Cyber Insurance for ITES

Cyber Insurance for ITES Sector

One of the major pillars of India’s economy today is the ITES sector. Comprising companies that offer services such as Business Process Outsourcing (BPO), Knowledge Process Outsourcing (KPO), data management, IT consulting, and back-office operations, the industry generates over $180 billion in revenue. It employs 4.5 million people as of 2023.

Giants like Infosys, Wipro, and TCS dominate the market and provide vital outsourced services to clients worldwide. On the flip side, the business is so heavily computerized that it is highly exposed to attackers.

Cyber attacks in ITES sector

Between 2020 and 2023, the abrupt shift to digitization, cloud, and telework widened the field for cyber intrusion. During this period, cyber attacks on Indian companies rose more than 400%, and the ITES industry, dependent on technology and holding so much confidential information, has been one of the hardest hit.

According to Deloitte, the Indian cyber insurance market is growing at a rate of 30% per year, and this growth is primarily due to the increasing awareness among ITES companies.

 

Recent Trends and Challenges

  1. Cloud Adoption: Cloud has given ITES companies the capability to expand services and operate more effectively. However, cloud environments can expose companies to data breaches and misconfigurations if not secured correctly.
  2. Remote Work: The COVID-19 pandemic catalyzed the shift to remote work. It made work flexible but, at the same time, far less secure. Remote employees are more exposed to phishing and malware attacks because they work on unsecured networks or their own devices.
  3. Ransomware: Ransomware attacks have been on the rise in India. These attacks involve hackers encrypting data and demanding a ransom for the decryption keys. According to Sophos, Indian businesses experienced 75% more ransomware attacks in 2022 than in 2021.


In view of this, ITES firms need not only advanced cybersecurity tools but also a complete cyber insurance policy to protect them from the financial loss that a cyberattack could cause.

The Growing Importance of Cybersecurity

Within the last couple of years, cyberattacks on ITES companies have increased exponentially in size and complexity. One such case is Air India’s 2021 data breach, which exposed the data of 4.5 million passengers, including passport numbers, credit card numbers, and other personal identifiers. Breaches of this type cost a company millions of dollars, regulatory fines, and reputational damage.

Palo Alto Networks says that India is in the top 10 most attacked countries in the world, and that ITES companies account for the largest share of these attacks.

Phishing attacks in ITES sector

Phishing is still the number one method, responsible for 90% of the breaches in the industry, but ransomware is the most expensive, with ransom demands sometimes reaching millions of dollars. Without the financial safety net that cyber insurance provides, the consequences of a significant breach could cripple even the largest ITES firms.

Why Cyber Insurance is Critical for ITES

Cyber insurance has become a mainstream risk management tool for businesses, covering everything from hacking to data theft to business interruption due to a computer virus. ITES companies deal with a lot of confidential client data, and any data breach or service disruption can cost them heavily in both money and reputation. As per IBM Security’s Cost of a Data Breach Report, India’s average data breach cost increased to ₹16 crores ($2 million USD) in 2022. Cyber insurance can offset many of these costs, covering legal fees, regulatory fines, public relations costs, and lost business due to interruption.

Detailed Exploration of Industry-Specific Cyber Threats

Common Cyber Threats in ITES

The ITES sector is particularly susceptible to cyber risks due to its reliance on digital infrastructure and its handling of sensitive information. The following are some of the most common cyber threats the industry faces:

  1. Ransomware Attacks: Ransomware attacks are one of the worst threats facing ITES. Hackers encrypt important data and then demand money for the decryption. For example, last year, Kaseya, a global IT management company, was the victim of a ransomware attack that compromised over 1,500 businesses worldwide. This attack illustrated the potential for interlinked IT systems to be used as a weapon against companies that outsource their services.
  2. Phishing and Social Engineering: Phishing is the latest trend in social engineering, and it involves tricking people into giving up usernames and passwords. According to the Verizon Data Breach Report, in 2023, phishing attacks accounted for 90% of successful breaches in the ITES sector.
  3. Insider Threats: Much of the cyber risk is internal. From carelessness to outright malice, employees can leave important information exposed to intrusion. According to an IBM study, 30% of all data breaches come from insider behavior.
  4. Distributed Denial of Service (DDoS) Attacks: A DDoS attack floods a company’s servers with so much traffic that its service becomes unavailable; ITES companies, particularly cloud and hosting providers, are frequent victims.

Impact of Cyber Threats on Industry Operations


  • Financial Losses: The financial cost of a cyberattack can be enormous. The average ransom demand in India reached ₹7 crores in 2023, with companies often facing additional costs related to system restoration, customer notification, and regulatory fines. For example, Cognizant was hit by ransomware in 2020, costing the company 50 million dollars.
  • Operational Disruption: ITES firms depend on continuous service delivery. A sizeable DDoS or ransomware attack could shut down production for hours, if not days, which means missed deadlines and lost revenue. For example, HCL Technologies experienced a significant disruption in operations in 2019 after a ransomware virus infected many of its vital services.
  • Reputational Damage: If a company loses critical client data, its image suffers, and clients become unwilling to do future business with it because they cannot trust it. Wipro was hacked about two years ago and lost a lot of big contracts, because clients are reluctant to trust their data to a company with loose security.

Emerging Threats and Future Risks

As AI and IoT become more commonplace in ITES, so do new threats. In 2025, AI-related attacks, such as deepfake phishing or AI-based malware, will be commonplace. With the growth of IoT, ITES companies that manage smart devices become vulnerable to IoT-related attacks that capitalize on the lack of security in connected devices. Gartner predicts that by 2025, more than 75 billion IoT devices will be connected worldwide, which will greatly expand the attack surface.

In-Depth Look at Key Cyber Insurance Coverages for ITES

Essential Coverage Types

ITES firms need the following kinds of cyber insurance coverage to protect themselves adequately against the different types of liabilities they assume:

  1. Data Breach Response: This covers legal fees, customer notifications, public relations work, and forensic audits in case of a data breach. In 2023, India will pass the Digital Personal Data Protection (DPDP) Act, and all companies must report any breach within this period. Failure to do so can lead to hefty fines, making breach response coverage critical.
  2. Business Interruption: If the company is hacked and operations are halted, this covers the loss of income incurred during that downtime. ITES companies take SLAs very seriously because they can be heavily penalized if their services are down. For instance, last year, the Colonial Pipeline ransomware attack forced the company to shut down for weeks, costing millions of dollars, so this type of coverage is necessary.
  3. Cyber Extortion and Ransomware: As ransomware grows, this coverage helps companies pay for data decryption, negotiators, and ransom demands.
  4. Legal and Regulatory Liability: This policy protects against legal claims and regulatory fines. ITES companies that deal with international clients must follow laws such as the GDPR in Europe and the DPDP Act in India. If these laws are violated, penalties of up to ₹500 crores may be imposed.
  5. Third-Party Liability: If an ITES company’s systems are compromised and a client’s data is exposed as a result, the client could very well sue for damages. Third-party liability covers these claims, including the cost of settling.

Why These Coverages Matter

For ITES firms, a cyber incident can be disastrous. Without proper coverage, a ransomware attack could lead to millions of dollars in ransom payments, lost revenue due to downtime, and the cost of legal defense. That is before counting legal and regulatory liability: the GDPR and the DPDP Act 2023 impose huge fines on companies that do not sufficiently protect personal data.

Regulatory and Compliance Considerations

Overview of Industry Regulations

The Digital Personal Data Protection (DPDP) Act 2023 in India imposes very strict rules on how companies can use personal data. The purpose of this act is to protect an individual’s privacy and ensure that companies store, manage, and process personal and sensitive information more responsibly.

The law requires all ITES companies (which deal with a lot of client and customer information) to follow strict data protection rules. It is very strict about how companies acquire, store, and use “personal data.” These companies must tell their users precisely what they do with their data and take measures to ensure it isn’t compromised.

The key provisions of the DPDP Act include:

  1. Data Minimization: Firms are only allowed to collect information that is completely necessary for the operation of their business and can only retain it for a limited period.
  2. Purpose Limitation: All information gathered must be used only for the purposes stated at the time of collection.
  3. Data Security: Every organization should have secure systems that prevent information from being hacked into, invaded, or breached.
  4. Data Breach Notification: If there is a data breach, the companies are to inform the victims and the appropriate agencies. Failure to do so can result in significant penalties.
  5. Consent Requirements: Companies must have consent from individuals before they can collect or process any personal data.


The penalties for not complying with the DPDP Act run to hundreds of crores (500 to be exact, that’s 60 million dollars), which makes it one of the strictest data protection laws in the world. In addition, ITES companies dealing with international clients must also comply with other international laws like the GDPR (General Data Protection Regulation), which regulates the processing of personal data in the EU and carries fines of up to €20 million or 4% of the global annual turnover, whichever is higher (Mitigata Insurance) (Deloitte United States).

Cyber Insurance as a Compliance Tool

ITES companies must protect data not only because the law requires it but also to keep their customers’ confidence. One way companies can cope with these regulations is cyber insurance. In case of a data leak, the insurance pays for lawyer fees, FCC fines, etc.

For example, almost all cyber insurance policies carry regulatory liability coverage so companies can offset the expenses of breaking laws like the DPDP Act or the GDPR. This type of coverage can help pay for legal defense, fines from regulatory bodies, and the cost of notifying people affected by the data breach, which is mandated by almost all data protection laws, both Indian and international (Deloitte United States).

The right cyber insurance coverage can strengthen an ITES company’s compliance posture because of the risk management services that come along with it, such as:

  • Data breach simulations: These services prepare companies for cyber attacks, test their response plans, and ensure they are legally compliant.
  • Legal and regulatory guidance: Insurers advise on how to navigate the regulatory landscape so that the firm stays in compliance with the DPDP Act or GDPR.

ITES companies can avoid fines and severe reputational damage due to a breach by using cyber insurance as a compliance risk mitigation tool (Mitigata Insurance).

Compliance Challenges and Solutions

Only a few ITES companies have a 100% compliance history, because it is challenging to keep up with all of the international data protection laws, which are incredibly complicated and change alarmingly fast. The compliance issues that most often affect ITES (information technology-enabled services) firms are:

  • Cross-border data transfers: Many ITES companies host and process data from many places, and each place has its own laws. Reconciling the DPDP Act in India with GDPR worldwide is a lot to work through.
  • Evolving regulatory requirements: Data protection laws are constantly evolving. It is hard enough for ITES companies that serve international customers to keep up with all these changes, much less across so many jurisdictions.
  • Data breach reporting timelines: The DPDP Act says that if a company has a data breach, it must report it to the proper authorities and to the individuals involved within a certain period of time (usually 72 hours). Not many companies have the capability to detect that they have been breached and then report it as the law requires.

To overcome these challenges, ITES firms can:

  • Invest in regulatory technologies (RegTech): These tools should streamline the compliance processes, track all regulatory changes, and generate the required reports.
  • Collaborate with cyber insurance providers: The best insurance companies do more than provide financial coverage: they share updates on changes in regulations, court decisions, and compliance best practices that help firms stay ahead of the law.
  • Conduct regular compliance audits: Continual auditing will show any weakness in data security and keep the company in compliance with constantly changing laws.

 

Case Study: Real-Life Example

Detailed Case Study: The Wipro Cyber Attack

In 2019, Indian ITES giant Wipro experienced a cyberattack that compromised its internal systems and infiltrated several client networks. The attackers then used Wipro’s network to launch phishing campaigns against Wipro’s customers, leading to large-scale data exposure and operational losses in the banking and retail sectors.

Pre-Incident Cybersecurity Posture

Like most other ITES companies, Wipro had a very good cybersecurity system, with firewalls, antivirus software, and training for employees on how to recognize phishing. However, the complexity of the assault took the company by surprise: the attack used trusted internal systems to reach the customers.

How the Incident Occurred

It appears that the hackers gained access to Wipro’s systems by obtaining employee usernames and passwords, most likely through some kind of phishing scheme. After entering, they moved around the network and into client systems, collecting any valuable information they could find. This was possible because Wipro’s IT infrastructure was so integrated with that of its customers that the intrusion could spread laterally very quickly.

Immediate Impact and Response

This breach affected Wipro and its customers. Several large clients experienced service disruptions, and the company faced intense scrutiny from the media, regulators, and clients. Wipro has responded by strengthening its internal security and performing a complete review of its cybersecurity protocols.

Role of Cyber Insurance in Mitigating Damage

Wipro’s cyber insurance policy made a big difference in recovering from the financial losses caused by the attack. The insurance covered:

  1. Incident response costs, including forensics, to determine the scope of the compromise.
  2. Legal fees associated with defending against client lawsuits.
  3. Third-party claims from customers whose systems were hacked.
  4. The cost of notifying the victims and giving them free credit monitoring so their information was secure.
  5. Business interruption, which compensated Wipro for lost revenue during the recovery period.

Key Takeaways and Lessons Learned

The recent cyberattack on Wipro highlights the need for both strong internal cybersecurity and a complete cyber insurance policy. Some targeted attacks will always get through, no matter how strong an organization’s defenses are.

For this reason, insurance must be a large part of any ITES company’s risk management plan. The incident further supports the idea that ITES companies should carry third-party liability coverage, because their clients are harmed when the provider is compromised. This should be a lesson to all other ITES companies that they need a unique, well-rehearsed incident response plan and cyber insurance coverage not just for direct losses but also for the downstream effects on customers.

Complete Primer on Selecting the Appropriate Cyber Insurance for ITES

Factors to Consider

Many things need to be considered by ITES companies when choosing a cyber insurance policy to ensure that they are fully covered.

These include:

  1. Company Size and Complexity: Larger, more complex ITES companies will require more coverage. Any company that operates transnationally must have measures in place to ensure compliance with international (and national) laws.
  2. Data Sensitivity and Volume: Companies that hold a lot of customers’ sensitive information (financial records, health info, PII, etc.) will need to make sure that their policies include strong data breach response and legal liability coverage.
  3. Risk Exposure: Every ITES company has its own level of risk depending on its kind of business and the level of security it maintains. For example, a company with many client integrations would be more exposed to third-party liabilities and, thus, should pick a policy that covers this kind of exposure.
  4. Tailored Coverage Options: Cyber insurance is also highly flexible and can be tailored to fit a business. For example, ITES companies might require additional coverage for business interruption, third-party liability, and ransomware.

 

Evaluating Policy Options

When evaluating policy options, ITES firms should:

  • Compare coverage limits across different insurers to ensure they receive adequate protection.
  • Analyze claim settlement history to identify insurers known for quick and fair claims processing.
  • Assess the cost-benefit ratio by balancing premium costs with the extent and quality of coverage offered.

It is also very important to have an insurance broker who knows the ins and outs of the ITES sector. Agents who know this business inside and out can help companies sort through the wording of the policies and ensure that they select the proper coverage for their individual risks.

Other Liability Risks and Insurance Policies for ITES

Besides the risk of cybercrime, ITES (Information technology-enabled services) companies are exposed to many other liability risks that can seriously impact their business. These risks all need to be covered by different types of insurance to prevent financial losses and legal trouble. Let’s examine the main liability exposures and the corresponding insurance coverages that ITES companies should consider.

1. Legal Risk

ITES companies, due to the very nature of their business, often enter into intricate contractual agreements with customers, suppliers, and third-party service providers. These contracts usually have strong language about data security, service-level agreements (SLAs), performance metrics, and deliverables. Any breach of these covenants can result in lawsuits. Common examples include:

  • Breach of Contract: For example, the customer can sue for damages if an ITES (Information Technology Enabled Services) company does not provide a particular service or product as agreed in the contract. This could occur due to delays in service delivery, failure to meet SLAs or inadequate service quality.
  • Intellectual Property Disputes: ITES companies that develop software or deal with proprietary processes could be vulnerable to intellectual property lawsuits if they unknowingly use patented technologies or processes and do not have the appropriate licensing.

That is why Professional Indemnity Insurance (also known as Errors and Omissions Insurance) is a must. This insurance covers the costs of defending legal claims arising from professional negligence, breach of contract, or failure to deliver services as promised. It typically covers:

  • Legal defense costs
  • Settlements and compensation payments
  • Expenses related to client disputes over service performance.

2. Product Liability Risk

ITES companies usually create, deploy, and maintain software applications or IT products for their customers. If the software or IT solution provided does not work as promised or causes operational difficulties, the client can sue for any financial losses. For example:

  1. System Failures: A bug in the software could cause the system to go down, which would mean that the client’s operations would be down.
  2. Security Vulnerabilities: If an ITES provider uses a software product with security holes that result in a data breach or a system compromise, then that ITES provider is liable.

To protect against this, Product Liability Insurance is recommended. This insurance pays for the legal expenses and damages associated with any claims brought against the company due to a defect in the product, a software or system failure, or a mistake that caused a customer financial or operational loss.

3. Physical Asset Risk: Property & Casualty Insurance

Although ITES companies are digital at their core, their physical infrastructure is vital to the continuation of service delivery. That includes office space, data centers, servers, networking equipment, and IT hardware. If any of these physical assets are damaged, such as by fire, theft, natural disaster, or another type of peril, the business can be severely disrupted and suffer great financial loss. Property and Casualty Insurance provides protection for:

  1. Damage to the office building from fire, water, or other natural disasters.
  2. Servers, computers, and various networking devices, if damaged or stolen.
  3. Revenue loss due to business interruption caused by physical asset damage.

This insurance allows ITES companies to recover from such disasters without going bankrupt.

4. Directors and Officers Liability Risk (D&O)

ITES firms, particularly those publicly listed or large, are at high risk from the decisions and actions of their top management and board of directors.

Directors and Officers Liability Insurance (D&O) protects the personal assets of senior executives if they are sued for acts or decisions taken within their official capacity.

Examples of situations covered by D&O insurance include:

  1. Allegations of mismanagement: Directors can be sued by shareholders/investors if they mismanage the company’s money.
  2. Breach of fiduciary duty: If the company officers are charged with not acting in the best interests of the company or its stakeholders, then they can be sued.
  3. Regulatory investigations: Government or regulatory agencies could look into the company’s upper management for negligence or dereliction of duty regarding industry laws, such as not complying with the Digital Personal Data Protection Act (DPDP Act).

D&O insurance covers the legal fees, settlements, and judgments from such claims, protecting the company and its directors from personal financial exposure.

5. Employment Practices Liability Risk

ITES companies, like all other companies, are required to follow labor laws and practice fair employment. Even so, disputes can arise between employees and the company over wrongful termination, sexual harassment, racial discrimination, etc. Employment-related lawsuits can be costly, both financially and reputationally.

EPLI or Employment Practices Liability Insurance provides coverage for legal defense costs and settlements from claims made by employees such as:

  1. Wrongful termination or layoffs
  2. Discrimination based on race, gender, or age
  3. Harassment or hostile work environment claims
  4. Breach of employment contracts

EPLI is a must-have insurance coverage for ITES companies that employ hundreds of employees, contractors, and freelancers to cover these risks.

ITES companies have many other liability risks besides cyber threats. Businesses need a risk management strategy to protect themselves from these types of claims; this includes various types of insurance, ranging from professional indemnity to property and casualty and directors and officers liability insurance.

Each insurance policy is designed to cover specific risks, ensuring that ITES companies can operate securely and continue to thrive in an increasingly complex business environment. With the ability to manage both cyber risks and legal, product liability, physical asset, and employment-related risks, ITES firms will have the comprehensive security they need to defend themselves against the many threats they encounter. Since cyber insurance is not a standalone risk management solution, this holistic approach to risk management coupled with cyber insurance will help ITES companies ensure business continuity and protect their financial well-being in the event of such disruptions.

 

Mitigata’s Expertise in ITES Cyber Insurance


Mitigata is one of the foremost firms that offer cyber insurance specifically designed to meet the needs of an ITES company. Mitigata, with its strong background in the industry, knows all about the problems a business has to deal with when it is entrusted with personal customer information and must function in a quick, high-tech world.

Introduction to Mitigata’s Industry Expertise

Mitigata’s cyber insurance solutions go beyond simple coverage. They offer a comprehensive approach to risk management, including cybersecurity assessments, employee training, and proactive monitoring tools to mitigate risks before they become major incidents. With Mitigata’s years of experience in the ITES industry, they offer policies that encompass a wide range of exposures, such as:

  1. Ransomware attacks
  2. Data breaches
  3. Business interruption
  4. Third-party liabilities

Tools and Resources Provided by Mitigata

Mitigata provides the following tools and resources to ITES companies to strengthen their cybersecurity posture:

  1. Cybersecurity risk assessments: Continual testing to find weak points in IT structures and prevent problems before they result in a security breach.
  2. Employee training programs: Comprehensive programs to educate employees on recognizing phishing attacks, securing work devices, and complying with data protection laws.
  3. Compliance support: Help in compliance with the DPDP Act, GDPR, and other local and international regulations to prevent organizations from massive fines.

Success Stories and Testimonials

Mitigata’s customized insurance products have served many ITES companies. One client, a mid-sized BPO, experienced a ransomware attack that paralyzed its operations for three days. 

Thanks to its comprehensive cyber insurance policy with Mitigata, the firm could cover the ransom payment, recover lost data, and manage the financial impact of business interruption. Other clients’ feedback about Mitigata says they are very responsive, quickly process claims, and know the industry well.

Call to Action: Mitigata offers the most comprehensive and tailored solutions for ITES companies looking to safeguard their operations against evolving cyber threats and liability risks.

Call Mitigata now for a free risk evaluation and to get the right cyber insurance coverage for your business. With Mitigata’s knowledge, ITES companies do not have to worry about growing because they know they will be financially covered if a cyber incident ever occurs.
