the insurer was, however, seeing an increased interest in these products because online banking has just caught on.
Internationally, the sum insured is $25 million (around Rs 100 crore) whereas in India it is $5 million (around Rs 20 crore). "The premium depends on a number of factors and varies from $250,000 (Rs 1 crore) to $500,000 (Rs 2 crore)," the official added.
On the other hand, Tata-AIG General Insurance, which had introduced a cybercrime cover in 2001, has stopped offering the product. A Tata-AIG official declined to comment on the number of cybercrime insurance policies sold or the claims ratio.
"I have not heard of businesses being covered for cybercrimes. A majority of cybercrime cases are brushed under the carpet since companies fear a loss of image if the cases come to light. India has a long way to go when it comes to covering cybercrime," asserted Vijay Mukhi, President, Foundation for Information Security & Technology (FIST).
"It's time for insurance companies to provide thought leadership in this space," concurred Pavan Duggal, a lawyer and consultant on cybercrime legislation.
Cybercrime policies in the US cover e-theft, denial or impairment of e-service, e-communication, e-vandalism, e-threat and fraudulent e-signatures. Comparable covers in India protect firms primarily against misrepresentation, fraud, phishing, piracy and hacking.
Insurance companies globally have learnt to put a value to intangible assets (like data), but Indian insurance firms are yet to learn this game, Mukhi said. Statistics on data theft in India are not available. Insurance companies do not know which cities face the most cybercrimes, so deciding on the premium is difficult.
For every 500 cybercrimes that take place, only 50 are reported; just one cybercrime is registered with the police and a cyber criminal is rarely caught, said Duggal. Also, crime insurance policy is a specialised liability policy. Indian underwriters lack the expertise in underwriting these policies and secure expertise from overseas reinsurers.
Overseas reinsurers, especially Chubb, AIG and Lloyds, are the dominant players in underwriting cybercrime risks. In the US, $100 million is paid as premium annually to cover cyber risks, and the claims paid out amount to $14 billion.
Banks currently cover their risks through a banker's indemnity policy or a customised banker's blanket bond policy. Bigger banks buy covers ranging between Rs 10 crore and Rs 50 crore (Rs 1-5 billion). The premium depends on the profile of the bank (number of branches, number of customers, turnover), and the technology, systems, controls it has to prevent claims.
Many IT-ITeS firms, on the other hand, cover their risks through a professional indemnity policy such as an 'errors and omissions' policy. These policies can be customised to cover data piracy and hacking.