Insurance is generally difficult to sell, but for a product like cyber insurance, the coin has flipped. The market is at a point where demand is growing fast and insurance companies might not be prepared to meet it yet, say industry insiders.
Multiple insurance brokers ET spoke to said that over the last couple of years, the demand for cyber insurance is steadily climbing and is expected to climb further now that India has formulated its own data protection law. But cases of high claims and the complexity of the product make it such that insurance companies are wary of selling one. And also, for startups to qualify for a good cover is very difficult.
“Demand for cyber insurance has been increasing steadily… the market is currently valued at $50-60 million and has been growing at a compound annual growth rate of 27-30% over the past three years,” said Dhirandra Mahyavanshi, CEO, insurance broking startup Turtlemint.
He further added that over the next few years, demand for cyber insurance is expected to grow by around 30% in India.
Recently licensed insurance broking startup Bimakavach is betting big on this space.
Tejas Jain, founder of Bimakavach, told ET that he is building an entire suite of insurance products that new-age small- and medium-sized businesses will need to keep their operations safe and cyber insurance is a key product in that stack.
“Companies like fintechs, software service providers hold on to a lot of data, but historically hardly took the right insurance covers, but now even their investors are pushing them to get covered,” Jain added.
Products like cyber insurance, fraud cover, including both insider and third party fraud, directors and officers liability all these are being taken by new generation companies. “A lot of conversations are happening around cyber insurance covers in the wake of India enacting the data protection law too,” Jain added.
Factors driving demand
Multiple reasons are driving demand among businesses these days. More and more companies are digitising their operations, in turn gathering a lot of data on their customers. While it helps them scale up their business, it also makes them vulnerable to cyberattacks.
“Typically, for small and medium businesses, the IT systems are not so robust, hence, insurers also stay away from offering any cover to such entities,” said Evaa Saiwal, business head, liability, cyber and financial risk at Policybazaar for Business.
Saiwal added that information security experts play a vital role in advising companies to strengthen their systems so that they become eligible for these products. Overall issues like rising cases of fraud attacks, ransomware attacks and the rising cost of dealing with a cyberattack is causing companies to seek cover. For instance, under the DPDP Act, fines can go up to as much as Rs 250 crore, enough to shut down a medium sized business.
“There are a lot of discussions happening among companies and insurers after DPDP Act was enacted, but transactions are yet to pick up big time, the industry is awaiting to understand the full impact of the law,” Saiwal said.
Mahyavanshi of Turtlemint said that 70% of the cyber insurance products sold in India were after Europe enacted GDPR in 2018. The DPDP Act is expected to create a similar demand, he added.
While one section of companies are seeking protection, another is increasing their cover. Industry insiders pointed out that they often come across cases where the company wants cover of as high as $10 million. Around $5 million to $6 million, they say, have become common these days.
As per industry estimates, premium could hover around 0.6% to 1.2% of the protection amount, depending on the kind of company being covered. Data heavy segments like banking, finserv and Saas often attract higher cost.
“The rates offered to companies are not very conducive, they need to budget for this expense,” said Saiwal of Policybazaar.
Also insurers and reinsurers have very strict checks before they can insure a company. Saiwal said that many companies undertake complete overhaul of their IT systems to become eligible for these covers. Overall it is an expensive and time taking process.
But with GDPR already in place, the reinsurance industry has already built the assessment models, now it is the turn of the Indian cyber insurance market to mature and build products with the optimum coverage.