cyber crime liability report


Upload: sayali-sawant

Post on 12-Feb-2017


Cyber Crime Liability Report 2015


CYBER CRIME LIABILITY REPORT 2015

A report submitted to India Insure Risk Management and Insurance Broking Services Pvt. Ltd., Mumbai.

Ms. Sayali Sawant

S.Y.B.Com (Banking and Insurance)

Under the guidance of

Mr. Manish D. Parikh

AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd.

Duration of the Project: 1st April, 2015- 30th June, 2015

Date of Completion of the Project: 26th June, 2015


Declaration

I, Sayali Sawant, hereby declare that this report on “FEASIBILITY STUDY OF CYBER CRIME AND INSURANCE POLICY” has been written and prepared by me as a part of my summer internship from 1st April, 2015 to 30th June, 2015 under the guidance of Mr. Manish Parikh, AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd. All the statements in this format are true to the best of my knowledge.

Place: Mumbai

Date: 23rd June, 2015 (Sayali Sawant)


Certification


ACKNOWLEDGEMENTS

Management ideas without actions based on them mean nothing. This is why practical experience is vital for any management studies. Theoretical studies in the classroom are not sufficient to understand the functioning climate and the real problems hindering management. Thus practical exposures are indispensable, as they act like a supplement to the classroom studies.

With respect to the same, I would like to acknowledge India Insure Risk Management and Insurance Broking Services Pvt. Ltd., for accepting my request for the internship with the company. I would like to express my gratitude to Mr. Arindam Ghosh, VP Mumbai, India Insure Risk Management and Insurance Broking Services Pvt. Ltd., for offering me this opportunity to team with them and for entrusting me with this project research. I am also grateful to Mr. Manish D. Parikh, for being my guide and mentor and helping me throughout my training period.

Lastly, I would like to say a big “THANK YOU” to the entire staff at the Vile Parle, Mumbai office of India Insure Risk Management and Insurance Broking Services Pvt. Ltd.

(Sayali Sawant)


CONTENTS

1. Introduction

A. Background

B. Need Of the Study

C. Organizational Profile

2. Literature Review

3. Research Methodology

A. Purpose and Objective

B. Research design

4. Data Analysis And Interpretation

A. Hypothesis Testing

B. Distribution of Responses From the Survey Questionnaire

C. Risk Assessment

D. Risk Management Strategy

5. Summary

A. Conclusion and Findings

B. Suggestions

C. Future Leads

6. Appendix

7. Bibliography and References


ABSTRACT

Information Communication Technology is defined as the technology required for information processing. It involves the use of computer software, web browsers, productivity software suites and software for business applications. Use of Information Technology has become inevitable in business and in personal life. Irrespective of the size of the turnover, every person involved in a business transaction in some way or other uses computers, computer software, the internet, etc. for carrying on business activities. In today’s business environment, people not only have their physical offices but also their space in the virtual world, popularly called “websites”. Growing consumerism and advancement in technology have led to the mushrooming of e-commerce and online sales. Automation of business plants is not possible without computer software. The banking, financial and insurance sectors have almost totally gone online. These are just a few instances of the encounter of technology and business. The list can go on and on.

Any business activity, online or offline, has to comply with the law of the land. Thus, the Information Technology Act, 2000 was formed as a legal framework for the smooth conduct of e-commerce.

Yet legal experts opine that at present the rules construct an incomplete regime that does not adequately protect privacy and, for this reason, falls short of internationally accepted data protection standards. Though the Act provides a certain kind of protection, more effective measures are mandatory to protect, preserve and promote cyber security in India.

Thus the cyber liability insurance policy comes into the picture to fill the need of combating the losses due to cyber-attacks. It serves as an appropriate option to transfer the risk associated with loss of data (i.e. data breach) and hacking, efficiently providing liability cover for intangible property.

The paper focuses on cybercrimes, cyber criminals and their activities, the perception of cyber threats by various organizations, and the scope of the cybercrime insurance policy which organizations should take to mitigate such crime. Here, primary data collected from participants of the survey is used for analysis.


1. INTRODUCTION:

The term “cyber liability” means different things to different people. For a corporate risk manager the issue is how to identify, quantify, mitigate and transfer the risks that face his own operations. For an IT service provider it is how to monitor, understand and outwit cyber criminals and develop new tools to prevent cyber-crime. In order to serve the needs of their clients, insurance professionals have to understand the implications of the business risks faced by corporations and offer effective, affordable solutions to their risk transfer needs. Daily news headlines reveal the escalating, and costly, problem of data breaches for companies today. All companies store assets digitally — from consumer personal data, to B2B customer data, to trade secrets, to confidential information relating to mergers and acquisitions. While technological advancements, evolving computer data systems, and internet access offer significant benefits to businesses and their customers, a major challenge that comes with the increased use of technology is an increase in the risk of cybercrime attack. Cybercrime has significant financial and non-financial implications for businesses. To prevent cyber-crime incidents, most companies employ cyber-security measures which include a combination of technology and security procedures. However, since cyber attackers are continuously discovering new ways to exploit vulnerabilities, cyber security alone cannot prevent all potential attacks. This project looks at how cybercrime insurance can protect companies from the costs of cybercrime. We explore the challenges for insurance companies offering cybercrime policies, analyse the required investments, and provide recommendations.

A. Background:

What is cyber-crime?

Cybercrime is criminal activity done using computers and the Internet. This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet. Because cybercrime covers such a broad scope of criminal activity, the examples above are only a few of the thousands of crimes that are considered cybercrimes. While computers and the Internet have made our lives easier in many ways, it is unfortunate that people also use these technologies to take advantage of others. Therefore, it is smart to protect yourself by using antivirus and spyware blocking software and being careful where you enter your personal information. Cybercrime refers to any illegal activities using, or against, computer systems, computer networks, and the internet. Although cybercrime is a commonly used term today, there is no standard global definition and the definition varies based on the context.

Who is carrying it out?

Cyber-attacks can be carried out by a host of people, ranging from disgruntled employees and individual hackers to organised cybercrime syndicates, enemy governments or activists.


What is the biggest delusion related to cybercrime?

Most organisations believe that their systems are highly secured and that their security can be rated 10 on a scale of 10! They believe they are 100% protected. However, attaining the highest level of security ideally should be a secondary goal for organisations, while being prepared to combat cyber-attacks should be their primary objective.

But, while the term cybercrime describes a variety of attacks and activities, they can be broadly classified into three categories.

Category 1 – Business disruption and misuse

Denial-of-Service (DOS) or Distributed Denial-of-Service (DDOS) Attack refers to making a computer resource unavailable to its intended users or preventing it from functioning efficiently.

Malware or Malicious Software refers to programs such as viruses and worms that try to exploit computer systems or networks, leading to business disruption, leakage of sensitive data, or unauthorized access to system resources.

Software and Information Piracy refers to theft or misuse of copyright material and software.

Industrial Espionage refers to corporate rivals illegally accessing confidential information to erode competitive advantage, gain financial information, or misuse trade secrets.

Cyber Extortion refers to holding a company for ransom through denial of service, manipulating website links, or the threat of leaking customer or financial data.

Category 2 - Online Scams

Phishing refers to disguising an electronic communication as coming from a trustworthy entity in an attempt to acquire sensitive data.

Spear Phishing refers to a targeted campaign of highly personalized bogus e-mails, aimed at a specific individual or organization, that appear to come from a trusted source.

Pharming techniques involve redirecting website traffic from a legitimate website to a fraudulent website.

Spoofing refers to fooling people into entering personal details into a counterfeit website.

Purchase Fraud refers to selling products through online channels which are never shipped.


Category 3 - Theft and fraud

Identity Theft refers to obtaining personal data from individuals—such as social security number, address, or bank account details—which can be misused to open new accounts or obtain services in the name of the victim.

Theft from Business refers to stealing revenue directly from businesses using online channels; for example, obtaining access to a firm’s accounts and transferring the money illegally.

Intellectual Property (IP) Theft involves stealing ideas, designs, specifications, trade secrets, or process methodologies, which may erode competitive advantage in terms of operations and technology.

Customer Data Theft involves obtaining sensitive customer information with the purpose of misusing the data for financial gain.

Fiscal Fraud describes fraud against the government, often through attacking government online channels, and includes theft, such as fraudulent claims for benefits, and evading taxes.

B. Need Of the Study:

Professional hackers and cyber terrorists have been working overtime to develop various techniques for compromising a firm’s security, thereby damaging its IT infrastructure. So, organizations need to build up capabilities for anticipating attacks which are serious, at times catastrophic, and which make inroads into critical corporate information. Apart from building up organizational resilience to cyber-attacks, it will also be prudent for organizations to obtain cyber insurance.

In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber-attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets, focussing less on theft of financial information and more on business espionage and accessing government information. To fight fast-spreading cybercrime, businesses and governments must collaborate globally to develop an effective model that can control the threat.

CYBER CRIME IN INDIA [1]:

28,481 websites were hacked in India in 2013

Cyber-crimes have cost India INR 24,630

India is ranked as one of the top 3 targets

The study elaborates on cyber-attacks and also provides insights into proper structuring of cyber insurance.

[1] iNotes published by India Insure Risk Management & Insurance Broking Solutions Pvt. Ltd., Issue No. 51, December 2014


C. Organizational Profile:

India Insure was conceptualized way before the liberalization of the insurance sector in India. Started in the year 1999 as insurance consultants, the company was founded by a team of 4 professionals who came in from diverse backgrounds with a common dream of doing something different. Sensing the huge opportunity that existed in the insurance industry post-liberalization, the idea to create a world-class insurance broking firm emerged. Insurance broking operations commenced in India in the year 2003 and India Insure acquired the first insurance broking license in the country, a historical statistic now, but a proud moment for Team India Insure then. In the year 2004, India Insure started recruitment of core insurance professionals from the insurance industry.

India Insure is India’s leading Insurance Broker – the first to be licensed by IRDA. India Insure is a composite insurance broker licenced to handle both domestic and international business. The firm is more focused on commercial and corporate insurance.

With a dedicated team exceeding 100 trained and experienced professionals having over 550 man years of experience, India Insure operates from ten locations across India. Products handled are diverse, ranging from health insurance to complex project deals. India Insure believes that “Winning and sustaining customers’ trust” is the key to professional broking. India Insure has expertise in handling deals from large power projects to some of the largest liability deals, and provides a comprehensive array of property, health, employee benefit, liability, reinsurance and risk management services. In addition, India Insure has developed product-specific competencies that allow it to respond to unique demands and opportunities in specific vertical markets.

Major lines of business:

Employee Benefits Insurance.

Liability & Specialty Insurance.

Project Insurance.

Claims Handling Services.

Reinsurance.

Value added service offerings:

Risk Inspection.

Risk Audit Reports.

Industry Benchmarking.

Insurance Manuals.

Training on Claims Handling.


2. Literature Review:

Cybercrime is a range of illegal digital activities targeted at organisations in order to cause harm. The term applies to a wide range of targets and attack methods. It can range from mere web site defacements to grave activities such as service disruptions that impact business revenues to e-banking frauds. [2]

In the modern data-centric business era, where trades are driven by information, communication and technology, the threat of cyber-attacks including hacking, malware, cyber terrorism, fraud, DOS, DDOS, etc. serves as a potent reason for business interruption, causing financial as well as reputational losses. Cyber hacking can be a threat to almost any industry ranging from IT to manufacturing. Even financial markets are vulnerable to cyber hacking. The impact of cyber risk can be moderate to catastrophic. Its frequency of occurrence can be rated as possible. So, cyber risk can be mapped from medium to very high.

| Frequency of occurrence \ Severity | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Frequent | Medium | High | Very High | Very High | Very High |
| Occasional | Medium | Medium | High | Very High | Very High |
| Possible | Low | Medium | Medium | High | Very High |
| Unlikely | Low | Low | Medium | High | High |
| Remote | Low | Low | Medium | Medium | High |

1. Risk Matrix

KPMG’s Cyber Crime Survey Report 2014 reveals that India is the third most vulnerable and easy target for hackers worldwide, as cyber regulation is not so stringent. Cyber attackers can disrupt critical infrastructure such as stock markets, power infrastructure and air traffic control systems; carry out identity theft and financial fraud; and steal corporate information and state and military secrets. Anyone can take advantage of vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified.

The Information Technology Act, 2000 came into force on 17th October, 2000 and was amended twice, in 2008 and 2011, for amendments related to reasonable security practices, procedures and sensitive personal data. Tampering with computer source documents (Sec. 65), hacking with computer system (Sec. 66), publishing obscene information in electronic form (Sec. 67), breach of confidentiality and privacy (Sec. 72) and offence relating to digital signature (Sec. 73) are some of the cyber-crimes listed under the law, for which the maximum punishment is a fine of Rs. one lakh or two years of imprisonment or both. With the current law, the victims feel they are not reimbursed properly for the loss they suffer due to a cyber-attack.

Data is one of the most important assets of a business and, with hackers stealing tens of millions of customer details in recent years, firms across the globe are pushing network security beyond the IT department to the boardroom.

[2] KPMG Cyber Crime Survey Report 2014

Bar chart 1 [3]: The average number of breached records by country

| Country | Average number of breached records |
|---|---|
| Japan | 19214 |
| Australia | 19788 |
| Canada | 20456 |
| France | 20650 |
| United Kingdom | 21695 |
| Brazil | 22902 |
| Germany | 24103 |
| US | 28070 |
| India | 28798 |
| Arabian Cluster | 29199 |

Bar chart 2 reports the average size of data breaches for organizations in the 10 countries. As shown, organizations in the Arabian region, India and US had the largest average number of records lost or stolen.

[3] Ponemon Institute© Research Report (2015)


Pie chart 1 [4]: Distribution of causes of data breach (malicious/cyber attack 46%, system glitch 29%, human error 25%)

The root causes of data breach:

Malicious or criminal attacks are most often the cause of a data breach globally. Pie chart 1 above provides a summary of the main root causes of a data breach on a consolidated basis for all 10 countries represented in the 2015 Cost of Data Breach Study: Global Analysis. Forty-seven percent of incidents involve a malicious or criminal attack, 25 percent concern a negligent employee or contractor (human factor), and 29 percent involve system glitches that include both IT and business process failures.

Below are some statistics from the Symantec 2014 report [5]:

62% increase in the number of breaches in 2013

552,000,000 identities were exposed in 2013

23 zero-day vulnerabilities discovered in 2013

38% of mobile users have experienced mobile cybercrime in 2013

1 in 392 emails contains a phishing attack

1 in 8 legitimate websites has a critical vulnerability

[4] Ponemon Institute© Research Report (2015)

[5] Symantec 2014 Internet Security Threat Report


Cyber Crime Insurance Policy:

From the above, studying cyber-crime becomes more and more important: as we can see, the quantum of risk is getting bigger and bigger. Traditional insurance policies were not of much use in catering to such risks, and cyber-crime insurance bridges these gaps.

Below are the coverages currently offered under a cyber risk insurance policy.

First Party Losses:

a) Direct or extra expense of responding to the breach. Covered expenses typically include: hiring an independent information security forensics firm; public relations; notification of affected parties (i.e., business customers and/or individuals whose data was accessed or acquired in the data breach); credit monitoring for individuals; identity theft resolution services; costs to re-secure, re-create and/or restore data or systems; legal services/advice; crisis management services; e-extortion costs (company is forced to pay hacker in order to get data/access back).

b) Fines/penalties: While civil fines themselves are usually covered, some carriers may not offer coverage for costs to investigate, defend and settle fines.

c) Denial of service costs to business: These costs include loss of use and resulting business interruption. Coverage can be set as a per day amount or can be tailored to a company’s specific loss. For example, losses to an online retailer would likely be higher on Cyber Monday than on Memorial Day.

d) Losses resulting from misappropriation of the insured’s information assets or confidential business information. Under some policies, losses related to misappropriation of intellectual property, trade secrets, company records, customer lists, company credit card numbers, budgets, proposals, work papers, and any other proprietary or sensitive company data that results from a data breach are covered.

e) Damage to systems: This could include losses resulting from damage to the insured’s computer systems resulting from the breach. Some policies include coverage for the cost of restoring lost or compromised data.

f) Disclosure of information: Some policies include coverage for damages in connection with the disclosure of information to a competitor.

g) Intellectual property: Coverage could include expenses related to the restoration or recreation of intellectual property, including trademarks, copyrighted material and proprietary business information, up to amortized value.

Third Party Losses:

a) Third-party claims: This includes claims for damages brought by customers, consumers or outside business entities for damages they incurred as a result of the insured company’s breach of security, namely their losses from the inability to transact business, including punitive and exemplary damages, settlements and costs.


b) Defence costs: These costs include attorney fees and expert fees for outside claims made against an insured related to a data breach.

c) Media liability: This provides coverage for losses related to libel, slander, defamation and other media torts, as well as copyright, trademark and patent infringement. This can include losses resulting from information posted to social networking sites, such as Facebook and LinkedIn.

d) Data and personally identifiable information (PII) loss: This covers losses or breach of a third party’s data, including dissemination of PII. One example would be if confidential third-party information, such as Social Security numbers or passwords, was used to breach the third party’s data. Policies define PII differently in the absence of an industry-standard definition.

e) Fines and penalties: These include fines that may be assessed under state privacy statutes as well as under federal privacy regulations.

Still, cyber-crime insurance is at a nascent stage. Also, most organisations in India still don’t consider cyber-crime a risk to them and are not aware of the utility of this policy. The above is the current progress in the cyber liability domain.


3. Research Methodology:

This research methodology has many dimensions. It includes not only research methods but also considers the logic behind the methods used in the context of the study and explains why a particular method is used, so that the research could lend itself to proper evaluation.

A. Purpose and Objective:

To understand the growing incidences of cyber-crimes associated with the Indian industries (viz. Stock Broking, IT, Multimedia, Custodian).

To understand the preparedness of the companies in handling cyber threats.

To analyse the feasibility and scope of cyber insurance policy in the Indian market.

B. Research design:

Descriptive Research: A descriptive study is one in which information is collected without changing the environment (i.e., nothing is manipulated).

Method used to conduct descriptive research: Questionnaire survey.

Sample Size: Twenty Five companies.

Data collection method: Primary Data (questionnaire survey).

Sampling Method: Simple random sampling. A subset of a statistical population in which each member of the subset has an equal probability of being chosen. A simple random sample is meant to be an unbiased representation of a group.

[Pie chart: Sector-wise distribution of companies; legend: IT, Stock broking, Multimedia, Custodian; slice labels: 8%, 84%, 4%, 4%]


Geographical Region: Mumbai Region

Number of companies: Twenty Five companies visited.

Number of Interviewees: Twenty Five.

[Pie chart: Interviewee composition; legend: IT, Compliance, Sr. Management; slice labels: 24%, 56%, 20%]


4. Data Analysis And Interpretation

A sample of 25 participants was taken and the following was analysed.

A. Hypothesis Testing:

Perception of cyber-crime as a threat is a qualitative phenomenon. The data available to us is on the basis of either presence or absence of such threats (an attribute). Thus, we record the proportion of successes in each sample. Hence, we apply hypothesis testing of proportions to understand if the sample taken during May-June 2015 is appropriate for further analysis.

The Norton cyber-crime report 2012 states that 56% of Indians consider cyber-crime a threat. As per our survey, we claim that more people now foresee a cyber threat to their organisations. A random sample of 25 organisations from stock broking, IT, custodian and media was taken, out of which 20 claim that there is a threat. Can this claim be accepted with regard to a larger population?

Note: Tested at 1% level of significance.

The null hypothesis can be written as:

H0: p = 0.56

And the alternative hypothesis can be written as:

Ha: p > 0.56

Hence, p = 0.56, q = 0.44

Observed sample proportion p̂ = 20/25 = 0.80

And the test statistic is:

$$Z_{cal} = \frac{\hat{p} - p}{\sqrt{\dfrac{p\,q}{n}}} = \frac{0.80 - 0.56}{\sqrt{\dfrac{0.56 \times 0.44}{25}}} = 2.41$$

As Ha is one-sided, we shall determine the rejection area applying a one-tailed test (in the right tail, because Ha is of the "more than" type) at the 1% level of significance.

R: Zcal > 2.33


As Zcal falls in the rejection region, we reject the null hypothesis and conclude that our claim can be accepted at 1% L.O.S. on the basis of our sample information.
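
The test above carried through in Python, as an added example that is not part of the original report: it recomputes the z statistic from the report's figures (n = 25, 20 successes, p = 0.56, 1% significance) and, going one step beyond the report, compares the normal-approximation p-value with the exact binomial tail, which matters for a sample this small. The function names are illustrative assumptions.

```python
"""One-sample, right-tailed test of a proportion, using the survey figures
quoted in the report (n = 25, 20 'threat' answers, H0: p = 0.56, alpha = 0.01).
Added illustration; function names are hypothetical, not from the report."""
from math import comb, sqrt
from statistics import NormalDist


def z_test_proportion(successes, n, p0, alpha):
    """Normal-approximation test of H0: p = p0 against Ha: p > p0."""
    if not 0 < p0 < 1 or n <= 0 or not 0 <= successes <= n:
        raise ValueError("need 0 < p0 < 1, n > 0 and 0 <= successes <= n")
    p_hat = successes / n
    std_error = sqrt(p0 * (1 - p0) / n)           # sqrt(p*q/n) under H0
    z = (p_hat - p0) / std_error
    z_crit = NormalDist().inv_cdf(1 - alpha)      # right-tail critical value
    p_value = 1 - NormalDist().cdf(z)             # right-tail area beyond z
    return {"p_hat": p_hat, "z": z, "z_crit": z_crit,
            "p_value": p_value, "reject_h0": z > z_crit}


def exact_binomial_tail(successes, n, p0):
    """Exact P(X >= successes) for X ~ Binomial(n, p0), no approximation."""
    return sum(comb(n, k) * p0**k * (1 - p0)**(n - k)
               for k in range(successes, n + 1))


def approximation_is_reasonable(n, p0, threshold=10):
    """Common rule of thumb: n*p0 and n*(1 - p0) both at least `threshold`."""
    return n * p0 >= threshold and n * (1 - p0) >= threshold


def run_report_example():
    """Run both tests on the figures stated in the report."""
    n, successes, p0, alpha = 25, 20, 0.56, 0.01
    result = z_test_proportion(successes, n, p0, alpha)
    result["exact_p_value"] = exact_binomial_tail(successes, n, p0)
    result["exact_reject_h0"] = result["exact_p_value"] < alpha
    result["approx_ok"] = approximation_is_reasonable(n, p0)
    return result


if __name__ == "__main__":
    for key, value in run_report_example().items():
        print(f"{key:16s} {value}")
```

On these figures the normal approximation rejects H0 at the 1% level, while the exact binomial tail probability is slightly above 0.01, so the decision is sensitive to the approximation at n = 25.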

B. Distribution of Responses From the Survey Questionnaire:

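[Bar chart: Response Distribution; share of "yes" and "no" responses (0% to 100%) for questions Q1 to Q13]

[Figure: one-tailed test; the critical value 2.33 separates the Accept and Reject regions, and Zcal = 2.41 lies in the Reject region]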


C. Risk Assessment:

Awareness about cyber incidences: Only 56% were aware of the cyber-crime incidents taking place in the market. 44% had no idea about such events.

Perception about cyber threat: 80% of survey respondents consider cyber-crime a serious threat to their business operations, while the remaining 20% do not consider cyber-crime an immediate threat to their business.

[Pie chart: Awareness (Yes 56%, No 44%)]

[Pie chart: Perception of cyber-crime as a threat (Threat 80%, Not a threat 20%)]


Perception about losses in case of a cyber-attack: 88% of the respondents see financial loss as the major impact of a cyber-attack they may face, followed by 76% fearing reputational losses. 65% feel business interruption due to such an event would cost them heavily, 41% see regulatory fines as a major cost and 32% consider that loss of data would be their biggest loss.

Quantum of financial loss: The largest share, 41%, feel the amount of loss they could face would be low, 29% feel it would be high, 18% do not think they would incur any financial loss due to such an event and the remaining 12% feel they might incur a moderate loss.

[Bar chart: Perception about losses (financial loss 88%, business interruption loss 65%, regulatory compliance fine 41%, reputation damage loss 76%, data loss 32%)]

[Bar chart: Quantum of Financial Loss (no loss 18%, low 41%, moderate 12%, high 29%)]


D. Risk Management Strategy:

a) System Auditing: Apart from mandatory audits by various regulatory audits (e.g.

Exchange Audits for stock brokers (annually) and SEBI audits (once in four years)),

43% of the respondent companies have their regular internal audits on a frequent

basis.

b) Redundant Systems: 29% of survey respondents claim that they have backup systems at different locations capable of recovering from business interruption due to unforeseen events in a very short span of time.

c) Security Pool: 9% of the firms have a separate pool of resources set aside to meet the losses which may occur due to cyber-attacks. They prefer to self-insure by creating such a pool rather than buying commercial insurance.

d) Other Measures: 19% of the respondent firms believe the measures below are sufficient to protect their business from cyber-crime.

Investor Protection Fund (stock brokers): The members of stock exchanges at present contribute to this Fund Re.0.15 per Rs.1 lakh of gross turnover, which is debited to their general charges account. The Stock Exchange contributes, on a quarterly basis, 2.5% of the listing fees collected by it. Presently the maximum compensation available to an investor is Rs.1,00,000. So, the stock brokers consider this fund enough to take care of litigation filed by their clients in case they are affected by an unforeseen event.

Data backup by KRA: KRA stands for KYC Regulatory Authority. Some of them feel that their data backed up by firms such as NSDL, CDSL, CRISIL, NSE, etc. is also enough to get back to work in case of a cyber-attack where their data is lost.

[Chart: Methods of combatting cybercrimes adopted by organisations (Redundant Systems / Internal Audits / Security Pool / Other measures)]


5. Summary:

A. Conclusion and Findings:

Is there a need for a Cyber Liability Policy?

In our survey, a majority of respondents feel that their organisations are putting in a lot of effort to keep business operations uninterrupted and running properly. Though organisations employ various security measures, these are not always sufficient. Yet many believe in the false hope that their system is 100% secure. There were also a few respondents who understood the gravity of the situation should a cyber-attack occur. They feel that with the expansion of their business lines, there is definitely a need for such a product.

As we can see, a majority of 72% feel there is a need for such an insurance product, which would help them counter these new threats to their business operations. They feel that they are exposed to cyber threats even after spending heavily on security. So, a cyber policy with some modifications would provide a sound base for their uninterrupted business operations. But 28% of the respondents feel there is no need for such a product. They consider it an additional cost to their business operations and of no use to them. They don’t feel they are vulnerable to such threats or that their business operations would be affected by such events in the near future.

[Chart: Need of Cyber Policy (Yes / No)]


According to our survey, 54% of the respondents feel that they would go for such a policy only if it is required by law. 23% of the participants feel that the provisions for cyber-crime liability should be offered as an add-on to an existing liability policy rather than as an exclusive policy. The remaining 23% of the respondents would like to have cyber liability as a separate product with some modified terms.

A cyber-crime insurance policy would not readily be preferred by small brokers, as they do not operate on a large scale and would thus consider it an additional cost.

Indian financial markets lack awareness of emerging cyber-crimes, which can prove to be one of the grave threats in the near future.

Many survey respondents are of the opinion that cyber-attacks won’t take place in India, as Indian markets are developing but aren’t so huge.

They do not currently foresee cybercrime as a risk to their business operations, but do not deny that the situation can change in the upcoming five to ten years. They believe that their IT security systems are completely updated and cent percent accurate, though they aren’t confident that there are no loopholes in them.

[Chart: Views about Policy (If required by law / As an add-on cover / Separate policy)]


B. Suggestions:

Stock Brokers-

Stock brokers would benefit from a cybercrime insurance policy if it were offered as an add-on or an alteration to the current Stock Indemnity Policy or Commercial General Liability Policy.

With regard to third-party liability coverage, even loss due to a vendor’s technical irresponsibility needs to be covered.

If the number of cyber-attacks in the stock broking industry increases over time, SEBI should make a cyber liability policy mandatory for the protection of investors against losses arising from such events.

Media-

Regulatory coverages should include cost incurred by content providers to sue

the culprit who infringed their data.

IT-

Many companies outsource data processing or storage to third party vendors.

So, for IT firms, it is necessary to cover them for claims that arise from

misconduct by their vendors.

IT firms demand that the terms “Hardware” and “Software” should be well-

defined and neatly framed in the policy language.

General-

Awareness about cybercrime should be created in the Indian markets, especially in the BFSI sector.

The severity of losses, whether financial or non-financial, can take a catastrophic form. It can be huge, and thus its severity needs to be explained.

There should be a standardized policy language. It should give more significance to the brand reputation clause.

The period of such policy coverage should be longer, since the frequency of such attacks is very low and renewing it every year isn’t economical, as the premium of this policy is high.

C. Future Leads:

This study provides a good basis for carrying out more vigorous analysis in this field with more effective statistical tools and with the latest data from a boom period. The Indian stock market has grown, and is still growing, in terms of volume over the last decades, implementing all new technologies. Thus, it has become more and more susceptible to cyber-crime. It can prove to be a flourishing market for a cyber-liability policy. Media will also prove to be a leading industry covering its cyber liabilities under an insurance product in the near future. IT companies (claiming to have 100% security), though, won’t agree to such a product until their myth is broken.


6. Appendix

This report has emphasized the importance of creating awareness among Indian industries about cybercrime and the vulnerabilities it creates for their business organisations, and has highlighted an insurance product which can be utilized to transfer such risk. It is based on a random sample of 25 industries, and the hypothesis testing found in chapter 4 proves that it is appropriate to predict the results of the survey over the entire population. The survey was conducted on the basis of a questionnaire whose responses are recorded in chapter 4; conclusions drawn from them are found in chapter 5. The questionnaire is given herewith. Also, responses of some participants are given.

Form Found on Page

Hypothesis Testing Page 12

Distribution of responses from the questionnaire Page 14

Conclusion and Findings Page 18

Questionnaire:

The use of technology has become an integral part of our lives. Our increasing use of technology consolidates itself

as a powerful platform that has revolutionized the way we do business and communicate with people, leaving us in

the open to threats of cybercrime. Organizations must recognize this environment and must identify methods to

address these RISKS proactively.

Name of Summer Intern: _________________

Date of Interview: _________________

Client / Corporate Name: _________________

Person met in Client Office: _______________ Designation of person: ____________________

Business Details:

Client Industry: ____________ (Manufacturing/IT Services/BPO/KPO/Stock Broking/Financial Services/Distribution)

In business since when: _______________ (Number of years/ Year of incorporation)

No. of employees: ______________

1. Do you have an online business?

2. Do you have a website? If yes, is any sensitive information stored in the website?

3. How do you store critical data (internal or client)?

4. If your data is managed by third party/cloud, what extra measures do you take for data security?

5. Have you ever faced any cyber-attack in the past? If yes, please state when and what happened?

6. Post a cyber-attack, did you suffer business interruption? If yes, how long?

7. Did you incur a heavy cost in terms of restoring your IT System?

8. Did you have to pay any consultation cost to restore your IT system?

9. Have you ever faced any regulatory scrutiny due to any cyber related problem?

10. If you faced regulatory scrutiny, was any fine imposed on you?

11. Do you collect any personal information of customers? If yes, what?

12. Have any of your employees ever lost any laptop or blackberry or computer tapes?

13. Do all your employees have internet access?

Date of Meeting: ____________


Reviews of some survey participants:

India Capital Markets Pvt. Ltd.

They feel even an attack on or through their vendors poses a serious risk to them, as they use the technology provided by those vendors. An optimum level of funds is set aside for IT security as and when required by the regulatory authority. Employees are provided only email services outside the office when travelling and nothing apart from that; there is no access for any kind of operational activity outside office premises. They think insurance companies should come forward, draft a request on such issues and their serious threats to the broking industry, and submit it to the regulatory authority so that it understands the severity and makes it mandatory to some extent to have such a policy, or it should be proposed as an alteration/addition to the current CGL policy. Knowledge and awareness regarding such threats are very low among Indian brokers.

Hungama Digital Media Entertainment Pvt. Ltd.

Business operation: they are content providers and distributors. The issue they face is infringement/piracy of content post release. So they think the policy should be such that if there is infringement and they want to file litigation against the culprit, they should be reimbursed for that, and not the other way round. Also, on their mobile platform they store just basic details of their customers, such as name and number. There are no monetary transactions involved on their website. They have regular security audits. Wrongful acquisition of their content is the major problem they face.

VNS Finance and Capital Services Ltd

They have an online platform to cater to their clients. They make use of OTP as well. They also have half-yearly system audits. Orders are monitored constantly. As soon as something suspicious is observed, all the orders are stopped. They do collect customer details and think they might be at risk. But they don’t think the quantum of loss would be huge.

Sharekhan LTD.

They have multiple back-ups available for the smooth execution of their business in case of business interruption. But they feel IT cannot assure 100% foolproof security; there are loopholes in every technology. The main issue is the additional cost to bear. In case of a settlement issue, if they are not able to process themselves, their pool at the clearing banks is also always quite sufficient. Their major threat is business interruption, which might cause them a hefty loss, since their client base is very large, ranging from small traders to big institutions. They feel the period of policy cover should be longer, since the frequency of such attacks is very low and renewing it every year doesn’t seem economical, as the premium for such policies is usually very high.

INVESTERIA FINANCIAL SERVICES PVT. LTD

They use 3-level security and 256-bit encryption:

1) hardware firewall (a device connected between the ISP and their own network)

2) software firewall

3) antivirus/antispam, user ID and password

Only after passing through these layers can a hacker get into their system.

They also have a backup leased line.

They have 2 connectivity options: through their system or connected directly to the exchange. In case of an attack on their system, the clients connected directly to the exchange platform are not affected. Losses cannot be huge apart from business interruption losses and loss of reputation, since the brokerage is limited to 0.7% of turnover.

IT security is as per the standard required by the regulatory authority. Back-office software is LAN based, and a web-based application is available where employees can only view data (read only; no write and no copy/download). The value of money during trading is virtual, nothing real. Logs of every activity executed on their system are captured and monitored. They make sure the IP address from which the system was accessed was from within the organisation.

