Cyber Crime Liability Report 2015
CYBER CRIME LIABILITY REPORT 2015
A report submitted to India Insure Risk
Management and Insurance Broking Services Pvt. Ltd., Mumbai.
Ms. Sayali Sawant
S.Y.B.Com (Banking and Insurance)
Under the guidance of
Mr. Manish D. Parikh
AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd.
Duration of the Project: 1st April, 2015- 30th June, 2015
Date of Completion of the Project: 26th June, 2015
Declaration
I, Sayali Sawant, hereby declare that this report on “FEASIBILITY STUDY OF CYBER
CRIME AND INSURANCE POLICY” has been written and prepared by me as a part of my
summer internship from 1st April, 2015 to 30th June, 2015 under the guidance of Mr. Manish
Parikh, AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd. All the
statements in this format are true to the best of my knowledge.
Place: Mumbai
Date: 23rd June, 2015
(Sayali Sawant)
Certification
ACKNOWLEDGEMENTS
Management ideas without actions based on them mean nothing. This is why practical
experience is vital for any management studies. Theoretical studies in the classroom are not
sufficient to understand the functioning climate and the real problems hindering management.
Thus practical exposures are indispensable as they act like a supplement to the classroom studies.
With respect to the same, I would like to acknowledge India Insure Risk Management
and Insurance Broking Services Pvt. Ltd., for accepting my request for the internship with the
company. I would like to express my gratitude to Mr. Arindam Ghosh, VP Mumbai, India
Insure Risk Management and Insurance Broking Services Pvt. Ltd., for offering me this
opportunity to team with them and for entrusting me with this project research. I am also
grateful to Mr. Manish D. Parikh, for being my guide and mentor and helping me throughout
my training period.
Lastly, I would like to say a big “THANK YOU” to the entire staff at the Vile Parle,
Mumbai office of India Insure Risk Management and Insurance Broking Services Pvt. Ltd.
(Sayali Sawant)
CONTENTS
1. INTRODUCTION
   A. Background
   B. Need Of the Study
   C. Organizational Profile
2. Literature Review
3. Research Methodology
   A. Purpose and Objective
   B. Research design
4. Data Analysis And Interpretation
   A. Hypothesis Testing
   B. Distribution of Responses From the Survey Questionnaire
   C. Risk Assessment
   D. Risk Management Strategy
5. Summary
   A. Conclusion and Findings
   B. Suggestions
   C. Future Leads
6. Appendix
7. Bibliography and References
ABSTRACT
Information Communication Technology is defined as technology required for
information processing. It involves the use of computer software, web browsers, productivity
software suites and software for business applications. Use of Information Technology has
become inevitable in business and in personal life. Irrespective of the size of the turnover, every
person who is involved in a business transaction in some way or the other uses the computer,
computer software, the internet, etc. for carrying on business activities. In today’s business
environment, people not only have their physical offices but also their space in the virtual world,
popularly called “websites”. Growing consumerism and advancement in technology
have led to the mushrooming of e-Commerce and online sales. Automation of business plants is not
possible without computer software. Banking, financial sectors and insurance have almost
totally gone online. These are just a very few instances of the encounter of technology and
business. The list can go on and on.
Any business activity, online or offline, has to comply with the law of the land. Thus, the
Information Technology Act, 2000 was formed as a legal framework for the smooth conduct of
E-Commerce.
Yet legal experts opine that at present, the rules construct an incomplete regime that
does not adequately protect privacy and, for this reason, falls short of internationally accepted
data protection standards. Though the Act provides certain kinds of protection, more effective
mandatory to protect, preserve and promote cyber security in India.
Thus the cyber liability insurance policy comes into the picture to fill the need of combating
the losses due to cyber-attacks. It serves as an appropriate option to transfer the risk
associated with loss of data (i.e. data breach) and hacking, efficiently providing liability cover
for intangible property.
The paper focuses on cybercrimes, cyber criminals and their activities, the perception of
cyber threats by various organizations, and the scope of the cybercrime insurance policy which
organizations should take to mitigate such crime. Here, primary data collected from participants
of the survey is used for analysis.
1. INTRODUCTION:
The term “cyber liability” means different things to different people. For a corporate risk
manager the issue is how to identify, quantify, mitigate and transfer the risks that face his own
operations. For an IT service provider it is how to monitor, understand and outwit cyber
criminals and develop new tools to prevent cyber-crime. In order to serve the needs of their
clients, insurance professionals have to understand the implications of the business risks faced
by corporations and offer effective, affordable solutions to their risk transfer needs. Daily news
headlines reveal the escalating, and costly, problem of data breaches for companies today. All
companies store assets digitally — from consumer personal data, to B2B customer data, to
trade secrets, to confidential information relating to mergers and acquisitions. While
technological advancements, evolving computer data systems, and internet access offer
significant benefits to businesses and their customers, a major challenge that comes with
the increased use of technology is an increase in the risk of cybercrime attack. Cybercrime
has significant financial and non-financial implications for businesses. To prevent cyber-crime
incidences, most companies employ cyber-security measures which include a
combination of technology and security procedures. However, since cyber attackers are
continuously discovering new ways to exploit vulnerabilities, cyber security alone cannot
prevent all potential attacks. This project looks at how cybercrime insurance can protect
companies from the costs of cybercrime. We explore the challenges for insurance
companies offering cybercrime policies, analyse the required investments, and provide
recommendations.
A. Background:
• What is cyber-crime?
Cybercrime is criminal activity done using computers and the Internet. This includes anything
from downloading illegal music files to stealing millions of dollars from online bank accounts.
Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on
other computers or posting confidential business information on the Internet. Because
cybercrime covers such a broad scope of criminal activity, the examples above are only a few
of the thousands of crimes that are considered cybercrimes. While computers and the Internet
have made our lives easier in many ways, it is unfortunate that people also use these
technologies to take advantage of others. Therefore, it is smart to protect yourself by using
antivirus and spyware blocking software and being careful where you enter your personal
information. Cybercrime refers to any illegal activities using, or against, computer systems,
computer networks, and the internet. Although cybercrime is a commonly used term today,
there is no standard global definition and the definition varies based on the context.
• Who is carrying it out?
Cyber-attacks can be carried out by a host of people, ranging from disgruntled employees and
individual hackers to organised cybercrime syndicates, enemy governments or activists.
• What is the biggest delusion related to cybercrime?
Most of the organisations believe that their systems are highly secured and their security can
be rated 10 on a scale of 10! They believe they are 100% protected. However, attaining highest
level of security ideally should be a secondary goal for organisations, while being prepared to
combat cyber-attacks should be their primary objective.
But, while the term cybercrime describes a variety of attacks and activities, they can be
broadly classified into three categories.
Category 1 – Business disruption and misuse
• Denial-of-Service (DOS) or Distributed Denial-of-Service (DDOS) Attack refers to
  making a computer resource unavailable to its intended users or preventing it from
  functioning efficiently.
• Malware or Malicious Software refers to programs such as viruses and worms that
  try to exploit computer systems or networks leading to business disruption, leakage of
  sensitive data, or unauthorized access to system resources.
• Software and Information Piracy refers to theft or misuse of copyright material and
  software.
• Industrial Espionage refers to corporate rivals illegally accessing confidential
  information to erode competitive advantage, gain financial information, or misuse trade
  secrets.
• Cyber Extortion refers to holding a company for ransom through denial of service,
  manipulating website links, or the threat of leaking customer or financial data.
Category 2 - Online Scams
• Phishing refers to disguising an electronic communication as coming from a
  trustworthy entity in an attempt to acquire sensitive data.
• Spear Phishing refers to a targeted campaign of highly personalized bogus e-mails,
  aimed at a specific individual or organization, that appear to come from a trusted source.
• Pharming techniques involve redirecting website traffic from a legitimate website to a
  fraudulent website.
• Spoofing refers to fooling people into entering personal details into a counterfeit
  website.
• Purchase Fraud refers to selling products through online channels which are never
  shipped.
Category 3 - Theft and fraud
• Identity Theft refers to obtaining personal data from individuals—such as social
  security number, address, or bank account details—which can be misused to open new
  accounts or obtain services in the name of the victim.
• Theft from Business refers to stealing revenue directly from businesses using online
  channels; for example, obtaining access to a firm’s accounts and transferring the money
  illegally.4
• Intellectual Property (IP) Theft involves stealing ideas, designs, specifications, trade
  secrets, or process methodologies, which may erode competitive advantage in terms of
  operations and technology.
• Customer Data Theft involves obtaining sensitive customer information with the
  purpose of misusing the data for financial gain.
• Fiscal Fraud describes fraud against the government, often through attacking
  government online channels, and includes theft, such as fraudulent claims for benefits,
  and evading taxes.
B. Need Of the Study:
Professional hackers and cyber terrorists have been working overtime to develop various
techniques for compromising a firm’s security, thereby damaging their IT infrastructure. So,
organizations need to build up capabilities for anticipating attacks which are serious and at
times catastrophic and paving inroads into critical corporate information. Apart from building
up organizational resilience to cyber-attacks it will also be prudent for organization to obtain
cyber insurance.
In a digital age, where online communication has become the norm, internet users and
governments face increased risks of becoming the targets of cyber-attacks. As cyber criminals
continue to develop and advance their techniques, they are also shifting their targets focussing
less on theft of financial information and more on business espionage and accessing
government information. To fight fast-spreading cybercrime, businesses and governments
must collaborate globally to develop an effective model that can control the threat.
CYBER CRIME IN INDIA [1]:
• 28,481 websites were hacked in India in 2013
• Cyber-crimes have cost India INR 24,630
• India is ranked as one of the top 3 targets
The study elaborates on cyber-attacks and also provides insights into proper structuring of
cyber insurance.
[1] iNotes published by India Insure Risk Management & Insurance Broking Solutions Pvt. Ltd., Issue No. 51, December 2014
C. Organizational Profile:
India Insure was conceptualized way before the liberalization of the insurance sector in India.
Started in the year 1999 as insurance consultants, the company was founded by a team of
4 professionals who came in from diverse backgrounds with a common dream of doing
something different. Sensing the huge opportunity that existed in the insurance industry
post-liberalization, the idea to create a world-class insurance broking firm emerged. Insurance
broking operations commenced in India in the year 2003, and India Insure acquired the first
insurance broking license in the country, a historical statistic now, but a proud moment for
Team India Insure then. In the year 2004, India Insure started recruitment of core insurance
professionals from the insurance industry.
India Insure is India’s leading Insurance Broker – the first to be licensed by IRDA. India Insure
is a composite insurance broker licensed to handle both domestic and international business.
The firm is more focused on commercial and corporate insurance.
With a dedicated team exceeding 100 trained and experienced professionals having over
550 man years of experience, India Insure operates from ten locations across India. Products
handled are diverse, ranging from health insurance to complex project deals. India Insure
believes that “Winning and sustaining customers’ trust” is the key to professional broking. India
Insure has expertise in handling large power projects and some of the largest liability deals, and
provides a comprehensive array of property, health, employee benefit, liability, reinsurance and
risk management services. In addition, India Insure has developed product-specific
competencies that allow it to respond to unique demands and opportunities in specific
vertical markets.
Major lines of business:
• Employee Benefits Insurance.
• Liability & Specialty Insurance.
• Project Insurance.
• Claims Handling Services.
• Reinsurance.
Value added service offerings:
• Risk Inspection.
• Risk Audit Reports.
• Industry Benchmarking.
• Insurance Manuals.
• Training on Claims Handling.
2. Literature Review:
Cybercrime is a range of illegal digital activities targeted at organisations in order to cause
harm. The term applies to a wide range of targets and attack methods. It can range from mere
web site defacements to grave activities such as service disruptions that impact business
revenues to e-banking frauds. [2]
In the modern data-centric business era, where trade is driven by information, communication
and technology, cyber-attacks including hacking, malware, cyber terrorism, fraud, DOS, DDOS,
etc. are a potent cause of business interruption, causing financial as well as reputational
losses. Cyber hacking can be a threat to almost any industry, ranging from IT to
manufacturing. Even financial markets are vulnerable to cyber hacking. The impact of cyber
risk can be moderate to catastrophic, and its frequency of occurrence can be classed as
possible. So, cyber risk can be mapped from medium to very high.
Frequency of occurrence (rows) against Severity (columns):

Frequency   | Insignificant | Minor  | Moderate  | Major     | Catastrophic
Frequent    | Medium        | High   | Very High | Very High | Very High
Occasional  | Medium        | Medium | High      | Very High | Very High
Possible    | Low           | Medium | Medium    | High      | Very High
Unlikely    | Low           | Low    | Medium    | High      | High
Remote      | Low           | Low    | Medium    | Medium    | High

1. Risk Matrix
KPMG’s cyber-crime survey report 2014 reveals that India is the third most vulnerable and
easy target for worldwide hackers, as cyber regulation is not so stringent. Cyber attackers
can disrupt critical infrastructure such as stock markets, power infrastructure and air traffic
control systems; carry out identity theft and financial fraud; and steal corporate information
and state and military secrets. Anyone can take advantage of vulnerabilities in any system
connected to the Internet and attack it from anywhere in the world without being identified.
The Information Technology Act, 2000 came into force on 17th October, 2000 and was
amended twice in 2008 and 2011 for amendments related to reasonable security practices,
procedures and sensitive personal data. Tampering with computer source documents
(Sec. 65), hacking with computer system (Sec. 66), publishing obscene information in
electronic form (Sec. 67), breach of confidentiality and piracy (Sec. 72) and offence relating to
digital signature (Sec. 73) are some of the cyber-crimes listed under the law, for which the
maximum punishment is a fine of Rs. One lac or two years of imprisonment or both. With
the current law, the victims feel they are not reimbursed properly for the loss they suffer
due to cyber-attack.
[2] KPMG Cyber Crime Survey Report 2014
Data is one of the most important assets of a business and with hackers stealing tens of
millions of customer details in recent years, firms across the globe are pushing network
security beyond IT department to the boardroom.
Bar chart 1 [3]: The average number of breached records by country

Country          | Average number of breached records
Japan            | 19214
Australia        | 19788
Canada           | 20456
France           | 20650
United Kingdom   | 21695
Brazil           | 22902
Germany          | 24103
US               | 28070
India            | 28798
Arabian cluster  | 29199

Bar chart 1 reports the average size of data breaches for organizations in the 10 countries. As
shown, organizations in the Arabian region, India and US had the largest average number of
records lost or stolen.
[3] Ponemon Institute© Research Report (2015)
Pie chart 1 [4]: Distribution of causes of data breach (malicious/cyber attack 46%, system glitch 29%, human error 25%)
The root causes of data breach:
Malicious or criminal attacks are most often the cause of a data breach globally. Pie chart 1
above provides a summary of the main root causes of a data breach on a consolidated basis
for all 10 countries represented in the 2015 Cost of Data Breach Study: Global Analysis.
Forty-seven percent of incidents involve a malicious or criminal attack, 25 percent concern a
negligent employee or contractor (human factor), and 29 percent involve system glitches that
include both IT and business process failures.
Below are some statistics from the Symantec 2014 Report [5]:
• 62% increase in the number of breaches in 2013
• 552,000,000 identities were exposed in 2013
• 23 zero-day vulnerabilities discovered in 2013
• 38% of mobile users have experienced mobile cybercrime in 2013
• 1 in 392 emails contains a phishing attack
• 1 in 8 legitimate websites has a critical vulnerability
[4] Ponemon Institute© Research Report (2015)
[5] Symantec 2014 Internet Security Threat Report
Cyber Crime Insurance Policy:
From the above, studying cyber-crime becomes more and more important. As we can see,
the quantum of risk is getting bigger and bigger, and traditional insurance policies were
not of much use in catering to such risks. Cyber-crime insurance bridges these gaps.
Below are the coverages offered currently under a cyber risk insurance policy.
• First Party Losses:
a) Direct or extra expense of responding to the breach. Covered expenses
typically include:
   - Hiring an independent information security forensics firm
   - Public relations
   - Notification of affected parties (i.e., business customers and/or individuals
     whose data was accessed or acquired in the data breach)
   - Credit monitoring for individuals
   - Identity theft resolution services
   - Costs to re-secure, re-create and/or restore data or systems
   - Legal services/advice
   - Crisis management services
   - E-extortion costs (company is forced to pay hacker in order to get
     data/access back)
b) Fines/penalties: While civil fines themselves are usually covered, some
carriers may not offer coverage for costs to investigate, defend and settle fines.
c) Denial of service costs to business: These costs include loss of use and
resulting business interruption. Coverage can be set as a per day amount or can
be tailored to a company’s specific loss. For example, losses to an online
retailer would likely be higher on Cyber Monday than on Memorial Day.
d) Losses resulting from misappropriation of the insured’s information assets or
confidential business information. Under some policies, losses related to
misappropriation of intellectual property, trade secrets, company records,
customer lists, company credit card numbers, budgets, proposals, work papers,
and any other proprietary or sensitive company data that results from a data
breach are covered.
e) Damage to systems: This could include losses resulting from damage to the
insured’s computer systems resulting from the breach. Some policies include
coverage for the cost of restoring lost or compromised data.
f) Disclosure of information: Some policies include coverage for damages in
connection with the disclosure of information to a competitor.
g) Intellectual property: Coverage could include expenses related to the
restoration or recreation of intellectual property, including trademarks,
copyrighted material and proprietary business information, up to amortized
value.
• Third Party Losses:
a) Third-party claims: This includes claims for damages brought by customers,
consumers or outside business entities for damages they incurred as a result of
the insured company’s breach of security, namely their losses from the
inability to transact business, including punitive and exemplary damages,
settlements and costs.
b) Defence costs: These costs include attorney fees and expert fees for outside
claims made against an insured related to a data breach.
c) Media liability: This provides coverage for losses related to libel, slander,
defamation and other media torts, as well as copyright, trademark and patent
infringement. This can include losses resulting from information posted to
social networking sites, such as Facebook and LinkedIn.
d) Data and personally identifiable information (PII) loss: This covers losses or
breach of a third party’s data, including dissemination of PII. One example
would be if confidential third-party information, such as Social Security
numbers or passwords, was used to breach the third party’s data. Policies
define PII differently in the absence of an industry-standard definition.
e) Fines and penalties: These include fines that may be assessed under state
privacy statutes as well as under federal privacy regulations.
However, cyber-crime insurance is still at a nascent stage. Also, most of the organisations in India
still don’t consider cyber-crime as a risk to them and are not aware of the utility of this
policy. The above is the current progress in the cyber liability domain.
3. Research Methodology:
This research methodology has many dimensions. It includes not only research methods but
also considers the logic behind the methods used in the context of the study and explains why
a particular method is used, so that the research lends itself to proper evaluation.
A. Purpose and Objective:
• To understand the growing incidences of cyber-crimes associated with the Indian
  industries (viz. Stock Broking, IT, Multimedia, Custodian).
• To understand the preparedness of the companies in handling cyber threats.
• To analyse the feasibility and scope of cyber insurance policy in the Indian market.
B. Research design:
• Descriptive Research: A descriptive study is one in which information is collected
  without changing the environment (i.e., nothing is manipulated).
• Method used to conduct descriptive research: Questionnaire survey.
• Sample Size: Twenty Five companies.
• Data collection method: Primary Data (questionnaire survey).
• Sampling Method: Simple random sampling. A subset of a statistical population in
  which each member of the subset has an equal probability of being chosen. A simple
  random sample is meant to be an unbiased representation of a group.
[Pie chart: Sectorwise distribution of companies; legend: IT, Stock broking, Multimedia, Custodian; shares shown: 8%, 84%, 4%, 4%]
• Geographical Region: Mumbai Region
• Number of companies: Twenty Five companies visited.
• Number of Interviewees: Twenty Five.
[Pie chart: Interviewee composition; legend: IT, Compliance, Sr. Management; shares shown: 24%, 56%, 20%]
4. Data Analysis And Interpretation
A sample of 25 participants was taken and following was analysed.
A. Hypothesis Testing:
Perception about cyber-crime as a threat is a qualitative phenomenon. The data available with
us is on the basis of either presence or absence of such threats (attribute). Thus, we record the
proportion of successes in each sample. Hence, we apply hypothesis testing for proportions to
understand if the sample taken during May-June 2015 is appropriate for further analysis.
Norton cyber-crime report 2012 states that 56% Indians consider cyber-crime as a threat. As
per our survey, we claim that more people now foresee cyber threat to their organisations. A
random sample of 25 organisations from stock broking, IT, custodian and media was taken
out of which 20 claim that there is a threat. Can this claim be accepted with regards to a larger
population?
Note: Tested at 1% Level of significance.
The null hypothesis can be written as;
H0: p = 0.56
And alternative hypothesis can be written as –
Ha: p>0.56
Hence,
p = 0.56, q = 0.44
Observed sample proportion p̂ = 20/25 = 0.80
And the test statistic is
$$Z_{cal} = \frac{\hat{p} - p}{\sqrt{\dfrac{p\,q}{n}}} = \frac{0.80 - 0.56}{\sqrt{0.56 \times \dfrac{0.44}{25}}} = 2.41$$
As Ha is one-sided, we shall determine the rejection region by applying a one-tailed test (in the
right tail, because Ha is of the “greater than” type) at the 1% level of significance.
R: Zcal > 2.33
As Zcal falls in the rejection region, we reject the null hypothesis and conclude that our claim
can be accepted at 1% L.O.S. on the basis of our sample information.
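[Figure: right-tailed rejection region of the test; the critical value 2.33 separates the Accept and Reject regions, and 2.41 lies in the Reject region]
B. Distribution of Responses From the Survey Questionnaire:
[Bar chart: Response Distribution; share of yes and no responses (0% to 100%) for questions Q1 to Q13]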
C. Risk Assessment:
• Awareness about cyber incidences: Only 56% were aware about the cyber-crime
  incidences taking place in the market. 44% had no idea about such events.
• Perception about cyber threat: 80% of survey respondents consider cyber-crime as a
  serious threat to their business operations, while the remaining 20% do not consider
  cyber-crime as an immediate threat to their business.
[Pie chart: Awareness; Yes 56%, No 44%]
[Pie chart: Perception of cyber-crime as a threat; Threat 80%, Not a threat 20%]
• Perception about losses in case of a cyber-attack: 88% of the respondents think of
  financial loss as the major impact of a cyber-attack they may face, followed by 76% fearing
  reputational losses. 65% feel business interruption would cost them hugely due to such an
  event, 41% feel regulatory fines would be a major cost and 32% consider loss of data would be
  their biggest loss.
• Quantum of financial loss: A major 41% feel the amount of loss they could face would
  be low, 29% feel it would be high, 18% don’t consider they might incur any financial
  loss due to such an event and the remaining 12% feel they might incur moderate loss.
[Bar chart: Perception about losses; financial loss 88%, business interruption loss 65%, regulatory compliance fine 41%, reputation damage loss 76%, data loss 32%]
[Bar chart: Quantum of Financial Loss; No loss 18%, Low 41%, Moderate 12%, High 29%]
D. Risk Management Strategy:
a) System Auditing: Apart from mandatory audits by various regulators (e.g.
Exchange Audits for stock brokers (annually) and SEBI audits (once in four years)),
43% of the respondent companies have their regular internal audits on a frequent
basis.
b) Redundant Systems: 29% of survey respondents claim that they have backup systems
at different locations, capable of recovering from business interruption due to
unforeseen events in a very short span of time.
c) Security Pool: 9% of the firms have a separate pool of resources set aside for such
events to meet the losses which may occur due to cyber-attacks. They prefer to
self-insure by creating such a pool, rather than going for commercial
insurance.
d) Other Measures: 19% of the respondent firms believe the below measures are
sufficient to protect their business from cyber-crime.
   • Investor Protection Fund (stock brokers): The members of stock
     exchanges at present contribute to this Fund Re. 0.15 per Rs. 1 lakh of gross
     turnover, which is debited to their general charges account. The Stock
     Exchange contributes on a quarterly basis 2.5% of the listing fees collected
     by it. Presently the maximum compensation available for an investor is
     Rs. 1,00,000. So, the stock brokers consider this fund enough to take care
     of litigations filed by their clients, in case they get affected by an unforeseen
     event.
   • Data backup by KRA: KRA stands for KYC Regulatory Authority. Some
     of them feel that their data backed up by firms such as NSDL, CDSL, CRISIL,
     NSE, etc. is also enough to get back to work in case of a cyber-attack where
     their data is lost.
[Bar chart: Methods of combatting cybercrimes adopted by organisations; Redundant Systems 29%, Internal Audits 43%, Security Pool 9%, Other measures 19%]
5. Summary:
A. Conclusion and Findings:
• Is there a need of Cyber Liability Policy?
In our survey, a majority of respondents feel that their organisations are putting in quite
a lot of effort for uninterrupted and proper business operations. Though various
security measures are employed by the organisations, they aren’t always sufficient. Yet
many believe in the false hope that their system is 100% secured. There were also a
few respondents who knew the gravity of the situation in case a cyber-attack occurred.
They feel that with the expansion of their business lines, there is definitely a need for
such a product.
As we can see, a majority of 72% feel there is a need for such an insurance product,
which would help them to counter these new threats to their business operations. They
feel that they are exposed to cyber threats even after spending heftily on security. So, a
cyber policy with some modifications would provide a sound base for their uninterrupted
business operations. But 28% of the respondents feel there is no need of such a product.
They consider it an additional cost to their business operations and of no use to them.
They don’t feel they are vulnerable to such threats or that their business operations would
be affected due to such events in the near future.
[Figure: Need of Cyber Policy. Bar chart: Yes 72%, No 28%.]
According to our survey, 54% of the respondents feel that they would go for such a policy only if it is required by law. 23% of the participants feel that the provisions for cyber-crime liability should be offered as an add-on to an existing liability policy rather than as an exclusive policy. The remaining 23% of the respondents would like to have cyber-liability as a separate product with some modified terms.
A cyber-crime insurance policy wouldn't readily be preferred by small brokers, as they do not operate on a large scale and would thus consider it an additional cost.
Indian financial markets lack awareness about emerging cyber-crimes, which can prove to be one of the grave threats in the near future.
Many survey respondents are of the opinion that cyber-attacks won't take place in India, as Indian markets are developing but aren't so huge.
They do not currently foresee cybercrime as a risk to their business operations, but do not deny that the situation can change in the upcoming five to ten years. They believe that their IT security systems are completely updated and cent percent accurate, though they aren't confident that there are no loopholes in them.
[Figure: Views about Policy. Bar chart: If required by law 54%, As an add-on cover 23%, Separate policy 23%.]
B. Suggestions:
• Stock Brokers:
  - Stock brokers would benefit from a cybercrime insurance policy if it were offered as an add-on or an alteration to the current Stock Indemnity Policy or Commercial General Liability Policy.
  - With regard to third-party liability coverage, even loss due to a vendor's technical irresponsibility needs to be covered.
  - If the number of cyber-attacks in the stock broking industry increases over time, SEBI should make a cyber liability policy mandatory for the protection of investors against losses arising from such events.
• Media:
  - Regulatory coverages should include the cost incurred by content providers to sue the culprit who infringed their data.
• IT:
  - Many companies outsource data processing or storage to third-party vendors. So, for IT firms, it is necessary to cover them for claims that arise from misconduct by their vendors.
  - IT firms demand that the terms “Hardware” and “Software” be well defined and neatly framed in the policy language.
• General:
  - Awareness about cybercrime should be created in the Indian markets, especially in the BFSI sector.
  - The severity of losses, whether financial or non-financial, can take a catastrophic form. It can be huge, and thus its severity needs to be explained.
  - There should be a standardized policy language. It should give more significance to the brand reputation clause.
  - The period of such policy coverage should be longer, since the frequency of such attacks is very low and renewing the policy every year isn't economical, as its premium is high.
C. Future Leads:
This study provides a good basis for carrying out more vigorous analysis in this field with more effective statistical tools and with the latest data of the boom period. The Indian stock market has grown, and is still growing, in terms of volume over the last decades, implementing all new technologies. Thus, it has become more and more susceptible to cyber-crime. It can prove to be a flourishing market for a cyber-liability policy. Media will also prove to be a leading industry in covering its cyber liabilities under an insurance product in the near future. IT companies (claiming to have 100% security), however, won't agree to such a product until their myth is broken.
6. Appendix
This report has emphasized the importance of creating awareness among Indian industries about cybercrime and the vulnerability of their business organisations to it, and has highlighted an insurance product which can be utilized to transfer such risk. It is based on a random sample of 25 industries, and the hypothesis testing found in chapter 4 proves that it is appropriate to predict the results of the survey over the entire population. The survey was conducted on the basis of a questionnaire whose responses are recorded in chapter 4, and conclusions upon the same are found in chapter 5. The questionnaire is given herewith. Also, responses of some participants are given.
Form | Found on Page
Hypothesis Testing | Page 12
Distribution of responses from the questionnaire | Page 14
Conclusion and Findings | Page 18
Questionnaire:
The use of technology has become an integral part of our lives. Our increasing use of technology consolidates itself as a powerful platform that has revolutionized the way we do business and communicate with people, leaving us open to threats of cybercrime. Organizations must recognize this environment and must identify methods to address these risks proactively.
Name of Summer Intern: _________________
Date of Interview: _________________
Client / Corporate Name: _________________
Person met in Client Office: _______________ Designation of person: ____________________
Business Details:
Client Industry: ____________ (manufacturing/IT Services/BOP/KPO/Stock Broking/Financial Services/distribution)
In business since when: _______________ (Number of years/ Year of incorporation)
No. of employees: ______________
1. Do you have an online business?
2. Do you have a website? If yes, is any sensitive information stored in the website?
3. How do you store critical data (internal or client)?
4. If your data is managed by third party/cloud, what extra measures do you take for data security?
5. Have you ever faced any cyber-attack in the past? If yes, please state when and what happened?
6. Post a cyber-attack, did you suffer business interruption? If yes, how long?
7. Did you incur a heavy cost in terms of restoring your IT System?
8. Did you have to pay any consultation cost to restore your IT system?
9. Have you ever faced any regulatory scrutiny due to any cyber related problem?
10. If faced regulatory scrutiny, have you been imposed any fine?
11. Do you collect any personal information of customers? If yes, what?
12. Have any of your employees ever lost any laptop or blackberry or computer tapes?
13. Do all your employees have internet access?
Date of Meeting: ____________
Reviews of some survey participants:
India Capital Markets Pvt. Ltd.: They feel that even an attack on or through their vendors poses a serious risk to them, as they use the technology provided by those vendors. An optimum level of funds is set aside for IT security as and when required by the regulatory authority. Employees are provided only email services outside the office when travelling and nothing apart from that. There is no access for any kind of operational activity outside the office premises. They think insurance companies should come forward, draft a request on such issues and the serious threats they pose to the broking industry, and submit it to the regulatory authority so that it understands the severity and makes such a policy mandatory to some extent, or it should be proposed as an alteration/addition to the current CGL policy. Knowledge and awareness regarding such threats are very low among Indian brokers.
Hungama Digital Media Entertainment Pvt. Ltd.: Business operation: they are content providers and distributors. The issue they face is infringement/piracy of content post release. So they think the policy should be such that if there is infringement and they want to file litigation against the culprit, they should be reimbursed for that, and not the other way round. Also, on their mobile platform they store just normal details of their customers, such as name and number. There are no monetary transactions involved on their website. They have regular security audits. Wrongful acquisition of their content is the major problem they face.
VNS Finance and Capital Services Ltd: They have an online platform to cater to their clients. They make use of OTP as well. They also have half-yearly system audits. Orders are monitored constantly. As soon as something suspicious is observed, all the orders are stopped. They do collect details of customers and think they might be at risk. But they don't think the quantum of loss would be huge.
Sharekhan LTD.: They have multiple back-ups available for the smooth execution of their business in case of business interruption. But they feel IT cannot assure 100% foolproof security. There are loopholes in every technology. The main issue is the additional cost to bear. In case of a settlement issue, if they are not able to process it themselves, their pool at the clearing banks is also always quite sufficient. Their major threat is business interruption. It might cause them a hefty loss, since their client base is very large, ranging from small traders to big institutions. They feel the period of policy cover should be longer, since the frequency of such attacks is very low and renewing it every year doesn't seem economical, as the premium for such policies is usually very high.
INVESTERIA FINANCIAL SERVICES PVT. LTD: They use 3-level security and 256-bit encryption:
1) hardware firewall (a device connected between the ISP and their own network)
2) software firewall
3) antivirus/antispam, user ID and password
Only after passing through these layers can a hacker get into their system. They also have a backup leased line. They have 2 connectivity options: through their system or connected directly to the exchange. In case of an attack on their system, the clients connected directly to the exchange platform are not affected. Losses cannot be huge apart from business interruption losses and loss of reputation, since the brokerage is limited to 0.7% of turnover. IT security is as per the standard required by the regulatory authority. Back-office software is LAN based, and a web-based application is available where employees can only view data (read only; no write and no copy/download). The value of money during trading is virtual, nothing real. Logs of every activity executed on their system are captured and monitored. They make sure the IP address from which the system was accessed was from within the organisation.
Cyber crime liability report

  • 1. Cyber Crime Liability Report 2015 P a g e 1 | 29 CYBER CRIME LIABILITY REPORT 2015 A report submitted to India Insure Risk Management and Insurance Broking Services Pvt. Ltd., Mumbai. Ms. Sayali Sawant S.Y.B.Com (Banking and Insurance) Under the guidance of Mr. Manish D. Parikh AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd. Duration of the Project: 1st April, 2015- 30th June, 2015 Date of Completion of the Project: 26th June, 2015
  • 2. Cyber Crime Liability Report 2015 P a g e 2 | 29 Declaration I, Sayali Sawant, hereby declare that this is report on “FEASABILITY STUDY OF CYBER CRIME AND INSURANCE POLICY” has been written and prepared by me as a part of my summer internship since 1st April, 2015 – 30th June, 2015 under the guidance of Mr. Manish Parikh, AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd. All the statements in this format are true to the best of my knowledge. Place: Mumbai Date: 23rd June, 2015 (Sayali Sawant)
  • 3. Cyber Crime Liability Report 2015 P a g e 3 | 29 Certification
  • 4. Cyber Crime Liability Report 2015 P a g e 4 | 29 ACKNOWLEDGEMENTS Management ideas without actions based on them, means nothing. This is why practical experience is vital for any management studies. Theoretical studies in the classroom are not sufficient to understand the functioning climate and the real problems hindering management. Thus practical exposures are indispensable as the act like a supplement to the classroom studies. With respect to the same, I would like to acknowledge India Insure Risk Management and Insurance Broking Services Pvt. Ltd., for accepting my request for the internship with the company. I would like to express my gratitude to Mr. Arindam Ghosh, VP Mumbai, India Insure Risk Management and Insurance Broking Services Pvt. Ltd., for offering me this opportunity to team with them and for entrusting me with this project research. I am also grateful to Mr. Manish D. Parikh, for being my guide and mentor and helping me throughout my training period. Lastly, I would like to say a big “THANK YOU” to the entire staff at the Vile Parle, Mumbai office of India Insure Risk Management and Insurance Broking Services Pvt. Ltd. (Sayali Sawant)
  • 5. Cyber Crime Liability Report 2015 P a g e 5 | 29 CONTENTS 1. INTRODUCTION .........................................................................7 A. Background ...................................................................................7 B. Need Of the Study........................................................................9 C. Organizational Profile.................................................................10 2. Literature Review ........................................................................11 3. Research Methodology ................................................................16 A. Purpose and Objective ................................................................16 B. Research design...........................................................................16 4. Data Analysis And Interpretation..............................................18 A. Hypothesis Testing......................................................................18 B. Distribution of Responses From the Survey Questionnaire .......19 C. Risk Assessment .........................................................................20 D. Risk Management Strategy.........................................................22 5. Summary.......................................................................................23 A. Conclusion and Findings.............................................................23 B. Suggestions .................................................................................25 C. Future Leads................................................................................25 6. Appendix.......................................................................................26 7. Bibliography and References........................................................1
  • 6. Cyber Crime Liability Report 2015 P a g e 6 | 29 ABSTRACT Information Communication Technology is defined as technology required for information processing. It involves the use of computer software, web browsers, Productivity software suites and software for business applications. Use of Information Technology gas become inevitable in business and in personal life. Irrespective if the size of the turnover, every person is involved in any business transaction in some way or the other uses the complete, computer software and internet etc. for carrying on the business activities. In today’s business environment, people not only have their physical offices but also their space in the virtual world popularly called as the “websites”. Growing consumerism and advancement in the technology has led to mushrooming of e-Commerce and online sale. Automation of business plants is not possible without the computer software. Banking, Financial Sectors and Insurance has almost totally gone online. These are just a very few instances of encounter of technology and business. The list can go on and on. Any business activity online or offline has to comply with the law of the land. Thus, Information Technology Act, 20005 was formed a legal framework for smooth conduct of E- Commerce. Yet legal experts opine that at present, the rules construct an incomplete regime that does not adequately protect privacy and for this reason, falls short of internationally accepted data protection standards. Though the Act provides certain kind of protection, more effective mandatory to protect, preserve and promote cyber security in India. Thus cyber liability insurance policy comes into picture to fill the need if combatting the losses due to cyber-attacks. It provides as an appropriate option to transfer the risk associated with loss of data (i.e. Data Breach) and hacking efficiently providing liability covers fir the intangible property. 
The paper focuses on cybercrimes, cyber criminals and their activities, perception of cyber threats by various organizations, and scope of cybercrime insurance policy which organization should take to mitigate such crime. Here, primary data collected from participants of the survey is used for analysis purpose.
  • 7. Cyber Crime Liability Report 2015 P a g e 7 | 29 1. INTRODUCTION: The term “cyber liability” means different things to different people. For a corporate risk manager the issue is how to identify, quantify, mitigate and transfer the risks that face his own operations. For an IT service provider it is how to monitor, understand and outwit cyber criminals and develop new tools to prevent cyber-crime. In order to serve the needs of their clients, insurance professionals have to understand the implications of the business risks faced by corporations and offer effective, affordable solutions to their risk transfer needs. Daily news headlines reveal the escalating, and costly, problem of data breaches for companies today. All companies store assets digitally — from consumer personal data, to B2B customer data, to trade secrets, to confidential information relating to mergers and acquisitions. While technological advancements, evolving computer data systems, and internet access offer significant benefits to businesses and their customers, a major challenge that comes with the increased use of technology is an increase in the risk of cybercrime attack. Cybercrime has significant financial and non- financial implications for businesses. To prevent cyber- crime incidences, most companies employ cyber-security measures which include a combination of technology and security procedures. However, since cyber attackers are continuously discovering new ways to exploit vulnerabilities, cyber security alone cannot prevent all potential attacks. This project looks at how cybercrime insurance can protect companies from the costs of cybercrime. We explore the challenges for insurance companies offering cybercrime policies, analyse the required investments, and provide recommendations. A. Background:  What is cyber-crime? Cybercrime is criminal activity done using computers and the Internet. 
This includes anything from downloading illegal music files to stealing millions of dollars from online bank accounts. Cybercrime also includes non-monetary offenses, such as creating and distributing viruses on other computers or posting confidential business information on the Internet. Because cybercrime covers such a broad scope of criminal activity, the examples above are only a few of the thousands of crimes that are considered cybercrimes. While computers and the Internet have made our lives easier in many ways, it is unfortunate that people also use these technologies to take advantage of others. Therefore, it is smart to protect yourself by using antivirus and spyware blocking software and being careful where you enter your personal information. Cybercrime refers to any illegal activities using, or against, computer systems, computer networks, and the internet. Although cybercrime is a commonly used term today, there is no standard global definition and the definition varies based on the context.  Who is carrying it out? Cyber-attacks can be carried out by a host of people ranging between disgruntled employees, individual hacker, organised cybercrime syndicates to enemy government or an activist.
• What is the biggest delusion related to cybercrime?
Most organisations believe that their systems are highly secured and that their security can be rated 10 on a scale of 10! They believe they are 100% protected. However, attaining the highest level of security should ideally be a secondary goal for organisations, while being prepared to combat cyber-attacks should be their primary objective.

While the term cybercrime describes a variety of attacks and activities, they can be broadly classified into three categories.

Category 1 – Business disruption and misuse
• Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Attack refers to making a computer resource unavailable to its intended users or preventing it from functioning efficiently.
• Malware or Malicious Software refers to programs such as viruses and worms that try to exploit computer systems or networks, leading to business disruption, leakage of sensitive data, or unauthorized access to system resources.
• Software and Information Piracy refers to theft or misuse of copyright material and software.
• Industrial Espionage refers to corporate rivals illegally accessing confidential information to erode competitive advantage, gain financial information, or misuse trade secrets.
• Cyber Extortion refers to holding a company for ransom through denial of service, manipulating website links, or the threat of leaking customer or financial data.

Category 2 – Online Scams
• Phishing refers to disguising an electronic communication as coming from a trustworthy entity in an attempt to acquire sensitive data.
• Spear Phishing refers to a targeted campaign of highly personalized bogus e-mails, aimed at a specific individual or organization, that appear to come from a trusted source.
• Pharming techniques involve redirecting website traffic from a legitimate website to a fraudulent website.
• Spoofing refers to fooling people into entering personal details into a counterfeit website.
• Purchase Fraud refers to selling products through online channels which are never shipped.
Category 3 – Theft and fraud
• Identity Theft refers to obtaining personal data from individuals, such as social security number, address, or bank account details, which can be misused to open new accounts or obtain services in the name of the victim.
• Theft from Business refers to stealing revenue directly from businesses using online channels; for example, obtaining access to a firm’s accounts and transferring the money illegally.
• Intellectual Property (IP) Theft involves stealing ideas, designs, specifications, trade secrets, or process methodologies, which may erode competitive advantage in terms of operations and technology.
• Customer Data Theft involves obtaining sensitive customer information with the purpose of misusing the data for financial gain.
• Fiscal Fraud describes fraud against the government, often through attacking government online channels, and includes theft, such as fraudulent claims for benefits, and evading taxes.

B. Need of the Study:

Professional hackers and cyber terrorists have been working overtime to develop various techniques for compromising a firm’s security, thereby damaging its IT infrastructure. So, organizations need to build up capabilities for anticipating attacks that are serious, at times catastrophic, and that make inroads into critical corporate information. Apart from building up organizational resilience to cyber-attacks, it will also be prudent for organizations to obtain cyber insurance.

In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber-attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets, focussing less on theft of financial information and more on business espionage and accessing government information.

To fight fast-spreading cybercrime, businesses and governments must collaborate globally to develop an effective model that can control the threat.

CYBER CRIME IN INDIA [1]:
• 28,481 websites were hacked in India in 2013
• Cyber-crimes have cost India INR 24,630
• India is ranked as one of the top 3 targets

The study elaborates on cyber-attacks and also provides insights into proper structuring of cyber insurance.

[1] iNotes published by India Insure Risk Management & Insurance Broking Solutions Pvt. Ltd., Issue No. 51, December 2014
C. Organizational Profile:

India Insure was conceptualized well before the liberalization of the insurance sector in India. Started in the year 1999 as insurance consultants, the company was founded by a team of 4 professionals who came from diverse backgrounds with a common dream of doing something different. Sensing the huge opportunity that existed in the insurance industry post-liberalization, the idea to create a world-class insurance broking firm emerged.

Insurance broking operations commenced in India in the year 2003, and India Insure acquired the first insurance broking license in the country, a historical statistic now, but a proud moment for Team India Insure then. In the year 2004, India Insure started recruitment of core insurance professionals from the insurance industry.

India Insure is India’s leading Insurance Broker, the first to be licensed by IRDA. India Insure is a composite insurance broker licensed to handle both domestic and international business. The firm is more focused on commercial and corporate insurance. With a dedicated team exceeding 100 trained and experienced professionals having over 550 man-years of experience, India Insure operates from ten locations across India. Products handled are diverse, ranging from health insurance to complex project deals.

India Insure believes that “Winning and sustaining customers’ trust” is the key to professional broking. India Insure has expertise in handling deals from large power projects to some of the largest liability deals, and provides a comprehensive array of property, health, employee benefit, liability, reinsurance and risk management services. In addition, India Insure has developed product-specific competencies that allow it to respond to unique demands and opportunities in specific vertical markets.

Major lines of business:
• Employee Benefits Insurance.
• Liability & Specialty Insurance.
• Project Insurance.
• Claims Handling Services.
• Reinsurance.

Value added service offerings:
• Risk Inspection.
• Risk Audit Reports.
• Industry Benchmarking.
• Insurance Manuals.
• Training on Claims Handling.
2. Literature Review:

Cybercrime is a range of illegal digital activities targeted at organisations in order to cause harm. The term applies to a wide range of targets and attack methods. It can range from mere web site defacements to grave activities such as service disruptions that impact business revenues to e-banking frauds. [2]

In the modern data-centric business era, where trade is driven by information, communication and technology, the menace of cyber-attacks, including hacking, malware, cyber terrorism, fraud, DoS, DDoS, etc., is a potent cause of business interruption, leading to financial as well as reputational losses.

Cyber hacking can be a threat to almost any industry, ranging from IT to manufacturing. Even financial markets are vulnerable to cyber hacking. The impact of cyber risk can be moderate to catastrophic. Its frequency of occurrence is also quite possible. So, cyber risk can be mapped from medium to very high.

Frequency of     Severity
occurrence       Insignificant   Minor     Moderate    Major       Catastrophic
Frequent         Medium          High      Very High   Very High   Very High
Occasional       Medium          Medium    High        Very High   Very High
Possible         Low             Medium    Medium      High        Very High
Unlikely         Low             Low       Medium      High        High
Remote           Low             Low       Medium      Medium      High

1. Risk Matrix

KPMG’s Cyber Crime Survey Report 2014 reveals that India is the third most vulnerable and easy target for hackers worldwide, as cyber regulation is not so stringent. Cyber attackers can disrupt critical infrastructure such as stock markets, power infrastructure and air traffic control systems; carry out identity theft and financial fraud; and steal corporate information and state and military secrets. Anyone can take advantage of vulnerabilities in any system connected to the Internet and attack it from anywhere in the world without being identified.

The Information Technology Act, 2000 came into force on 17th October, 2000 and was amended twice, in 2008 and 2011, for amendments related to reasonable security practices, procedures and sensitive personal data. Tampering with computer source documents (Sec. 65), hacking with computer system (Sec. 66), publishing obscene information in electronic form (Sec. 67), breach of confidentiality and piracy (Sec. 72), and offence relating to digital signature (Sec. 73) are some of the cyber-crimes listed under the law, for which the maximum punishment is a fine of Rs. one lakh or two years of imprisonment or both. With the current law, the victims feel they are not reimbursed properly for the loss they suffer due to a cyber-attack.

Data is one of the most important assets of a business, and with hackers stealing tens of millions of customer details in recent years, firms across the globe are pushing network security beyond the IT department to the boardroom.

[Bar chart 1 [3]: The average number of breached records by country. Japan 19214; Australia 19788; Canada 20456; France 20650; United Kingdom 21695; Brazil 22902; Germany 24103; US 28070; India 28798; Arabian Cluster 29199]

Bar chart 2 reports the average size of data breaches for organizations in the 10 countries. As shown, organizations in the Arabian region, India and the US had the largest average number of records lost or stolen.

[2] KPMG Cyber Crime Survey Report 2014
[3] Ponemon Institute© Research Report (2015)
[Pie chart 1 [4]: Distribution of causes of data breach. Malicious/cyber attack 46%; system glitch 29%; human error 25%]

The root causes of data breach: Malicious or criminal attacks are most often the cause of a data breach globally. Pie chart 1 above provides a summary of the main root causes of a data breach on a consolidated basis for all 10 countries represented in the 2015 Cost of Data Breach Study: Global Analysis. Forty-seven percent of incidents involve a malicious or criminal attack, 25 percent concern a negligent employee or contractor (human factor), and 29 percent involve system glitches, which include both IT and business process failures.

Below are some statistics from the Symantec 2014 Report [5]:
• 62% increase in the number of breaches in 2013
• 552,000,000 identities were exposed in 2013
• 23 zero-day vulnerabilities discovered in 2013
• 38% of mobile users have experienced mobile cybercrime in 2013
• 1 in 392 emails contains a phishing attack
• 1 in 8 legitimate websites has a critical vulnerability

[4] Ponemon Institute© Research Report (2015)
[5] Symantec 2014 Internet Security Threat Report
Cyber Crime Insurance Policy:

From the above deductions, studying cyber-crime becomes more and more important. As we can see, the quantum of risk is getting bigger and bigger. Traditional insurance policies were not of much use in catering to such risks, and cyber-crime insurance bridges these gaps. Below are the coverages currently offered under a cyber risk insurance policy.

• First Party Losses:
a) Direct or extra expense of responding to the breach. Covered expenses typically include: hiring an independent information security forensics firm, public relations, notification of affected parties (i.e., business customers and/or individuals whose data was accessed or acquired in the data breach), credit monitoring for individuals, identity theft resolution services, costs to re-secure, re-create and/or restore data or systems, legal services/advice, crisis management services, and e-extortion costs (the company is forced to pay a hacker in order to get data/access back).
b) Fines/penalties: While civil fines themselves are usually covered, some carriers may not offer coverage for costs to investigate, defend and settle fines.
c) Denial of service costs to business: These costs include loss of use and resulting business interruption. Coverage can be set as a per-day amount or can be tailored to a company’s specific loss. For example, losses to an online retailer would likely be higher on Cyber Monday than on Memorial Day.
d) Losses resulting from misappropriation of the insured’s information assets or confidential business information. Under some policies, losses related to misappropriation of intellectual property, trade secrets, company records, customer lists, company credit card numbers, budgets, proposals, work papers, and any other proprietary or sensitive company data that result from a data breach are covered.
e) Damage to systems: This could include losses resulting from damage to the insured’s computer systems caused by the breach. Some policies include coverage for the cost of restoring lost or compromised data.
f) Disclosure of information: Some policies include coverage for damages in connection with the disclosure of information to a competitor.
g) Intellectual property: Coverage could include expenses related to the restoration or recreation of intellectual property, including trademarks, copyrighted material and proprietary business information, up to amortized value.

• Third Party Losses:
a) Third-party claims: This includes claims brought by customers, consumers or outside business entities for damages they incurred as a result of the insured company’s breach of security, namely their losses from the inability to transact business, including punitive and exemplary damages, settlements and costs.
b) Defence costs: These costs include attorney fees and expert fees for outside claims made against an insured related to a data breach.
c) Media liability: This provides coverage for losses related to libel, slander, defamation and other media torts, as well as copyright, trademark and patent infringement. This can include losses resulting from information posted to social networking sites, such as Facebook and LinkedIn.
d) Data and personally identifiable information (PII) loss: This covers losses or breach of a third party’s data, including dissemination of PII. One example would be if confidential third-party information, such as Social Security numbers or passwords, was used to breach the third party’s data. Policies define PII differently in the absence of an industry-standard definition.
e) Fines and penalties: These include fines that may be assessed under state privacy statutes as well as under federal privacy regulations.

Still, cyber-crime insurance is at a nascent stage. Most organisations in India still don’t consider cyber-crime a risk to them and are not aware of the utility of this policy. The above is the current progress in the cyber liability domain.
3. Research Methodology:

This research methodology has many dimensions. It includes not only research methods but also considers the logic behind the methods used in the context of the study and explains why a particular method is used, so that the research lends itself to proper evaluation.

A. Purpose and Objective:
• To understand the growing incidence of cyber-crimes associated with the Indian industries (viz. Stock Broking, IT, Multimedia, Custodian).
• To understand the preparedness of the companies in handling cyber threats.
• To analyse the feasibility and scope of cyber insurance policy in the Indian market.

B. Research design:
• Descriptive Research: A descriptive study is one in which information is collected without changing the environment (i.e., nothing is manipulated).
• Method used to conduct descriptive research: Questionnaire survey.
• Sample Size: Twenty Five companies.
• Data collection method: Primary Data (questionnaire survey).
• Sampling Method: Simple random sampling. A subset of a statistical population in which each member of the subset has an equal probability of being chosen. A simple random sample is meant to be an unbiased representation of a group.
• Geographical Region: Mumbai Region
• Number of companies: Twenty Five companies visited.
• Number of Interviewees: Twenty Five.

[Pie chart: Sectorwise distribution of companies. Values 8%, 84%, 4%, 4%; legend: IT, Stock broking, Multimedia, Custodian]

[Pie chart: Interviewee composition. Values 24%, 56%, 20%; legend: IT, Compliance, Sr. Management]
4. Data Analysis and Interpretation

A sample of 25 participants was taken and the following was analysed.

A. Hypothesis Testing:

Perception of cyber-crime as a threat is a qualitative phenomenon. The data available with us is on the basis of either presence or absence of such threats (attribute). Thus, we record the proportion of successes in each sample. Hence, we apply hypothesis testing for proportions to understand if the sample taken during May-June 2015 is appropriate for further analysis.

The Norton cyber-crime report 2012 states that 56% of Indians consider cyber-crime a threat. As per our survey, we claim that more people now foresee a cyber threat to their organisations. A random sample of 25 organisations from stock broking, IT, custodian and media was taken, out of which 20 claim that there is a threat. Can this claim be accepted with regard to a larger population?

Note: Tested at 1% level of significance.

The null hypothesis can be written as
H0: p = 0.56
and the alternative hypothesis can be written as
Ha: p > 0.56

Hence, p = 0.56, q = 0.44.
Observed sample proportion p̂ = 20/25 = 0.80

The test statistic is

$$Z_{cal} = \frac{\hat{p} - p}{\sqrt{\dfrac{p\,q}{n}}} = \frac{0.80 - 0.56}{\sqrt{\dfrac{0.56 \times 0.44}{25}}} = 2.41$$

As Ha is one-sided, we determine the rejection area by applying a one-tailed test (in the right tail, because Ha is of the "more than" type) at 1% level of significance.

R: Zcal > 2.33

As Zcal falls in the rejection region, we reject the null hypothesis and conclude that our claim can be accepted at 1% L.O.S. on the basis of our sample information.

[Figure: right-tailed rejection region, with the critical value 2.33 separating the Accept and Reject regions and Zcal = 2.41 in the Reject region]

B. Distribution of Responses From the Survey Questionnaire:

[Bar chart: Response Distribution. Share of yes and no responses, 0% to 100%, for questions Q1 to Q13]
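The one-tailed proportion test in section A (Hypothesis Testing) above, recomputed as an added example that is not part of the original report. It uses the report's figures (20 of 25, p = 0.56, 1% level) and, going one step beyond the text, adds a continuity-corrected z and an exact binomial tail as small-sample cross-checks; all function names are this example's own.

```python
import math

def one_sided_z_test(successes, n, p0, continuity=False):
    """Right-tailed z-test for H0: p = p0 against Ha: p > p0.

    Returns (z, p_value). With continuity=True the observed proportion is
    shifted by 0.5/n towards p0 before standardising.
    """
    se = math.sqrt(p0 * (1 - p0) / n)             # standard error under H0
    shift = 0.5 / n if continuity else 0.0
    z = (successes / n - shift - p0) / se
    p_value = 0.5 * math.erfc(z / math.sqrt(2))   # upper-tail area of N(0, 1)
    return z, p_value

def exact_upper_tail(successes, n, p0):
    """Exact right-tailed p-value: P(X >= successes), X ~ Binomial(n, p0)."""
    return sum(
        math.comb(n, k) * p0 ** k * (1 - p0) ** (n - k)
        for k in range(successes, n + 1)
    )

def compare_methods(successes, n, p0, alpha):
    """Run the three variants and report p-value and decision for each."""
    _, p_normal = one_sided_z_test(successes, n, p0)
    _, p_corrected = one_sided_z_test(successes, n, p0, continuity=True)
    p_exact = exact_upper_tail(successes, n, p0)
    return {
        name: {"p_value": p, "reject_h0": p < alpha}
        for name, p in [
            ("normal approximation", p_normal),
            ("normal, continuity-corrected", p_corrected),
            ("exact binomial", p_exact),
        ]
    }

# Figures taken from the report's survey.
REPORT = {"successes": 20, "n": 25, "p0": 0.56, "alpha": 0.01}

if __name__ == "__main__":
    z, _ = one_sided_z_test(REPORT["successes"], REPORT["n"], REPORT["p0"])
    print(f"Zcal = {z:.3f}")
    for name, result in compare_methods(**REPORT).items():
        print(f"{name:30s} p = {result['p_value']:.4f}  "
              f"reject H0 at 1%: {result['reject_h0']}")
```

On these figures the uncorrected normal approximation gives a p-value below 0.01, while the continuity-corrected and exact binomial p-values are slightly above it, so with n = 25 the decision at the 1% level depends on the method used.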
C. Risk Assessment:

• Awareness about cyber incidents: Only 56% were aware of the cyber-crime incidents taking place in the market. 44% had no idea about such events.

[Pie chart: Awareness. Yes 56%; No 44%]

• Perception about cyber threat: 80% of survey respondents consider cyber-crime a serious threat to their business operations, while the remaining 20% do not consider cyber-crime an immediate threat to their business.

[Pie chart: Perception of cyber-crime as a threat. Threat 80%; Not a threat 20%]
• Perception about losses in case of a cyber-attack: 88% of the respondents think financial loss is the major impact of a cyber-attack they may face, followed by 76% fearing reputational losses. 65% feel business interruption would cost them hugely in such an event, 41% see regulatory fines as a major cost and 32% consider that loss of data would be their biggest loss.

[Bar chart: Perception about losses. Financial loss 88%; Business interruption loss 65%; Regulatory compliance fine 41%; Reputation damage loss 76%; Data loss 32%]

• Quantum of financial loss: A major 41% feel the amount of loss they could face would be low, 29% feel it would be high, 18% don’t consider that they might incur any financial loss due to such an event and the remaining 12% feel they might incur a moderate loss.

[Bar chart: Quantum of Financial Loss. No loss 18%; Low 41%; Moderate 12%; High 29%]
D. Risk Management Strategy:

a) System Auditing: Apart from mandatory regulatory audits (e.g. Exchange Audits for stock brokers (annually) and SEBI audits (once in four years)), 43% of the respondent companies have regular internal audits on a frequent basis.
b) Redundant Systems: 29% of survey respondents claim that they have backup systems at different locations, capable of recovering from business interruption due to unforeseen events in a very short span of time.
c) Security Pool: 9% of the firms have a separate pool of resources set aside to meet the losses which may occur due to cyber-attacks. They prefer to self-insure by creating such a pool rather than going for commercial insurance.
d) Other Measures: 19% of the respondent firms believe the measures below are sufficient to protect their business from cyber-crime.
• Investor Protection Fund (stock brokers): The members of stock exchanges at present contribute to this Fund Re. 0.15 per Rs. 1 lakh of gross turnover, which is debited to their general charges account. The Stock Exchange contributes on a quarterly basis 2.5% of the listing fees collected by it. Presently the maximum compensation available to an investor is Rs. 1,00,000. So, the stock brokers consider this fund enough to take care of litigation filed by their clients in case they are affected by an unforeseen event.
• Data backup by KRA: KRA stands for KYC Regulatory Authority. Some of them feel that their data backed up by firms such as NSDL, CSDL, CRISIL, NSE, etc. is also enough to get back to work in case of a cyber-attack where their data is lost.

[Bar chart: Methods of combatting cybercrimes adopted by organisations. Redundant Systems 29%; Internal Audits 43%; Security Pool 9%; Other measures 19%]
5. Summary:

A. Conclusion and Findings:

• Is there a need for a Cyber Liability Policy?

In our survey, a majority of respondents feel that their organisations are putting in quite a lot of effort for uninterrupted and proper business operations. Though various security measures are employed by the organisations, they aren’t always sufficient. Yet many believe in the false hope that their system is 100% secured. There were also a few respondents who knew the gravity of the situation in case a cyber-attack occurred. They feel that with the expansion of their business lines, there is definitely a need for such a product.

[Bar chart: Need of Cyber Policy. Yes 72%; No 28%]

As we can see, a majority of 72% feel there is a need for such an insurance product, which would help them to counter these new threats to their business operations. They feel that they are exposed to cyber threats even after spending heftily on security. So, a cyber policy with some modifications would provide a sound base for their uninterrupted business operations.

But 28% of the respondents feel there is no need for such a product. They consider it an additional cost to their business operations and of no use to them. They don’t feel they are vulnerable to such threats or that their business operations would be affected by such events in the near future.
[Bar chart: Views about Policy. If required by law 54%; As an add-on cover 23%; Separate policy 23%]

According to our survey, 54% of the respondents feel that they would go for such a policy only if it is required by law. 23% of the participants feel that the provisions for cyber-crime liability should be added on to an existing liability policy rather than offered as an exclusive policy. The remaining 23% of the respondents would like to have cyber-liability as a separate product with some modified terms.

A cyber-crime insurance policy wouldn’t easily be preferred by small brokers, as they do not operate on a large scale and thus would consider it an additional cost.

Indian financial markets lack awareness about emerging cyber-crimes, which can prove to be one of the grave threats in the near future. Many survey respondents are of the opinion that cyber-attacks won’t take place in India, as Indian markets are developing but aren’t so huge. They do not foresee cybercrime as a risk to their business operations currently, but do not deny that the situation can change in the upcoming five to ten years. They believe that their IT security systems are completely updated and cent percent accurate, though they aren’t confident that there are no loopholes in them.
B. Suggestions:

• Stock Brokers:
  • Stock brokers would benefit from a cybercrime insurance policy if it were given as an add-on or an alteration to the current Stock Indemnity Policy or Commercial General Liability Policy.
  • With regard to third party liability coverage, even loss due to a vendor’s technical irresponsibility needs to be covered.
  • If the number of cyber-attacks in the stock broking industry increases over time, SEBI should make a cyber liability policy mandatory for protection of investors against losses arising due to such events.
• Media:
  • Regulatory coverages should include costs incurred by content providers to sue the culprit who infringed their data.
• IT:
  • Many companies outsource data processing or storage to third party vendors. So, for IT firms, it is necessary to cover them for claims that arise from misconduct by their vendors.
  • IT firms demand that the terms “Hardware” and “Software” should be well-defined and neatly framed in the policy language.
• General:
  • Awareness about cybercrime should be created in the Indian markets, especially among the BFSI sector.
  • The severity of losses, whether financial or non-financial, can take a catastrophic form. It can be huge and thus its severity needs to be explained.
  • There should be a standardized policy language. It should give more significance to the brand reputation clause.
  • The period of such policy coverage should be longer, since the frequency of such attacks is very low and renewing it every year isn’t economical, as the premium of this policy is high.

C. Future Leads:

This study provides good groundwork for carrying out more vigorous analysis in this field with more effective statistical tools and with the latest data of the boom period.

The Indian stock market has grown, and is still growing, in terms of volume over the last decades, implementing all new technologies. Thus, it has become more and more susceptible to cyber-crime. It can prove to be a flourishing market for a cyber-liability policy.

Media will also prove to be a leading industry in covering its cyber liabilities under an insurance product in the near future, though IT companies (claiming to have 100% security) won’t agree to such a product until their myth is broken.
6. Appendix

This report has emphasized the importance of creating awareness among Indian industries about cybercrime and its vulnerabilities to their business organisations, as well as highlighted an insurance product which can be utilized to transfer such risk. It is based on a random sample of 25 industries, and the hypothesis testing found in chapter 4 proves that it is appropriate to predict the results of the survey over the entire population. The survey was conducted on the basis of a questionnaire whose responses are recorded in chapter 4, and conclusions upon the same are found in chapter 5. The questionnaire is given herewith. Also, responses of some participants are given.

Forms:
• Hypothesis Testing
• Distribution of responses from the questionnaire
• Conclusion and Findings

Questionnaire:

The use of technology has become an integral part of our lives. Our increasing use of technology consolidates itself as a powerful platform that has revolutionized the way we do business and communicate with people, leaving us open to threats of cybercrime. Organizations must recognize this environment and must identify methods to address these RISKS proactively.

Name of Summer Intern: _________________
Date of Interview: _________________
Client / Corporate Name: _________________
Person met in Client Office: _______________
Designation of person: ____________________

Business Details:
Client Industry: ____________ (manufacturing/IT Services/BPO/KPO/Stock Broking/Financial Services/distribution)
In business since when: _______________ (Number of years / Year of incorporation)
No. of employees: ______________

1. Do you have an online business?
2. Do you have a website? If yes, is any sensitive information stored in the website?
3. How do you store critical data (internal or client)?
4. If your data is managed by a third party/cloud, what extra measures do you take for data security?
5. Have you ever faced any cyber-attack in the past? If yes, please state when and what happened.
6. Post a cyber-attack, did you suffer business interruption? If yes, how long?
7. Did you incur a heavy cost in terms of restoring your IT system?
8. Did you have to pay any consultation cost to restore your IT system?
9. Have you ever faced any regulatory scrutiny due to any cyber-related problem?
10. If you faced regulatory scrutiny, have you been imposed any fine?
11. Do you collect any personal information of customers? If yes, what?
12. Have any of your employees ever lost any laptop or BlackBerry or computer tapes?
13. Do all your employees have internet access?

Date of Meeting: ____________
Reviews of some survey participants:

India Capital Markets Pvt. Ltd.
They feel even an attack on or through their vendors poses a serious risk to them, as they use the technology provided by those vendors. An optimum level of funds is set aside for IT security as and when required by the regulatory authority. Employees are provided only email services outside the office when travelling and nothing apart from that. There is no access for any kind of operational activities outside office premises. They think insurance companies should come forward, draft a request about such issues and their serious threats to the broking industry, and submit it to the regulatory authority, so that it understands the severity and makes it mandatory to some extent to have such a policy, or it should be proposed as an alteration/addition to the current CGL policy. Knowledge and awareness regarding such threats are very low among Indian brokers.

Hungama Digital Media Entertainment Pvt. Ltd.
Business operation: content providers and distributors. The issue they face is that of infringement/piracy of content post release. So they think the policy should be such that if there is infringement and they want to file litigation against the culprit, they should be reimbursed for that, and not the other way round. Also, in their mobile platform they store just normal details of their customers, such as name and number. There are no monetary transactions involved on their website. They have regular security audits. Wrongful acquisition of their content is the major problem they face.

VNS Finance and Capital Services Ltd.
They have an online platform to cater to their clients. They make use of OTP as well. They also have half-yearly system audits. Orders are monitored constantly. As soon as something suspicious is observed, all the orders are stopped. They do collect details of customers and think they might be at risk. But they don’t think the quantum of loss would be huge.

Sharekhan Ltd.
They have multiple back-ups available for the smooth execution of their business in case of business interruption. But they feel IT cannot assure 100% foolproof security. There are loopholes in every technology. The main issue is the additional cost to bear. In case of a settlement issue, if they are not able to process it themselves, their pool at the clearing banks is also always quite sufficient. Their major threat is business interruption. It might cause them a hefty loss, since their client base is very large, ranging from small traders to big institutions. They feel the period of policy cover should be longer, since the frequency of such attacks is very low and renewing it every year doesn’t seem economical, as the premium of such policies is also usually very high.

Investeria Financial Services Pvt. Ltd.
They use 3-level security and 256-bit encryption:
1) hardware firewall (a device connected between the ISP and their own network)
2) software firewall
3) antivirus/antispam, user id and password
Only after passing through these layers can a hacker get into their system. They also have a backup leased line. They have 2 connectivity options: through their system or connected directly to the exchange. In case of an attack on their system, the clients connected directly to the exchange platform do not get affected. Losses cannot be huge apart from business interruption losses and loss of reputation, since the brokerage is limited to 0.7% of turnover. IT security is as per the standard required by the regulatory authority. Back office software is LAN based, and a web-based application is available where employees can only see data (read only, no write and no copy/download). The value of money during trading is virtual, nothing real. Logs are captured and monitored for every activity executed on their system. They make sure the IP address from which the system was accessed was from within the organisation.
7. Bibliography and References

• http://businesstoday.intoday.in/story/cybercrime-hit-42-mn-indians-in-2011-cost-$8-bn-norton/1/187969.html as accessed on 21/06/2015
• http://www.bseindia.com/members/MembershipDirectory.aspx?expandable=2 as accessed on 11/05/2015
• http://www.gcl.in/downloads/bm_cybercrime.pdf as accessed on 22/06/2015
• http://infosecawareness.in/cyber-crime-cells-in-india as accessed on 24/06/2015
• www.cybervictims.org/CCVCresearchreport2013.pdf as accessed on 24/06/2015
• Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis
• KPMG’s Cyber Crime Survey Report 2014
• iNotes published by India Insure Risk Management & Insurance Broking Solutions Pvt. Ltd., Issue No. 51, December 2014
• Symantec 2014 Internet Security Threat Report