CYBER CRIME LIABILITY REPORT 2015
A report submitted to India Insure Risk Management and Insurance Broking Services Pvt. Ltd., Mumbai.
Ms. Sayali Sawant
S.Y.B.Com (Banking and Insurance)
Under the guidance of Mr. Manish D. Parikh, AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd.
Duration of the Project: 1st April, 2015 - 30th June, 2015
Date of Completion of the Project: 26th June, 2015
Declaration
I, Sayali Sawant, hereby declare that this report on “FEASIBILITY STUDY OF CYBER
CRIME AND INSURANCE POLICY” has been written and prepared by me as a part of my
summer internship from 1st April, 2015 – 30th June, 2015 under the guidance of Mr. Manish
Parikh, AGM, India Insure Risk Management and Insurance Broking Services Pvt. Ltd. All the
statements in this format are true to the best of my knowledge.
Place: Mumbai
Date: 23rd June, 2015 (Sayali Sawant)
Certification
ACKNOWLEDGEMENTS
Management ideas without actions based on them mean nothing. This is why practical
experience is vital for any management studies. Theoretical studies in the classroom are not
sufficient to understand the functioning climate and the real problems hindering management.
Thus practical exposures are indispensable as they act like a supplement to the classroom studies.
With respect to the same, I would like to acknowledge India Insure Risk Management
and Insurance Broking Services Pvt. Ltd., for accepting my request for the internship with the
company. I would like to express my gratitude to Mr. Arindam Ghosh, VP Mumbai, India
Insure Risk Management and Insurance Broking Services Pvt. Ltd., for offering me this
opportunity to team with them and for entrusting me with this project research. I am also
grateful to Mr. Manish D. Parikh, for being my guide and mentor and helping me throughout
my training period.
Lastly, I would like to say a big “THANK YOU” to the entire staff at the Vile Parle,
Mumbai office of India Insure Risk Management and Insurance Broking Services Pvt. Ltd.
To understand the preparedness of the companies in handling cyber threats.
To analyse the feasibility and scope of cyber insurance policy in the Indian market.
B. Research design:
Descriptive Research: A descriptive study is one in which information is collected
without changing the environment (i.e., nothing is manipulated).
Method used to conduct descriptive research: Questionnaire survey.
Sample Size: Twenty Five companies.
Data collection method: Primary Data (questionnaire survey).
Sampling Method - Simple random sampling: A subset of a statistical population in
which each member of the subset has an equal probability of being chosen. A simple
random sample is meant to be an unbiased representation of a group.
[Figure: Sector-wise distribution of companies (pie chart). Legend: IT, Stock broking, Multimedia, Custodian. Segment values as extracted: 8%, 84%, 4%, 4%.]
Geographical Region: Mumbai Region
Number of companies: Twenty Five companies visited.
Number of Interviewees: Twenty Five.
[Figure: Interviewee composition (pie chart). Legend: IT, Compliance, Sr. Management. Segment values as extracted: 24%, 56%, 20%.]
4. Data Analysis and Interpretation
A sample of 25 participants was taken and the following was analysed.
A. Hypothesis Testing:
Perception about cyber-crime as a threat is a qualitative phenomenon. The data available with
us is on the basis of either presence or absence of such threats (attribute). Thus, we record the
proportion of successes in each sample. Hence, we apply hypothesis testing for proportions to
understand if the sample taken during May-June 2015 is appropriate for further analysis.
Norton cyber-crime report 2012 states that 56% Indians consider cyber-crime as a threat. As
per our survey, we claim that more people now foresee cyber threat to their organisations. A
random sample of 25 organisations from stock broking, IT, custodian and media was taken
out of which 20 claim that there is a threat. Can this claim be accepted with regards to a larger
population?
Note: Tested at 1% Level of significance.
The null hypothesis can be written as:
H0: p = 0.56
And the alternative hypothesis can be written as:
Ha: p > 0.56
Hence, p = 0.56, q = 0.44
Observed sample proportion p̂ = 20/25 = 0.80
And the test statistic is:
$$Z_{cal} = \frac{\hat{p} - p}{\sqrt{\dfrac{p\,q}{n}}} = \frac{0.80 - 0.56}{\sqrt{\dfrac{0.56 \times 0.44}{25}}} = 2.41$$
As Ha is one-sided, we determine the rejection region by applying a one-tailed test (in the right
tail, because Ha is of the “greater than” type) at the 1% level of significance.
R: Zcal > 2.33
As Zcal falls in the rejection region, we reject the null hypothesis and conclude that our claim
can be accepted at 1% L.O.S. on the basis of our sample information.
B. Distribution of Responses From the Survey Questionnaire:
[Figure: Response Distribution (bar chart). Share of yes and no responses, on a 0% to 100% axis, for questions Q1 to Q13.]
[Figure: Rejection region of the hypothesis test. The critical value 2.33 separates the Accept and Reject regions; Zcal = 2.41 lies in the Reject region.]
C. Risk Assessment:
Awareness about cyber incidents: Only 56% were aware of the cyber-crime
incidents taking place in the market. 44% had no idea about such events.
Perception about cyber threat: 80% of survey respondents consider cyber-crime a
serious threat to their business operations, while the remaining 20% do not consider cyber-
crime an immediate threat to their business.
[Figure: Awareness (pie chart). Yes: 56%, No: 44%.]
[Figure: Perception of cyber-crime as a threat (pie chart). Threat: 80%, Not a threat: 20%.]
Perception about losses in case of a cyber-attack: 88% of the respondents see
financial loss as the major impact of a cyber-attack they may face, followed by 76% fearing
reputational losses. 65% feel business interruption would cost them heavily after such an
event, 41% see regulatory fines as a major cost and 32% consider that loss of data would be
their biggest loss.
Quantum of financial loss: The largest group, 41%, feel the amount of loss they could face would
be low, 29% feel it would be high, 18% don’t think they would incur any financial
loss due to such an event and the remaining 12% feel they might incur a moderate loss.
[Figure: Perception about losses (bar chart, 0% to 100%). Financial loss: 88%, Business interruption loss: 65%, Regulatory compliance fine: 41%, Reputation damage loss: 76%, Data loss: 32%.]
[Figure: Quantum of Financial Loss (bar chart, 0% to 50%). No loss: 18%, Low: 41%, Moderate: 12%, High: 29%.]
D. Risk Management Strategy:
a) System Auditing: Apart from mandatory audits by various regulatory bodies (e.g.
Exchange Audits for stock brokers (annually) and SEBI audits (once in four years)),
43% of the respondent companies conduct their own internal audits on a frequent
basis.
b) Redundant Systems: 29% of survey respondents claim that they have backup systems
at different locations, capable of recovering from business interruption due to
unforeseen events in a very short span of time.
c) Security Pool: 9% of the firms have a separate pool of resources set aside to
meet the losses which may occur due to cyber-attacks. They prefer to
self-insure by creating such a pool, rather than going for commercial
insurance.
d) Other Measures: 19% of the respondent firms believe the measures below are
sufficient to protect their business from cyber-crime.
Investor Protection Fund (stock brokers): The members of stock
exchanges at present contribute to this Fund Re. 0.15 per Rs. 1 lakh of gross
turnover, which is debited to their general charges account. The Stock
Exchange contributes on a quarterly basis 2.5% of the listing fees collected
by it. Presently the maximum compensation available for an investor is
Rs. 1,00,000. So, the stock brokers consider this fund enough to take care
of litigation filed by their clients, in case they get affected by an unforeseen
event.
Data backup by KRA: KRA stands for KYC Regulatory Authority. Some
of them feel that their data, backed up by firms such as NSDL, CDSL, CRISIL,
NSE, etc., is also enough to get back to work in case of a cyber-attack where
their data is lost.
[Figure: Methods of combatting cybercrimes adopted by organisations (bar chart, 0% to 50%). Redundant Systems: 29%, Internal Audits: 43%, Security Pool: 9%, Other measures: 19%.]
5. Summary:
A. Conclusion and Findings:
Is there a need of Cyber Liability Policy?
In our survey, a majority of respondents feel that their organisations are putting in quite
a lot of effort for uninterrupted and proper business operations. Though various
security measures are employed by the organisations, they aren’t always sufficient. Even so,
many believe in the false hope that their system is 100% secured. There were also a
few respondents who knew the gravity of the situation in case a cyber-attack occurred.
They feel that with the expansion of their business lines, there is definitely a need for
such a product.
As we can see, a majority of 72% feel there is a need for such an insurance product,
which would help them to counter these new threats to their business operations. They
feel that they are exposed to cyber threats even after spending heftily on security. So,
a cyber policy with some modifications would provide a sound base for their uninterrupted
business operations. But 28% of the respondents feel there is no need of such a product.
They consider it an additional cost to their business operations and of no use to them.
They don’t feel they are vulnerable to such threats or that their business operations would
be affected by such events in the near future.
[Figure: Need of Cyber Policy (bar chart, 0% to 100%). Yes: 72%, No: 28%.]
According to our survey, 54% of the respondents feel that they would go for such a
policy only if it is required by law. 23% of the participants feel that the provisions
for cyber-crime liability should be offered as an add-on to an existing liability policy
rather than as an exclusive policy. The remaining 23% of the respondents would like
to have cyber-liability as a separate product with some modified terms.
A cyber-crime insurance policy wouldn’t be readily preferred by small brokers, as they do
not operate on a large scale and thus would consider it an additional cost.
Indian financial markets lack awareness about emerging cyber-crimes, which can prove to
be one of the grave threats in the near future.
Many survey respondents are of the opinion that cyber-attacks won’t take place in India as
Indian markets are developing but aren’t so huge.
They do not foresee cybercrime as a risk to their business operations currently but do not
deny that the situation can change in the upcoming five to ten years. They believe that their
IT security systems are completely updated and cent percent accurate, though they
aren’t confident that there are no loopholes in them.
[Figure: Views about Policy (bar chart, 0% to 60%). If required by law: 54%, As an add-on cover: 23%, Separate policy: 23%.]
B. Suggestions:
Stock Brokers-
Stock brokers would benefit from a cybercrime insurance policy if it was given as an
add-on or an alteration to the current Stock Indemnity Policy or Commercial
General Liability Policy.
With regards to third party liability coverage, even loss due to vendor’s
technical irresponsibility needs to be covered.
If the number of cyber-attacks in the stock broking industry increases over time,
SEBI should make cyber liability policy mandatory for protection of investors
against losses arising due to such events.
Media-
Regulatory coverages should include cost incurred by content providers to sue
the culprit who infringed their data.
IT-
Many companies outsource data processing or storage to third party vendors.
So, for IT firms, it is necessary to cover them for claims that arise from
misconduct by their vendors.
IT firms demand that the terms “Hardware” and “Software” should be well-
defined and neatly framed in the policy language.
General-
Awareness about cybercrime should be created in the Indian markets especially
among the BFSI Sector.
The severity of losses, whether financial or non-financial, can take a
catastrophic form. It can be huge and thus, its severity needs to be explained.
There should be a standardized policy language. It should give more
significance to brand reputation clause.
The period of such policy coverage should be longer, since the frequency of
such attacks is very low and renewing it every year isn’t economical as the
premium of this policy is high.
C. Future Leads:
This study provides a good basis for carrying out more vigorous analysis in this field with
more effective statistical tools and with the latest data from the boom period. The Indian stock
market has grown, and is still growing, in terms of volume over the last decades, implementing all
new technologies. Thus, it has become more and more susceptible to cyber-crime. It can
prove to be a flourishing market for a cyber-liability policy. Media also will prove to be a
leading industry covering its cyber liabilities under an insurance product in the near
future. IT companies (claiming to have 100% security), though, won’t agree to such a
product until their myth is broken.
6. Appendix
This report has emphasized the importance of creating awareness among Indian industries about
cybercrime and its threats to their business organisations, and has highlighted an insurance
product which can be utilized to transfer such risk. It is based on a random sample of 25 industries, and
the hypothesis testing found in chapter 4 proves that it is appropriate to predict the results of the survey
over the entire population. The survey was conducted on the basis of a questionnaire whose
responses are recorded in chapter 4, and conclusions upon the same are found in chapter 5. The
questionnaire is given herewith. Also, responses of some participants are given.
Form | Found on Page
Hypothesis Testing | Page 12
Distribution of responses from the questionnaire | Page 14
Conclusion and Findings | Page 18
Questionnaire:
The use of technology has become an integral part of our lives. Our increasing use of technology consolidates itself
as a powerful platform that has revolutionized the way we do business and communicate with people, leaving us in
the open to threats of cybercrime. Organizations must recognize this environment and must identify methods to
address these RISKS proactively.
Name of Summer Intern: _________________
Date of Interview: _________________
Client / Corporate Name: _________________
Person met in Client Office: _______________ Designation of person: ____________________
Business Details:
Client Industry :____________( manufacturing/IT Services/BOP/ KPO/Stock Broking/Financial
Services/distribution)
In business since when: _______________ (Number of years/ Year of incorporation)
No. of employees: ______________
1. Do you have an online business?
2. Do you have a website? If yes, is any sensitive information stored in the website?
3. How do you store critical data (internal or client)?
4. If your data is managed by third party/cloud, what extra measures do you take for data security?
5. Have you ever faced any cyber-attack in the past? If yes, please state when and what happened?
6. Post a cyber-attack, did you suffer business interruption? If yes, how long?
7. Did you incur a heavy cost in terms of restoring your IT System?
8. Did you have to pay any consultation cost to restore your IT system?
9. Have you ever faced any regulatory scrutiny due to any cyber related problem?
10. If faced regulatory scrutiny, have you been imposed any fine?
11. Do y’all collect any personal information of customers? If yes, what?
12. Have any of your employees ever lost any laptop or blackberry or computer tapes?
13. Do all your employees have internet access?
Date of Meeting: ____________
Reviews of some survey participants:
India Capital Markets Pvt. Ltd.
They feel that even an attack on or through their vendors poses a serious risk to them, as they
use the technology provided by those vendors. An optimum level of funds is set
aside for IT security as and when required by the regulatory authority. Employees are
provided only email services outside the office when travelling and nothing apart from that;
there is no access for any kind of operational activities outside office premises. They think
insurance companies should come forward and draft a request about such issues and their
serious threats to the broking industry and submit it to the regulatory authority, so that it
understands the severity and makes it mandatory to some extent to have such a
policy, or it should be proposed as an alteration/addition to the current CGL policy.
Knowledge and awareness regarding such threats are very low among Indian brokers.

Hungama digital media entertainment Pvt. ltd.
Business operation: They are content providers and distributors. The issue they face is that
of infringement/piracy of content post release. So they think the policy should be
such that if there is infringement and they want to file litigation against the culprit,
they should be reimbursed for that, and not the other way round. Also, on their mobile
platform they store just normal details of their customers, such as name and number. There
are no monetary transactions involved on their website. They have regular security
audits. Wrongful acquisition of their content is the major problem they face.

VNS Finance and Capital Services Ltd They have online platform to cater their