This article has been written by Rishabh Mishra, pursuing a Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.

Introduction

Insurance is something that indemnifies one against some loss in exchange for some consideration. Traditionally it is for life, goods, or any uncertainty such as health emergency, accident, fire, etc. With the introduction of innovations or services or needs, risks associated with them also increase. Such as when courier services were introduced people did not find courier insurance as a need till they suffer losses or travel insurance in trains till the time an accident happens. The same tale goes with cybersecurity when computers were introduced no insurance needs were felt but with the change in time innovations in this field becomes extremely beneficial for the entities which gain people’s trust to give them their data in various forms such as customer feedback, e-mail ids, bank details through transactions, etc. However nothing is impenetrable, people’s data were compromised in the biggest leaks ever such as Adobe in which 153 million users’ records were compromised including encrypted credit card details of its 3 million users. Another leak was a Yahoo data breach in which data of 3 billion users were compromised and likewise, there were many such incidents in the past. Thus, all these incidents strongly push the notion of cybersecurity insurance for corporates, governments and individuals to be indemnified in case of a contingency. Cybersecurity insurance covers many risks associated with the product or data, offered or secured by any entity. It generally covers loss of Aadhaar details, bank account number, credit card details, authorized Ids such as driving license, voter id, etc, and various other records such as health.

Whom it covers & what it covers?

In order to meet the demand cybersecurity insurance providers have classified the insurance into two broad categories i.e. “individual cybersecurity insurance” and “cyber liability insurance.” From the name itself of “Individual cybersecurity insurance” it can be inferred that it is for the individual person and the policy covers such individuals from various fraudulent activities such as unauthorized online transaction, e-mail spoofing, phishing, identity theft, damage to e-reputation, cyberbullying, social media liabilities, malware attacks, IT theft loss, etc. Although policy coverage depends upon the insurance provider’s offer and it may cover all or a cluster of some of the above-mentioned coverage. 

“Cyber liability insurance” covers entities such as IT firms, corporate or business entities from various cyber threats to their data including general and confidential information and customer’s personal and financial data.

Above mentioned threats have various heads of classification but are not limited to heads of threats mentioned below, and they cover various risks such as:

• Identity theft—if personal data is hampered by any means for instance its unauthorized use, or loss by alteration or deletion of such data. The insurance provider indemnifies against legal expenses such as the cost of prosecution and clerical charges.

• Social media liability—it is basically an identity theft that occurs on social media. But, it may include defamation, harassment, violation of privacy and intellectual property rights, and improper employment practices through social media platforms such as Facebook, Instagram, Linked In, etc. The insurance provider indemnifies against legal expenses such as the cost of prosecution and clerical charges.

• Cyberstalking—cyberstalking is a part of social media liability in which a stalker harasses or threatens another person virtually. He may track such a person’s cyber movement for personal or financial gains. The insurance provider indemnifies against legal expenses.

• Malware attacks—it is the most common type of cyber attack which is used as bait to attract its target. It may be sent to the target device through text messages, emails, messaging platforms, or by leaving USBs or storage devices at public places such as parks, libraries or malls, etc. Types of malware include ransomware, spyware, command and control, e.t.c. The insurance provider indemnifies against the cost of restoration of lost data and miscellaneous legal expenses such as transportation to a court or photocopy charges of documents.

• IT theft loss—it includes unauthorized online transactions for payment by intrusion or hacking of computer devices of such a person. The insurance provider indemnifies against financial loss incurred and legal expenses for prosecution and claims raised by third parties.

• Phishing—is one of the most common forms of attack. Under this type, an attacker can influence the user to share his personal data and pretend as if it is a trusted person or institution. These attacks generally take place through links or attachments of e-mail. Insurance covers financial loss incurred in such incidents and prosecution charges.

• E-mail spoofing—it is a fraudulent activity in which an attacker basically personates an authentic person and in order to personate, they change the header of the email or manipulate the same. The insurance policy covers financial loss incurred out of such spoofing and prosecution costs incurred by the insured person.

• Cyber extortion—the attacker threatens the target that he shall breach the privacy of such a person if he does something or abstains from doing something. Extortion is basically threatening some person in exchange for something, so when it does virtually through virtual means may or may not be for virtual needs then it is cyber extortion. The insurance policy covers financial loss incurred out of such threats and prosecution costs incurred by the insured person.

• Privacy and data breach by third parties—as the name suggests it can be inferred that some third person breaches the privacy of another person and makes an unauthorized disclosure of his personal data and such data may include sensitive personal data. The insurance policy covers legal expenses incurred by the insured person.

Insurance policy coverage mentioned in the above heads of threats is not a straight jacket formula to ascertain that under this head insurance policy shall cover only this much cost incurred because of such an attack. The coverage mentioned for such heads is only indicative and completely depends upon the insurance provider offers and negotiations. Moreover, the above threats are not limited to individuals as they may escalate to institutional levels. 

Factors that determine the premium of cybersecurity insurance

Factors are associated with the nature and type of business and cyber environment in which such business persists. As the cyber world has no boundaries then there may be a possibility that businesses have a uniform cyber environment. There are six factors that may raise the premium of cyber insurance. These factors are as follows:

• Ransomware—it is one of the most common malware which invades the computer with viruses and extorts money from such a person in exchange for the loss of his data. Recently threats have been increased which makes ransomware a high-risk factor while considering premiums for insurance.

• Rising response cost—increase in the cost of the response to cybersecurity incidents is one such factor for rising in premium. Cost includes legal and forensic expenses and even demands of ransomware.

• Increasing replacement cost—around 44% of businesses are upgrading their technology because of cybersecurity incidents and around 1/4th of businesses have increased their IT spends is yet another reason for rising in the cost of the premium.

• Inadequate cybersecurity hygiene—no implementation of best practices is one of the factors which influences the high premium rate of cybersecurity insurance.

• Lack of incident response plan—organizations that do not have rapid and effective incident response plans even for possible threats end up paying high premiums. According to a survey conducted by Ponemon Institute around 77% of businesses don’t have any response plan or have an inconsistent one.

• Business interruption—prima facie financial loss occurred out lost data is not the only factor that governs premium. Insurers also have to forecast those costs also which may be required to take the business right on track and this factor may raise the premium.

Best practices adopted by organizations and individuals can lower the premiums of cybersecurity risks. Some of the practices and factors which may lower the premium are as follows:

• Conduct regular penetration testing—testing of cybersecurity on a regular basis helps to expose the vulnerabilities.

• Strong password control policy—this policy may make the data impenetrable if the password is strong enough to hold. Best practice for a password may contain words that are unique and are alphanumeric with special characters.

• Encryption of sensitive data—encryption of sensitive data and its access to limited hands create a trust on insurers that best practices are followed by the insured. 

• Control on the access of records—number of records to be dealt with by the organization by way of transfer, storage, or access of such records. Who can access such records is yet another factor to determine premium. The lower the number of records the less the premium.

• Work with your existing carrier—whichever carrier insures one property may charge a lower premium.

• Coverage—it is yet another factor that depends on the nature of business and can only be determined according to the needs of such business. It may increase or decrease the premium.

Law governing cybersecurity insurance in India

There are no data protection laws presently in India. In parliament, the Personal Data Protection Bill was first introduced in the year 2019 but did not get assent. Thus, without any specific law for cybersecurity insurance, it is governed by general laws for insurance. IRDA constituted a committee for “Cyber Liability Insurance Policy ” in October 2020 which recommended that there are certain gaps to be filled in the cyber insurance policy of current insurance providers. The recommendations are as follows:

1. Requirement of FIRs must be for higher claims and its non-requirement may be restricted to claims up to Rs.5000/-.
2. The language of policy must be clear and not ambiguous. It is required in exclusion language related to compliance with reasonable practices and precautions. It also needs coverage for bricking costs–loss of use/functionality of hardware as a result of a cyber incident.
3. Standardized agreements are one such good concept but it may lack to address emerging risk and may limit innovations.

Now so far as guidelines on information and technology for insurers is concerned it is only for the insurer to adopt best practices for all data created, received, or maintained by insurers wherever these data records are and whatever form they are in, in the course of carrying out their designated duties and functions.

Conclusion

Cybersecurity insurance is like any other general insurance which covers specific risk associated with the cyber world. In absence of any specific law for it and even for data protection the insurer and insured have to ascertain premium and risk coverage according to their mutual understanding. Thus, in this scenario, a minimum standard coverage also depends upon the negotiations of parties. As far as insurance for individuals is concerned, the IRDA committee finds that reasonable requirements are met for individual’s insurance in the present policies but so far as entities, it has made some recommendations that should be adopted by insurers. Cybersecurity insurance is the need of the hour because the loss occurred through data breach not only resulting in loss of such data but also revenue and reputation loss of the entity which was maintaining such business. Insurance may help such entities or insured individuals to make good the loss and it may also help the entities to take their business right back on track. 

Best practices play an important role to mitigate the risks as well as the premium of cyber insurances. Insurers are very much particular about the kind of best practices adopted by entities to secure their data as it not only helps the insured but it also mitigates the risk of the insurer. Proactive entities which have a rapid and effective response policy at least for documented threats give an impression of a serious and responsible attitude of such an entity towards its data protection. Thus, a rapid and effective response policy is a must for entities before taking cybersecurity policy.

References

1. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
2. https://www.nationwide.com/lc/resources/small-business/articles/what-is-cyber-insurance
3. https://www.paisabazaar.com/commercial-insurance/cyber-security-insurance/
4. https://www.norrisinsurance.com/insurance-tips/personal-insurance-tips/social-media-liability
5. https://www.rapid7.com/fundamentals/malware-attacks/#:~:text=A%20 malware%20 attack%20is%20a,command%20and%20control%2C%20and%20more.
6. https://www.travelers.com/resources/cyber-security/6-factors-causing-cyber-insurance-rates-to-increase
7. https://www.redteamsecure.com/blog/how-to-lower-your-cybersecurity-insurance-premiums
8. https://www.jagranjosh.com/general-knowledge/cyber-insurance-policy-1611919924-1
9. https://www.aicofindia.com/AICEng/General_Documents/Notices%20And%20Tenders/IRDAI-GUIDELINES.pdf

---

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: