Sharmila Ranade, pursuing a Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho.

Introduction

The Covid-19 pandemic has set a new normal not only for individuals but also for businesses. While individuals were constrained to take the digital route for their day-to-day transactions, businesses had to make arrangements for their employees to work from home. Businesses are struggling with security issues like data protection, secure connectivity, end-to-end data encryption, identifying unauthorised software, remote access to data and disabling removable media. Cyber criminals are exploiting this opportunity to hack into the systems of companies and institutions to steal data, disrupt networks, etc. This leads to unwelcome situations like loss of reputation, huge financial losses, increased expenditure on cyber security software and loss of clientele; complex and damaging attacks have also contributed to lengthy and complex investigations.

The 2020 Year End Data Breach Quick View Report revealed that there were 3932 publicly reported data breaches, compromising over 37 billion records. Compared to 2019, the number of publicly reported breach events decreased by 48%. However, the total number of records compromised increased by 141% and is by far the most records exposed in a single year since Risk Based Security (RBS) reporting began in 2005. There were 676 breaches that included ransomware as an element of the attack, a 100% increase compared to 2019. Businesses have felt the necessity to mitigate this risk by obtaining cyber insurance. Presently, insurance companies offer products that cover the risk of cyber incidents and data breaches. Thus, cyber insurance is becoming popular in India. Despite the necessity and significance of the subject, many organisations fall into a trap: they realise that the cyber incident they went through is not covered by their cyber insurance policy.

Businesses are not in a position to gauge what risks they might be subjected to. Since cyber insurance is at an infant stage, many companies are not aware of what kind of risk needs to be covered. They realise only at the time of the claim that the particular incident is not covered by the insurance policy. We shall discuss the various points that merit serious consideration before buying or renewing cyber insurance cover, individually or for business purposes. These tips will be helpful while you consider buying or renewing a cyber insurance policy for your business.

Procure an insurance cover as per your business needs 

Presently, insurance companies are offering cyber insurance to cover the costs of business interruption, third-party losses, crisis management, information security, breach notification, forensic investigation, cyber extortion, administrative fines, legal expenses, etc. You have to understand your business model and, based on it, pick and choose the cover that is required for your business. You need to understand the threat level and obtain adequate cyber cover. Coverage for notification costs, crisis management expenses and legal expenses should always be included, as there would be a certain amount of litigation by the victims of the cyber-attack. For instance, IT and IT-enabled businesses will need to have business interruption coverage. Time element coverage may be important for small organisations which may not be able to withstand a lack of income for even the shortest period.

Determine the appropriate Sum Assured i.e. the limit of liability

The limit of liability is significant while obtaining insurance cover. You should consider various parameters like the regulatory requirements, potential business liabilities, any other business-specific requirements, etc. It is advisable to take a higher coverage: the impact of data breaches, cost of reconstruction of data, litigation, regulatory fines, etc. need to be included while calculating the limit of liability or the sum assured. You should take the help of experts in determining this amount. You should also lay emphasis on the sub-limits on certain coverage within the total limit of liability. At times, having sub-limits in the policy hampers the claim in the unfortunate event of an incident. Ensure that the sub-limits are scrutinised carefully and set realistically by your insurer. The sum assured should be a grand total of all the sub-limits mentioned in the policy.

Choose a longer Retroactive Date for undiscovered breaches 

Generally, claims can be filed for losses caused since the date of inception of the policy. However, in the case of cyber-crimes such clauses will not be helpful, as the data breach may not be discovered immediately. If the breach is discovered prior to the policy inception, the insurance company may reject the claim stating that it does not fall under the policy period. Thus, you have to consider a prior date as the retroactive date for making claims under the policy. You have to ask for a retroactive date considering the number of years you have been in the business. To take an example, if you started your business of KYC due diligence in 2010 and you wish to take the cyber insurance policy now, you may consider keeping the retroactive date as 2010 to protect yourself from claims arising from breaches that have occurred since 2010. You may have to shell out an additional premium for a longer retroactive date, but it is worth spending that extra amount.

Pay attention to the Exclusions Clauses 

Insurance policies are worded weirdly. There are various parts in a policy and each part may have some specific exclusions. Further, there would be some general exclusions which would be applicable to the entire policy document. You need to read all the exclusion clauses carefully and ensure that such clauses are not loosely drafted to dilute the coverage. Exclusions should be read with the special conditions for coverage and the wait period, if any, mentioned in the policy. It is very important to understand the clauses and their implications for claims. You may request the insurer to reword the exclusions to suit your requirement. For example, if a pathology laboratory is involved in storing the medical records of patients under a confidentiality contract, then it should ensure that there is no term in the policy which excludes breach of contract. Otherwise, it may not be able to claim the loss for breach of such confidential data under the said contract.

Loss of data vis-a-vis misuse of data

Generally, the insurance policy includes loss of data but excludes misuse of data by employees or any other person. Claims get rejected because the data has been misused by someone. It is necessary to ensure that both loss and misuse of data are covered in the policy wording.

Provision for Regulatory Investigation in case of data breach, etc.

Fintech has found its way into the financial sector. These entities are regulated and as such are subject to compliance with the provisions of the applicable law. In case of a data breach or cyber incident, the regulators have a right to conduct an investigation and levy fines on such regulated entities. The insurance policy should cover the expenses of such regulatory investigations, and you should ensure that the fine, if any, levied by the regulator is also covered by the policy.

Add your Cyber Expert on the Insurer’s Panel 

When a claim is filed, the insurance company appoints a surveyor to survey the loss and the claims are finalised based on the surveyor's report. Similarly, under a cyber insurance policy, the insurer appoints a cyber expert to investigate the claim. Such experts will be from the approved panel of the insurance company. They play a significant role in investigating and assessing the loss caused. It is necessary that, while negotiating the insurance policy, your cyber expert is empanelled with the insurer. Policies contain clauses that require consent from the insurer to notify your customers of any breach, conduct a forensic investigation and incur any other expenses which may have an impact on the claim amount. You should read such clauses and ensure that the wording "insurer shall not unreasonably withhold such consent" is included in the clause, and comply with the clause, failing which the insurer finds a ground to reject the claim.

Determine how the Defence cost will be allocated between the parties

It is necessary to include the litigation cost in the policy and determine the allocation of the defence costs between the insurer and the insured. The terms "duty to defend" and "duty to reimburse" are generally found in cyber policies. The two terms have different meanings. You need to determine whether the insurer will bear the entire cost of litigation or whether some portion will be allocated to the insured. It is necessary to have a clear understanding and to have it reflected in the policy wording to avoid future disputes. Further, in case of reimbursement of defence costs, you should check whether there is any sub-limit specified for the defence costs.

Acts and omissions of Business Associates/Vendors

Many companies outsource their data storage to another entity, or the business is such that the data is stored in different places and then consolidated at the end of the day. For example, in a securities depository like NSDL, the Depository Participant (DP) facilitates the requests of beneficial owners in respect of transactions in a demat account. The requests are collected by the DP in its system and then sent to NSDL at the end of the process. Thus NSDL is required to obtain an insurance policy extending coverage to all the DPs of NSDL. Any act or omission of a DP will have an adverse impact on the business of NSDL and result in a claim from the affected party. The Depositories Act and the Rules framed thereunder also mandate the same. In such cases, it is necessary that the insurance policy covers the risks associated with the acts and omissions of the business associates or any other data outsourcing vendor for that matter.

Cyber Insurance with Indemnity Agreements

You should have adequate protection under the indemnity agreements with your vendors and business associates in case any loss is caused due to their acts or omissions.

While purchasing cyber insurance, ensure that the policy is in line with the indemnity agreements executed with the vendors. There should be adequate provision to ensure that you will be able to claim from the vendor under the indemnity agreement, and that this shall be in addition to the insurance claim from the insurer. At times the insurer may not allow claiming from two sources. You need to be watchful and ensure that your interest is protected.

Cyber Insurance and Other Insurance

Since you are including your vendors in your policy, you may ask the vendor to procure an insurance policy and suggest they make changes acceptable to all. In case of any data breach due to the developer, you can exhaust the limit of the vendor's policy first and then shift to your policy.

Subrogation waiver clause

Subrogation is a right to make up the amount of compensation granted to you. You may not be able to pursue a claim against a vendor.

Conclusion

The cyber insurance market is relatively new but is picking up slowly and steadily. The insurance companies are currently focusing on building their insurance market. Organisations intending to obtain cyber cover should anticipate how the business will cope when a cyber-attack has taken place and how far it will impact them. It is better to mitigate this risk by obtaining cyber insurance. It is advised that you read the entire policy document and take note of the points mentioned above with respect to coverage, be vigilant about the wording and the meaning it connotes, and not forget the exclusion clauses. The various options available today need to be included based on the nature of the business. Ultimately, "choose wisely and be safe" is the mantra of the day.
