Norton Rose Fulbright has co-authored this update with Allianz (India) and Marsh (India) to present the legal, underwriting and insurance broking perspectives when dealing with international cyber risks faced by Indian businesses.
The level of cross-border business between India and key regions such as the US, Europe and the Middle East has increased significantly over the last two decades. There are multiple reasons for this, such as India’s bold economic reforms, the diversification of its economy, its continued export of manufactured goods and professional services along with the elevation of India’s political relations with states within these key regions. With the rise of technology, India has become a global outsourcing and business processing hub and there are now multiple internet/cyber “cities” set up across India which are home to Indian companies that service the international markets. Many of these companies have also now expanded internationally to service their global clients.
India’s campaign of “Make in India” has gathered steam and India is now positioning itself to be the top manufacturer of choice for US and European businesses. The Indian Government is actively targeting US businesses, who are looking for alternate locations for their manufacturing set-ups, and is encouraging them to move part of their operations to India. In recent months, the disruption of COVID-19 has had a unique positive effect on the country. Certain Indian sectors are now at the forefront of dealing with the crisis and its ramifications. For example, India is currently the second largest personal protective equipment (PPE) manufacturer in the world and has a well-developed pharmaceutical sector for generic drugs.
Furthermore, with the increased need for remote working and digitisation during the COVID-19 pandemic, India’s technology consulting firms may be at the frontline of the emerging new world.
Much has been written about the cyber risks that exist domestically in India and the legal and regulatory framework that is developing to deal with this.
From a malicious cyber-attack perspective, phishing campaigns and ransomware attacks are all too common and have hit businesses ranging from small family-owned setups to some of the largest global Indian conglomerates. The purposes behind such attacks range from financial to political to commercial.
The purpose of this article is to consider the international cyber risks faced by Indian businesses, which have evolved over the last two decades, as Indian businesses become increasingly global.
This article looks at the risks faced by global Indian businesses through three perspectives: legal, insurance broking and insurance underwriting.
International cyber risks faced by Indian businesses
The legal perspective: Norton Rose Fulbright
Cyber risks affecting Indian businesses do not materially differ from those seen in other countries and regions. For example, Indian businesses are equally prone to phishing campaigns, social engineering attacks and business email compromise, ransomware attacks and so on.
However, the legal and regulatory risks that Indian businesses now face have certainly evolved in recent years.
Emerging privacy legislation
In recent years, the world has seen emerging privacy legislation across several key jurisdictions.
In 2018, the General Data Protection Regulation (the GDPR) was implemented to protect EU citizens’ rights to data privacy. The GDPR has an extra-territorial application to it, so that it applies to Indian businesses who may be operating outside of the EU but who either offer goods and services to, or monitor the behaviour of, people located in the EU. The GDPR also imposes, either directly or via mandatory contractual provisions, extensive obligations on companies that act as data processors on behalf of parties that the GDPR deems to be data controllers – something which is particularly pertinent in the outsourcing sector in India.
Europe is a significant marketplace for India (particularly in the fields of IT and business services outsourcing), and so the GDPR is particularly relevant to Indian businesses. Non-compliance with the GDPR can lead to significant fines being imposed of up to €20 million or 4 per cent of global turnover (whichever is greater). Fines of this nature can be imposed for, among other things, failure to have appropriate technical and organisational measures in place to safeguard the security of data processing, or failure to comply with mandatory data breach reporting requirements. European data protection authorities are becoming increasingly assertive and the first significant fines under the GDPR are in the process of being imposed.
Privacy legislation is developing across the world and we have seen stringent laws (akin to the GDPR) now coming into force in other jurisdictions, such as the DIFC, Australia and Hong Kong. The new legislation in each of these places obliges companies to make a notification to regulators within a set period of time following a data breach.
Inspired by the GDPR, other jurisdictions are now looking at similar privacy bills, including certain states in the US (most notably, in California by way of CCPA).
As a result, Indian businesses face fast changing legal landscapes in which they or their customers operate.
Indian outsourcing/consultancy businesses supplying services to international parties, as well as businesses that are inherently international in their scope such as the aviation and tourism sectors, face the largest risk in respect of international exposures. Where an outsourced payment processing Indian company holds data, for example on behalf of a European or DIFC company, it will need to be aware of its regulatory obligations (which may be multiple and span across several jurisdictions) and be aware of the potential ramifications of breaching those obligations. It will also need to be aware of the contractual arrangements between it and the international party, which will specify the parties’ respective responsibilities in relation to data processing and information security, as well as setting out the governing law and jurisdiction that applies to the relationships and which will accordingly inform the liabilities that can arise.
Indian businesses in a range of sectors also face cyber threats where the aim is not to steal data but to disrupt business operations (for example, the global trend of ransomware attacks by sophisticated attackers, which often involve threats to publish stolen data as well as unauthorised data encryption, shows no sign of slowing down). Where a business exports its products or services internationally, it may face contractual liability claims that are subject to a non-Indian law, if the company fails to meet its contractual obligations.
The developing nature of cyber-related litigation
Whereas in the past, companies in some jurisdictions did not have to notify the occurrence of a data breach incident to regulators/clients, to consumers or to contractual counterparties, they now have to do so under stringent laws that have come into force. The notification of an event leads to awareness of it by those who have been affected, as well as other stakeholders such as shareholders. This is leading to a steady increase in cyber-related litigation.
In addition to the liability that companies may face from regulatory action, cyber liability claims are emerging across the world. These are being made by (i) employees/data subjects whose data has been impacted and (ii) shareholders where the company’s share price has been adversely affected and shareholders argue that proper systems were not in place to prevent the breach or that the breach was not effectively handled by the company’s board.
Claims are also being made by contractual parties, where the breach occurred somewhere else in the contractual chain but financial or reputational loss has occurred to another party in the chain. This is a common occurrence in a scenario where the vulnerability lies in the systems of an outsourced provider and leads to a breach of another entity’s data, network or systems.
These global developments are of real significance to Indian businesses as they are likely to be exposed to these liabilities where their businesses are becoming more and more global in nature.
Emerging class action regimes
Indian businesses should also be aware of class action regimes that are emerging globally, facilitating the way for class actions being brought against businesses and company management by amongst others employees, data subjects and shareholders, following cyber incidents. Significant class action claims are now on foot, particularly in England and in the US. In the Middle East, a new securities class action regime came into force in Saudi Arabia in 2017, which is yet to be tested in a cyber liability context.
Developing Court systems
Indian businesses should note that global court systems are also developing in view of the ongoing and further expected rise in cyber litigation. In England, a specific court is being set up to deal with fraud and cyber crime claims and there is increasing global coordination between regulators investigating financial crime (which includes cyber-related financial crime), such as the SFO, DFSA and DOJ.
The broker’s perspective: Marsh
While cyber insurance has existed as an insurance solution for around two decades globally, and specifically in North America and some EU countries, the product is still very nascent in India. Although cyber insurance has been at the top of the agenda of many Indian corporates, uptake of the product is not as high as expected. This defies conventional logic, considering how vulnerable Indian firms are from a cyber-attack viewpoint.
Cyber insurance solutions in India are at an emerging stage where a small proportion of corporates have proceeded to transfer this risk to an insurer. According to various sources, currently around 500 standalone corporate cyber insurance policies are in place in India with a gross written premium of circa US$20m. This is insignificant as compared to the global cyber insurance market of circa $4bn.
The initial buyers of this insurance were the IT/ITeS companies, who procured it predominantly to fulfil their contractual obligations under the contracts that they had in place with their US- and EU-based clients. Since this has historically been more of a tick box approach, there was not much effort in understanding the specifics of cyber insurance in detail.
This is where an insurance broker’s role becomes important: providing guidance on the right insurance solution, narrowing down the best options with regard to the terms and conditions of the product, and achieving an efficient total cost of risk transfer. When looking at the risk that we are seeking to place, different considerations apply depending on the sector to which the business belongs. In this piece, we look at each of the key sectors of Indian business below and the broking considerations that apply to each.
IT / ITeS Organizations:
Indian IT firms have transformed into large, complicated, international organizations over the last 20 years and are therefore complicated risks to place.
These firms, due to the large quantity of data that they store, are also the most heavily targeted by cyber attackers and threat vectors. Recently, a large global IT firm announced to its clients that it had detected what appeared to be a Maze ransomware attack. This type of malicious threat not only encrypts data on compromised computers, but also copies it and threatens to publish the information if the ransom is not paid. The significant impact on businesses, especially technology-focused companies, should not be underestimated.
Businesses are relying on rapidly developing technology to support their business systems and, most importantly, their security systems. Businesses turn to IT organisations to develop business applications, to obtain cloud services, or to purchase cyber security products. The key issue is to identify the cyber risks faced by the businesses whose business model is to develop and provide those services and products. Tech companies therefore need to focus not only on creating security products for other businesses but also on securing their own businesses from cyber-attacks.
In one incident, a group of hackers infiltrated a software update system and distributed malware to nearly 1 million Windows computers by disguising it as a ‘critical software update’. When looking to place insurance for a tech/IT-focused firm, we consider the kind of products and services that the business deals with, as this informs the risks to which the business is exposed.
When looking to place a tech/IT firm’s cyber risk and when presenting it for underwriting purposes, we focus on the protocols it has adopted, its data management policies and its employee training practices along with the cyber security infrastructure the firm has.
When considering coverage for tech firms, as a broker we seek to ensure that the insurance policy includes, at a bare minimum, coverage for privacy liability and related regulatory actions, network interruption losses and first-party costs including forensics and response to ransomware attacks. The insurance solution is still evolving, with new coverage being added every passing year.
Banks and financial institutions:
With the government’s agenda of Digital India, banks and financial institutions have been increasingly focusing on enhancing their digital footprint and digital networks in order to facilitate transactions. There has been a drastic increase in the number of Indians carrying out online transactions for payments and purchases, and generally undertaking online activities.
However, with this increase in digital penetration there has been an increased exposure for the banking industry, making it more vulnerable to various cyber security threats.
There is a specific need for the finance industry in India, as a whole, to protect banks against risks at all levels by taking out adequate insurance, not just in the interest of the banks but also in that of their customers. For instance, one recent incident involved a mid-size bank in Pune where approximately US$15m was taken out of its systems using a vulnerability in the SWIFT system. We strongly believe that, considering the high cyber risk exposure, there is a strong argument for the banking regulator to make cyber insurance mandatory for banks as a prudent risk transfer mechanism.
When placing a financial institution risk, we are alive to and particularly mindful of all the possible threats they face, such as phishing, hacking and DDoS attacks, and our aim is to create an adequate cyber insurance policy that protects the needs of the banks and their customers. The scope of cover and the wordings available are where we, as brokers, add value, by seeking to match the scenarios that these insureds face with the level of wording they require.
Manufacturing:
A recent report by Seqrite (the enterprise security arm of Quick Heal Technologies) highlighted that Indian manufacturing firms accounted for the highest share of malware detections, at 28 per cent, of all sectors in India. Many large corporates in India, including large manufacturing firms, have increased their expenditure on cyber security in recognition of the cyber threats to which they are exposed.
The manufacturing industry is no longer run manually, and technological systems are replacing individuals in many areas. Manufacturers have welcomed futuristic changes in the way the industry functions, using industrial robots, large-data operations, wireless connectivity and so on to drive efficiencies. Unfortunately, many industry players stop there and do not recognise the cyber threats that follow from reliance on new-age technologies. Some manufacturers think that cyber attackers do not target the manufacturing sector because their systems use non-data technology. Cyber attackers will often have an advantage where a sector does not appreciate the real cyber threat it faces.
The threats to manufacturers are increasing rapidly and the types of threat are unique, making it difficult for this sector to find the right cyber insurance policy. A cybercriminal may be able to infiltrate a manufacturing device connected to wireless systems and alter its commands so that faulty products are manufactured without the knowledge of the manager. This ultimately becomes a liability for the company when the product results in some kind of loss to the user.
From the broker’s perspective, we see that business interruption losses arising out of cyber-attacks on the operational technology including the SCADA and ICS systems are the biggest motivator for manufacturing firms to seek cyber insurance cover.
The underwriting perspective: Allianz Global Corporate & Specialty
Cyber has been at the top of the radar for risk managers for several years now. The annual Allianz Risk Barometer has consistently ranked cyber incidents amongst the top three corporate perils affecting businesses for consecutive years, and in 2020 it was ranked as the top threat. The outlook for Indian corporates isn’t any different. The Internet Crime Report for 2019, released by the US Federal Bureau of Investigation’s Internet Crime Complaint Center, revealed that India ranks third in the world among the top 20 countries that are victims of internet crimes, excluding the United States.
The concerns of risk managers across corporates have increased at a rapid pace due to the COVID-19 crisis: several were unprepared to handle the large-scale exercise of working from home, remote working and/or disruptions in day-to-day operations. According to the CrowdStrike Work Security Index, around 61 per cent of Indian business leaders and decision-makers think their firms are more likely to experience a serious cyber crime during the COVID-19 situation, as opposed to 45 per cent globally.
Indian companies are gradually expanding their global presence, across industries and geographies. There are multiple reasons for this: growing overseas investments, increased demand for services, cross-border acquisitions and mergers, and growth opportunities in emerging markets. Businesses are firmly establishing their position internationally, and sectors such as IT/ITeS, pharmaceuticals, auto and aviation are leading the way.
However, with all the development and success stories that exist, there is an underlying sense of concern. The leadership of organisations constantly grapples with concerns about how unknown (and sometimes known) risks might impact the organisation. While traditional threats such as property damage, business interruption, terrorism and maritime losses are by and large adequately covered, there are emerging risks that might not be within the ambit of risk executives. Industries are awakening to the possibilities of disruption due to climate change, market volatility and fluctuation, political unrest, loss of brand value and cyber-attacks.
With the continued growth of corporations, the insurance industry is also expanding its product suite and offerings to cater to the demands of the customers.
As an underwriter, it is an exciting and challenging time to usher in the brave new world of cyber protection. The product is relatively new compared to other liability policies and hence is evolving at a much faster pace. Technology is a critical component in the everyday running of industries, and any speed bump could result in huge losses. Cyber underwriters have gauged this peril and are looking at whether cover can be offered for privacy breaches and for business interruption losses due to cyber-attacks or intrusions.
Alongside the growth of this product, the underwriting of cyber is also undergoing a tremendous amount of change in terms of risk profiling and exposure analysis. There are many threats and moving variables to consider, and even these may not remain consistent during the whole tenure of the policy.
Clients are hardly confined to being classified under one industry type. A telecom enterprise also offers eWallet services, an eCommerce company is applying for a banking license, the oil and gas giant is expanding into media and entertainment, the steel manufacturing conglomerate now has businesses in IT/ITeS, auto manufacturing, financial services and aviation to name a few. This makes the underwriting complicated and complex. We need to be mindful of the technical as well as non-technical exposures.
The activities of a client help the underwriter determine the exposure levels to a probable loss. Depending on the industry classification, the client might have a different requirement of coverage and similarly the underwriter might have a different perception of risk and appetite. For instance, technology companies are heavy on their requirements for cover relating to data privacy and confidentiality breaches whereas a manufacturing company might be more focused on cover for business interruption due to a cyber-attack. Hence, for a manufacturing setup, the risk analysis would focus more on how well defined their business contingency plans are, their reliance on supervisory control and data acquisition (SCADA) or how developed their Industrial Control Systems are. For Banks, underwriters would scrutinise their customer base and the robustness of the IT security in place.
The next item to be mindful of is the geographical scope of the customer’s operations. With the surge in globalisation and the ever-increasing footprint of Indian companies, this is proving more of a challenge now than ever before. India is an outsourcing hub, and companies today have clients across the globe. They are much more exposed to multi-jurisdiction litigation owing to their contracts and the territorial scope of their clients. Due to accelerated mergers and acquisitions, Indian companies have not only offices but also subsidiaries and joint ventures in various countries, requiring compliance with the laws and regulations of multiple jurisdictions. In addition, businesses are more interconnected and interdependent in composition. Any one portion of the company facing downtime due to a cyber-incident could have a ripple effect on the rest of the operations.
As underwriters, we need to understand the dependencies between various functions internally, as well as external dependencies on outsourcing partners, for instance a critical dependency on a cloud service provider. Cloud outages can prove expensive on an individual as well as on an aggregate level.
Another threat to international business is the changing geo-political landscape. Cyber warfare and terrorism are very real possibilities. There is a heightened level of cyber activism and hacktivism, and organisations could unwittingly become caught up in the activities of cyber-vigilantes or in agenda-driven cyber-attacks.
Internal Risk Controls:
Perhaps the only measurable portion of cyber underwriting is the risk management and security levels of the client. There are many technical tools and guidelines that can help assess their IT security policies. One approach to gauging how seriously an organisation takes the cyber threat is to understand its spend on IT security as a proportion of its revenue. As companies grow, their expenditure on measures and techniques to safeguard themselves from a cyber-incident should also grow. We ultimately need to deep-dive into their protocols and analyse their hygiene characteristics: encryption, antivirus software, detection capabilities, auditing mechanisms, usage of portable media, access control procedures and, most importantly, employee awareness. This is largely dependent on the clients being co-operative and transparent with the underwriters.
Loss History and Other Critical Aspects:
The bigger the scale of the company, the more significant the role and function of the CISO/CIO and the seriousness with which the organisation handles compliance and regulation. With ever-progressing data privacy guidelines, companies need to adhere to the laws of each country in which they operate or from which they have exposures, including consideration of coverage for third-party liability and coverage for fines and penalties. Underwriters are mindful of the hefty penalty amounts for which establishments can be liable under various laws. The extra-territorial scope of laws and regulations can mean that companies are never far from the reach of the regulators.
The history of cyber incidents can provide an insight into the philosophy of the client. Underwriters do not necessarily fault the buyer for having a past record of cyber intrusions and breaches; it is the handling of these crucial events that offers comfort and conviction to insurers. Repeated attacks, lack of mitigation methods, unsecured servers, low employee sensitivity and faulty disclosure norms are potential red flags and matters of concern.
Conclusion and cyber risk management strategies for Indian businesses
As we have discussed above, the cyber risks faced by increasingly global and complex Indian businesses are here to stay. It is now a question of “when” and not “if” an Indian business will face an internal or external malicious cyber-attack. There is much to navigate for these businesses as they diversify, grow larger and become more global when assessing and seeking to transfer their cyber risk exposure.
There are simple steps that Indian businesses can take to manage their cyber risk.
- Obtain advice on a regular basis on the global regulatory and legal obligations that your business faces given its geographical footprint and especially in light of fast-developing laws and regulations around the world.
- Have advisors with global expertise and reach (including legal, forensic IT and PR agencies) lined up and ready to assist, in the event of a cyber incident.
- Consider carefully the benefits of cyber insurance as part of a holistic cyber risk framework, and ensure that the wording you procure suits your needs.
- Seek and obtain valuable input from your insurance brokers and insurers on what they look for when assessing whether a business presented to them is an effectively managed risk. If your business does not exhibit the features they look for, it is likely that you should be taking steps to improve your risk management framework.
- Lastly and above all, prepare and have a plan.
Should you have any queries about the topics discussed in this paper, please contact our specialists below.
- Steve Hadwin, Director, Head of Operations, Data Protection, Privacy and Cybersecurity, Norton Rose Fulbright LLP, London
- Shabnam Karim, Special Counsel, Norton Rose Fulbright (Middle East) LLP, Dubai and member of the Norton Rose Fulbright India Practice Group
- Bhishma Maheshwari, Executive Vice President and Cyber Lead, Marsh India
- Unnati Bajpai, Senior Underwriter, Financial Lines, Allianz Global Corporate & Specialty SE India Branch