Data Breach Drama: When Trust Turns Costly in a Digital Age
Amid surging data breaches, Indian businesses are prone to financial and reputational fallout. Can cyber insurance emerge as a safeguard?
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
Technology disruption is at the forefront of revolutionizing every sector in India. We have witnessed a transition from physical stores to online platforms at an unprecedented speed. Online activities such as internet searches, social media posts, online shopping, or a newsletter subscription are stored alongside your digital credentials and leave a digital footprint.
Some of these actions, such as accepting cookies or using apps, may seem routine or go unnoticed. However, they contribute to the collection of personal data, expanding your digital footprint, and companies have been reported to sell that personal data to third parties.
In more concerning situations, one's personal information may be compromised during a data breach. So the question arises: what exactly constitutes a data breach? Do all cyberattacks fall under data breach? The answer is no. A data breach occurs when unauthorized parties access your personal or confidential information, such as bank details, healthcare data, or corporate data, among other sensitive data. However, not all cyberattacks are data breaches.
For instance, a Distributed Denial of Service (DDoS) attack, which overloads a website or system with traffic, does not involve unauthorized access to data. Thus, it is not a data breach. On the other hand, a ransomware attack is considered a data breach. Additionally, physical theft of files or hard drives also qualifies as a data breach. According to FalconFeeds, India experienced 593 data breaches in the first half of 2024.
Intentful Initiatives
Cybersecurity Awareness Month quickly brought to light one of India's biggest data breaches: Star Health Insurance. The insurance company suffered a massive data breach after the firm's Chief Information Security Officer (CISO) allegedly sold sensitive credentials of 31 million Indians, including PAN/Aadhaar numbers, phone numbers, emails, and home addresses, to a Chinese hacker.
This breach is expected to lead to a surge in cyber scams, including phishing attacks, identity theft, spam calls, and other forms of misuse. When Prime Minister Narendra Modi said at the IMC 2024, "India's Data Protection Act and National Cyber Security Strategy show our commitment to creating a safe digital ecosystem," it solidified India's take on developing robust mechanisms—but there's a long way to go.
"The Digital Personal Data Protection Act (DPDPA) was passed in 2023, but the real challenge lies ahead in implementing it effectively. The consumer's data is at stake here—whether it's buying from a company like Air India or any other. Interestingly, Air India was the only company that proactively reached out to me after their data breach, informing me that my data might have been impacted. It's commendable that a public sector company took the responsibility to notify me, even though no concrete action followed. In contrast, private sector companies, particularly fintechs and startups, don't seem to care much about such transparency," said Pankit Desai, co-founder, Sequretek.
Under DPDPA, companies are obligated to notify the affected individuals and the Data Protection Board of India (DPB) about data breaches within 72 hours.
"If you're a company in California dealing with consumer data, and you violate privacy—knowingly or unknowingly—you will face severe penalties, and the authorities will come after you. Similarly, under the General Data Protection Regulation (GDPR) in Europe, the penalty can reach up to five per cent of your global revenue. So, even if you generate only USD 100 million in the UK but have USD one billion in global revenue, a breach would not just result in a USD five million penalty—it could go up to USD 50 million. That's a huge impact, and it's something companies take seriously," explained Desai.
"The DPDPA was designed to bring similar accountability to India. However, although the act has been passed, it has not been operationalized yet. Many of the necessary bodies still need to be set up," he further added.
Under the DPDP Act, failure to implement security measures can cost up to INR 250 crore, and a company that fails to notify data breaches has to pay a fine of up to INR 200 crore.
Post Breach Recovery
In India, cyber insurance is not a new concept, but only a few big companies have cyber insurance in place. The market size of Indian cyber insurance reached USD 296.3 million in 2023, as per the MARC Group. "Cyber insurance certainly has its place in the post breach recovery process, but it is not a cure-all," said Vijay Verma, Chief Revenue Officer - Service Lines, Persistent Systems.
It is like health insurance: if you keep yourself fit and follow a good diet, health insurance can help pay for medical assistance while you are going through a severe medical condition, but it cannot guarantee long-term recovery or the same body organs. The same holds for cyber insurance: "it can cover immediate financial losses—such as legal fees, regulatory fines, and data recovery expenses—but it cannot fix the long-term damage to customer trust or brand reputation," Verma added.
Additionally, cyber insurance does not cover insider attacks, which was the case with the Star Health Insurance breach. For instance, in 2011, Sony's PlayStation Network was breached, exposing the data of 77 million users. Additionally, PlayStation Network was down for 23 days, preventing users from accessing its services. Sony suffered a cost of over USD 171 million in cyber damage that could have been covered by cyber insurance.
Verma emphasized that companies should build on a solid cybersecurity foundation instead of relying solely on cyber insurance. Small startups and companies can focus on bolstering cyber security with cost-effective measures like Cloud Security Posture Management, Endpoint Detection and Response, open-source tools, regular patching, and employee training. "These strategies may be low-cost, but they are effective in preventing cyber incidents that could lead to substantial financial losses," said Verma.
Yogesh Agarwal, Founder and CEO, Onsurity, said that regular data backups ensure quick recovery from ransomware attacks, while managed service providers (MSPs) offer access to expertise without high costs. "It is now essential in business risk management, covering legal fees, regulatory fines, data restoration, income loss, and reputational harm. With insurers offering crucial resources for incident response, it's becoming as indispensable as any other form of business insurance," added Agarwal.
Growing awareness and the rising tide of cyberattacks are pushing companies to adopt cyber insurance. The domestic market is expected to hit USD 3,556.5 million by 2032, growing at a CAGR of 30.80 per cent during 2024-32. Meanwhile, the global market will also witness a huge jump from USD 16.66 billion in 2023 to USD 120.47 billion by 2032, growing at a CAGR of 24.5 per cent during the forecast period, as per Fortune Business Insights.