This article is written by Aniket Tiwari, a student of Law School, Banaras Hindu University. In this article, he explains various aspects of the Cyber Insurance Policy and why such a policy is needed.
Insurance can be defined as the means of protection from financial losses against the risk of contingent or uncertain loss. Here a person or entity who takes such insurance is known as a policyholder and the entity that provides insurance is known as an insurance carrier or underwriter.
A cyber insurance policy, also referred to as cyber risk insurance or cyber liability insurance coverage (CLIC), is designed to help an organization mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. Like any other insurance product, it is used to protect businesses and individual users from risks relating to information technology infrastructure and activities. Such risks are generally excluded from traditional commercial liability policies, or, put another way, they are not specifically defined in traditional insurance products.
Why is it needed?
Cyber insurance, as the name suggests, insulates a company or individual from damages incurred during a cybersecurity incident. The main idea behind it is to shift some of the risk of damages to the insurance company.
In today’s age and time, cyber risks have drawn significant attention. Whether corporate or individual, digitization has touched all entities. Digitization generates a huge amount of data, which when used prudently can become a coveted asset. However, this information is misused, and cyber-attacks have become very common. Cyber risk has become more pertinent nowadays as it elevates attacks from an individual level to that of a ‘State’.
The World Economic Forum Risks Perception Survey, 2018-2019 puts “Cyber Attack: Theft of data or money” fourth in the list, with an 82 percent probability of such attacks on systems. “Cyber Attacks: disruption of operations and infrastructure” is fifth in the list, with an 80 percent chance of such incidents.
Impact of security breaches
Apart from monetary losses, there are various hidden costs of a data breach, which include lost business, partnerships, and reputation. These could be more debilitating, necessitating a better risk management strategy.
Apart from these, there are several other impacts of cybersecurity breaches, which are as follows:
- Losses relating to Intellectual Property.
- It will lead to legal engagements that are hectic.
- It will affect business supplier relations.
- It degrades the company’s reputation.
- Financial losses.
- It becomes difficult to retain the customers of the company.
Also, “Cyber Risks” are increasing in India. India has even become the second most affected country due to cyber-attacks (from 2016-2018). The average monetary loss due to a breach in cybersecurity has risen by 7.9%. According to the Allianz Risk Barometer 2019 also, ‘Cyber Incidents’ is defined as the top risk for businesses in India.
Cyber Liability Coverage
Cyber liability insurance primarily covers those breach events where personal identifying information is lost, stolen or disclosed. Some examples of Personal Identifying Information (in Europe it is called Personal Data) are as follows:
- Account Numbers of persons
- Credit Card information
- Social Security patterns like passwords
- Driver’s License number
- Healthcare data of anyone
Cyber insurance covers breaches of this personal identifying information. It even covers the smallest incident, like disclosing a single customer record to the wrong party (it should be noted that this type of incident should happen accidentally). There is a requirement to report these breaches to the appropriate authorities, but not every incident rises to the level of reporting. Basically, the cyber insurance policy covers the legal fees and expenses associated with such kinds of breaches. In addition, it also includes:
- Assisting with customer notifications following an incident,
- Working to restore the personal identities of affected customers,
- Recovering data that was lost during such incidents,
- Repairing computer systems and networks that were damaged in such incidents.
Many insurance policies also offer affected customers credit monitoring services. This helps to rebuild the company or organisation’s reputation after a cyber breach.
The cyber insurance policy covers economic losses that result from data breaches and other cyber incidents. Most of the cyber insurance policies include first-party and third-party coverages. Some coverages are included automatically while others can be available ‘a la carte’. So let’s discuss the first party coverages and third party coverages.
First-Party insurance is between the policyholder (the first-party) and the company providing such insurance (the second-party). An example of first-party insurance coverage would be a computer owner who suffers from any cybersecurity breach. Here, in this case, the computer owner will make a claim with the insurance company to cover damages and repairs. The insurance company will compensate the computer owner according to the insurance policy.
However, there are certain categories that are covered under first-party coverage. Here is a list of some of such categories that are covered under such coverages:
- Damage to electronic data- It covers the cost to replace or restore electronic data or programs destroyed or stolen in any kind of data breach. However, it should be noted that the losses must result from a covered peril such as a hacker attack, a denial of service attack, or a virus. The cyber insurance policies also include the cost of hiring experts or consultants to help preserve or reconstruct data.
- Loss of income and extra expenses- Cyber insurance policies also cover the income losses which a company or individual suffers due to a cyber attack. They also cover extra expenses that one incurs after his/her computer system fails due to a covered peril. Some insurance policies cover the income losses which one suffers when his/her network provider’s system has been breached.
- Cyber extortion- Cyber insurance also applies when a hacker breaks into the computer system of the policyholder and threatens to commit a criminal or wicked act, like damaging one’s data, introducing a virus, releasing confidential data, or initiating a denial of service attack, unless one pays a specified amount of money. Coverage usually extends to any extortion payments that the policyholder makes and expenses that he/she incurs in responding to the demands.
- Damage to one’s reputation- Some of these policies also cover costs that the first party incurs for marketing and public relations to protect itself from damage to its reputation following a data breach. This coverage may be known as ‘Crisis Management’.
In a third-party insurance claim, there are three parties. The first one is the policyholder or insured individual, the second is the insurance company and the third party is another individual. The third-party insurance claim is made by someone who is neither the policyholder nor an insurance company. The most common type of third-party insurance claim is the liability claim (they are called so because someone else is liable for the injuries suffered by the third party). An example of a third-party cyber insurance claim is as follows. Suppose that, due to some cyberattack on the computer system of a company, personal information of its customer is leaked. Then the customer can claim money from the company, and it would be covered under the third-party coverage.
The liability coverages afforded by a cyber policy are usually claims-made. Here the coverage applies to damages that result from the covered claims as well as the cost of the policyholder’s defense. It should be noted that the defense costs may reduce the limit of insurance. Now we will see some areas that are covered by third-party insurance:
- Network Security and privacy liability- It covers claims against the negligent actions of firms, for errors or omissions of the firm or individuals that result in a cyberattack, unauthorized access, introduction of a virus, or other security breaches of a system of the policyholder. It also covers claims alleging that the policyholder has failed to properly secure sensitive data stored in his/her system.
- Electronic Media Liability- Third-party insurance coverage also covers the lawsuits against the first party for acts like libel, slander, defamation, invasion of privacy, copyright infringement or domain name infringement. These acts are covered only if they result from the publication of electronic data on the internet by the policyholder.
- Regulatory Proceedings- It also covers the fines or penalties imposed on the first party by regulatory agencies that oversee data breach laws. It also covers the cost of hiring an advocate to assist in response to a regulatory proceeding.
Factors that insurance companies look at while deciding coverage
All the above-mentioned categories for giving insurance to the policyholder need to be checked by the insurance company before actually giving a financial assessment to the policyholder. An insurance company or second party wants to see that the policyholder has assessed its vulnerability to cyber attacks and follows the best precautionary steps by enabling defenses and controls to protect against cyber attacks as much as possible. The firms should hold seminars and workshops for their employees about security awareness, especially about phishing and social engineering, and this would be part of a protection plan. The other factors which are looked at while deciding the coverage amount include the policyholder’s use of threat intelligence services for the latest information on zero-day and targeted attacks.
Here the cyber insurance company may also request an audit of the policyholder organisation’s processes. The policy-granting company also looks at the governance of the policyholder before granting any coverage.
What to look for as a cyber insurance buyer
There are lots of well-known insurance policies in India, such as Bajaj Allianz General, HDFC ERGO General, ICICI Lombard, etc., and it becomes difficult for customers to go with any one cyber insurance policy. Insurance industry analysts believe that clients/consumers will soon expect a cyber insurance policy to be part of every business insurer’s product line. When a person is going to take a cyber insurance policy, he/she must compare various policies. The customer must find out whether the policy covers all of the items listed in the previous section. He/she must inquire about the following special circumstances:
- Does the insurance company offer more than one type of cyber insurance policy, or is the coverage simply an extension to an existing policy? A stand-alone policy is considered to be more comprehensive. Also, the customer needs to find out if the insurance policy is customisable to an organisation.
- One should always compare the deductibles among the insured, just like he/she does with health, facility and vehicle policies.
- One should look at how limits and coverage apply to the first and third party. For example, does the given policy cover the third-party service provider?
- The next thing which an individual or a firm must look at is whether the insurance policy covers any attack to which the policyholder falls victim, or whether it covers only targeted attacks against the policyholder in particular.
- The person who is looking for cyber insurance must also look at whether the insurance policy covers non-malicious action by an employee of the company.
- It should be clear that the policy covers social engineering as well as network attacks. Social engineering plays a role in all kinds of attacks, including phishing, spear-phishing and advanced persistent threats (APTs).
Every cyber insurance policy has certain clauses mentioned in it. For example, in Bajaj Allianz Individual Cyber Safe Insurance Policy there are 10 clauses mentioned in it, and each of these clauses has a sub-limit. The claim for phishing, email spoofing, and social media cover will have a maximum limit of 25%, 15%, and 10% respectively. In addition to this, the insurer pays for IT Consultant Service Cover cost.
Similarly in cybersecurity insurance of HDFC ERGO, there are sub-limits but protection from malware attack has been kept optional and thus will be charged extra.
Types of Cyber Insurance every business should have
Many business owners think that data breaches can only take place in a big multinational company. But the reality is that most data breaches first start from small and pop-up businesses. For this reason alone, it becomes important for the owners of these businesses to have a cyber insurance policy.
Three main types of Cyber Insurance Coverage that each business owner should have are Cyber Security, Cyber Liability, and Technology Errors and Omission Insurance. Here the first two insurance policies deal with risks relating to a Data Breach, while the third one deals with the company that provides technology products and services.
As a user, one needs to take adequate precautions even though there is cyber insurance for a breach of security. In cyber insurance, the situation will be subjective, as monetary compensation varies from claim to claim; it will also depend on various factors, such as how the cyberattack took place and the circumstances under which the loss was triggered. Also, it is important to know that cybersecurity is a pretty young sector and data about the risks is changing very rapidly. Businesses and individuals still have doubts about whether they need such a policy or not. This is because they do not know whether they are at risk of a cyber breach or not.