This article has been written by Harshita Shah pursuing the Diploma in Cyber Law, FinTech Regulations and Technology Contracts from LawSikho. This article has been edited by Dipshi Swara (Senior Associate, Lawsikho).
Cyber insurance is no longer a luxury but a necessity. Attackers are constantly on the lookout for systems they can compromise and hold to ransom, and ransomware attacks have been climbing across the globe since 2020. A Check Point Research report puts the global rise in ransomware attacks in 2021 at 102 percent, and India is moving towards the top of the list of countries exposed to them: since the beginning of 2021, organizations in India have faced on average about 213 ransomware attacks per organization per week. Insurers have correspondingly seen a rise in demand for policies covering cyber risk. A cyber insurance policy helps an organization bear the aftermath of a hack: a successful attack can disrupt its computer systems, damage hardware and software, and cause loss of data and goodwill. One infamous example is the Colonial Pipeline ransomware attack, in which the company paid a ransom to obtain the decryption tool from the attackers; the ransom was reportedly covered by its insurance policy.
A cyber insurance policy, like any other insurance, is a mechanism through which a company protects itself from the financial brunt of a cyber attack. Many insurers now offer a separate package that covers cyber risks. A cyber insurance policy indemnifies the insured against costs arising out of business interruption, extortion and ransom payments, breach notifications, investigation of the attack and quantification of the loss. Unlike many other policies, however, a cyber risk policy will not indemnify the insured if the breach is found to have resulted from careless security practices on the insured's part, or from any wilful fraudulent act or violation by it. Typically, a cyber insurance policy covers the immediate loss after an attack and does not account for any future loss of goodwill or intellectual property caused by it.
Before buying a cyber insurance policy, an organization needs to check which types of loss the policy covers. The most common pattern today is ransomware: the attackers deliver malware through a phishing email or malicious link that an employee opens, gain control of the systems and the data on them, encrypt the data and promise to hand over the decryption keys only if a ransom is paid. Increasingly they also copy the data out before encrypting it, so even an organization with good backups is told that its data will be sold or published on the dark web if the ransom is not paid. Backups restore operations, but they do not undo the theft of the data. Hence ransomware, including this extortion-by-disclosure variant, must be included in the policy along with the other risks.
Should you consider buying a cyber insurance policy?
Cyber insurance policy premiums can be expensive, depending upon the risks associated with the data of your organization or business. Also, broad coverage of cyber insurance policy may not be required by your organization. Before buying a cyber insurance policy, you should ideally evaluate the requirement, inclusions, and exclusions in the policy and assess the risks associated with the data. The categorization below will help you in deciding an ideal policy fit for your company.
1. Processing large volumes of data– If your business deals with large volumes of personal or sensitive personal data, you should get an insurance policy. Organizations in the finance industry that keep records of card details, transaction values and amounts, or organizations in the healthcare industry, must obtain a cyber insurance policy. How much data you store or process, the nature of that data, and what the effect on your business or supply chain would be if an attack succeeded are the questions to answer. E.g. in the Colonial Pipeline case, the ransomware attack disrupted the company's operations. The company transports gasoline, diesel and jet fuel along the east coast of the USA. Because of the shutdown, some airlines had to change their schedules as fuel could not be delivered, and several states declared a state of emergency. Companies whose supply and logistics chains run on data must obtain an insurance policy.
In any case, even if your company is small and does not process large volumes of personal or sensitive personal data, you may still opt to buy a cyber insurance policy to cover loss resulting from damage to your computer hardware and software. Premiums vary with the risks involved. The policy will also help cover the cost of breach notifications, investigations, any additional security safeguards that have to be put in place after the investigation, and compliance with state, national or international law following a security breach.
2. Heavy fines for security breaches- If your organization stores or processes large volumes of personal or sensitive personal data and is therefore subject by law or regulation to fines, penalties, investigations and cyber security reporting, a cyber insurance policy can cover those costs for you. E.g. under the General Data Protection Regulation (GDPR), a personal data breach must be notified to the supervisory authority within 72 hours of the controller becoming aware of it (the company's data protection officer is normally the person who handles this), and where the breach is likely to result in a high risk to the individuals concerned, they too must be informed without undue delay. A cyber insurance policy will help you cover the cost of such notifications.
3. Contractual requirement under the agreement– Sometimes a party to an agreement will specifically require you to cover the risk of a data breach with a cyber insurance policy. Secondly, if you fail to deliver services or products as per the terms and conditions of the agreement because of a cyber attack, the other party may claim indemnity from you for the loss arising out of non-performance, and a policy with contractual liability cover can respond to that claim.
4. No cybersecurity measures are guaranteed– Even if your organization has robust cyber security measures in place, there is always a chance of bad actors penetrating your systems, which is why a periodic security audit is also important. Nonetheless, because cyber threats keep evolving, a policy is the way to indemnify your company against the consequences of an attack that gets through.
5. Confidentiality obligations– Are you in a business that deals with large amounts of confidential information? A piece of confidential information may not fall under "sensitive personal data", but it is what the parties to a contract have agreed to keep confidential. Moreover, more and more people now use online media to communicate and to exchange files and confidential information. Companies often adopt platforms with weak or no encryption to share such data, and passing confidential information over such channels puts its confidentiality at risk.
Not only that, sharing information over such poorly secured platforms can expose your systems to viruses, malware and other bad actors, and organizations holding a lot of confidential information are prime targets for attackers. Hence, in the event of a cyber attack that puts you at risk of breaching confidential information or your confidentiality obligations, a cyber insurance policy can cover several of the costs that follow such a breach or disclosure.
6. Do you collect login credentials of your customers?– If your company runs a website or other platform that lets users create an account and log in, you should regularly test the security of that web application. Common web-based attacks include cross-site scripting, SQL injection and denial of service. The first two exploit flaws in how the application handles user input, such as a login form whose input is pasted straight into a database query; denial of service attacks are typically launched from networks of compromised computers. Hence, if you are in e-commerce, or your website is an integral part of your marketing, delivery or revenue, you must have an insurance policy in place.
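The login form mentioned above is the textbook SQL injection target. The following is an added example, not code from the original article: it puts a string-built login query beside a parameterized one, on a constructed in-memory SQLite users table with made-up credentials, so the bypass and its fix can both be run. The table names, user names and passwords are assumptions for the demonstration.

```python
"""Login check: string-built SQL (injectable) beside a parameterized query.

Added illustration; the tables, users and passwords below are constructed
for the demo and are not from any real system.
"""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (assumption: these are the only users).
SAMPLE_USERS = (("alice", "correct horse"), ("bob", "hunter2"))


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a slow KDF so a leaked table is not cheap to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_db() -> sqlite3.Connection:
    """Build two tables: users_plain (the bad old design) and users (salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_USERS:
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (user, pw))
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, _hash_password(pw, salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The injectable pattern: user input is concatenated into the SQL text.

    A password of  x' OR '1'='1  turns the WHERE clause into
    username = '...' AND password = 'x' OR '1'='1', which matches every row.
    """
    query = (
        "SELECT username FROM users_plain "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened: bound parameters, and the password is verified in Python.

    The driver sends the username as data, never as SQL, so quotes and
    comment markers in it cannot change the query's structure. The stored
    hash is compared in constant time to avoid leaking information through
    timing differences.
    """
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same KDF cost for unknown users so timing does not reveal
        # whether an account exists.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = row
    return hmac.compare_digest(_hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"
    print("vulnerable, real password :", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected      :", login_vulnerable(db, "alice", injected))
    print("safe, real password       :", login_safe(db, "alice", "correct horse"))
    print("safe, injected            :", login_safe(db, "alice", injected))
```

Running it shows the injected password logging in through the vulnerable function and being rejected by the parameterized one. The same bound-parameter discipline applies to every query that touches user input, not only the login form, and a periodic test that feeds such payloads to each input field is the simplest form of the regular scanning the text recommends.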
7. Third-party services– We are all aware of the recent cyber attack that compromised the personal and sensitive personal information of Air India passengers. Air India uses the services of SITA (Société Internationale de Télécommunications Aéronautiques), a data processor that handles passenger details on behalf of Air India and that says it serves around 90% of the world's airlines. The breach happened at SITA's end. So if your company also uses third-party services to process data, you should opt for a cyber insurance policy, because a breach at a third-party service provider will still be followed by an investigation into the incident at your end, and you will need reputation management personnel on the ground.
Also, when entering into a contract with any third-party service provider, you must take extra care to review the contract, the security practices the third party follows, and the timeline for breach notification. In Air India's case, SITA notified it of the incident in late February 2021; Air India issued a brief notice in March and disclosed the full scale of the breach only months later. Such delays increase the cost of dealing with an attack. A cyber insurance policy can help in such cases, where the loss is compounded by negligence or breach of obligation on the part of a third-party service provider.
What all should you include in your cyber insurance policy?
A good cyber insurance policy addresses all possible consequences that may be the result of such cyber attacks. Depending upon the requirement of your business, the data and confidential information, and the magnitude of harm that can result on account of such breach you should negotiate your cyber insurance inclusions and seek the assistance of your cybersecurity team, and lawyers who can guide you well. There are certain key clauses that you must address in your cyber insurance policy.
- Cyber security incident response plan– After an attack, a company would either hire an incident response team or use its own in-house incident response committee to identify the vulnerabilities that were exploited. The incident response team conducts a detailed investigation and quantifies the loss caused by the breach. The IT specialists review your systems, establish the cause of the attack, measure the extent of the breach, review your backups and produce an investigation report. The objective of such a plan is to act immediately so as to minimize the harm, protect the data and enable your business to recover from the disruption. A cyber insurance policy can cover the cost of these investigations.
- Reputation management– After an attack, the one thing that spreads like wildfire is your inability to protect your customers' data. Even the biggest corporations, despite good cyber security governance, fall victim to such attacks, partly because attackers target them precisely because they can pay a large ransom to get their data back. Hence it is essential to deploy employees, or outsource to an agency, to stop your reputation and goodwill from crumbling.
- Legal expenses– If you operate in a jurisdiction with strong data protection law and active enforcement against breaches, cyber insurance will help you cover the legal expenses and any compensation payable to your customers.
- Loss arising out of identity theft– If the cyber attack is followed by identity theft, it can damage your customers' credit standing and put them in financial and reputational difficulty. A cyber insurance policy will help you cover the compensation and remedies owed to such customers.
Problems with the current landscape of cyber insurance practices
- Bodily injury and property damage– A cyber insurance policy does not cover bodily injury or damage to tangible property. In a 5G and connected-device world, where physical assets are networked together, an attack on such infrastructure can not only damage property but injure or kill someone. Ransomware demands have risen ever since the lockdowns.
Until the company pays, the attacker will not hand over the decryption keys, and recovering the data is tedious because the network infrastructure is left weakened after the attack. Imagine a nation's critical infrastructure targeted by attackers: any physical damage or loss of life caused by such an attack is not covered. If air traffic control, for instance, were attacked, the state would be left in chaos, with no real-time picture of aircraft movements and traffic, putting passengers' lives at risk. Yet today's cyber insurance policies make no provision for loss of life when critical operations running on computer systems are attacked.
- Exclusion for hostile or warlike action– NotPetya was malware that encrypted files across a network of computers and demanded $300 to decrypt them. It appeared in June 2017, shortly after the WannaCry ransomware attack, and spread using the same EternalBlue exploit. Research suggests that NotPetya first spread through a tax and accounting software package used by many companies in Ukraine, and from there infected other networks. Mondelez was among its victims: around 1,700 servers and 24,000 laptops of the company were damaged in the attack. Mondelez held a property insurance policy with Zurich Insurance in the USA whose terms covered "physical loss or damage to electronic data, programs, or software, including physical loss or damage caused by the malicious introduction of a machine code or instruction". However, the policy excluded hostile or warlike action in times of peace or war by a government or sovereign power. Zurich took the position that NotPetya was state-backed and fell under that exclusion, and Mondelez sued; the dispute was reported settled in 2022.
- Future risks– Cyber insurance policies do not keep pace with the evolving nature of attacks and are limited to widely recognized forms of attack. Cryptojacking, for example, is an attack in which the attacker uses a business's computing resources to mine cryptocurrency and collects the mining reward. Cryptojacking does not involve a breach or loss of data or identity, which makes it hard to notice that it is running in the background. It only consumes the device's processing power, but that causes overheating, slows the systems down and burns a great deal of electricity. Cyber insurance presently does not cover such losses: it comes into the picture only after an attack that results in a breach of data or a threat of one.
- Security practices– Currently, if a company suffers a ransomware attack, the policy covers the ransom amount. In 2020, ransom demands rose steeply across the world. Attacks have also become more frequent because employees work from home and use their own devices, which are easier to compromise; relying on a VPN alone is no longer enough. Insurers should therefore assess the security practices a company actually follows against current attack trends. Otherwise, insurers paying out ransoms will discourage the insured from adopting and implementing good security practices.
- Absence of regulations– Currently, neither the Information Technology Act nor the Reasonable Security Practices rules made under it say anything about cyber insurance. Companies simply recover the ransom they paid from their insurers. In the absence of unified cyber security standards under statutory rules, companies do not adopt modern cyber security practices and keep relying on the same age-old methods.
In the state of New York, legislators have proposed a ban on paying ransoms where the attackers targeted the systems of government agencies; the proposal would create a Cyber Security Enhancement Fund so that agencies can upgrade their security. The U.S. Department of the Treasury has added several ransomware gangs to its sanctions program, prohibiting U.S. entities and citizens from doing business with them. India also needs deliberations on this front. The Data Security Council of India reports that since the GDPR came into force Indian companies have started taking out cyber insurance, because the data security obligations under the GDPR are demanding. In the UK, the cyber insurance framework encourages better risk mitigation and risk management along with an active recovery plan and financial resilience.
Cyber insurance will soon become a hot sector and every industry will have to make room for it. Industries also need to make room for robust cyber security initiatives, however. Small startups and companies can share their cyber security designs, implementations and infrastructure. Zero trust measures also need to be in place so that a compromised computer system is not implicitly trusted, and requests from it are not accepted, by the rest of the network. Companies and governments should pool their resources to map data and cyber disaster scenarios so that they can better determine insurers' liability and set the premiums and inclusions of cyber insurance policies accordingly.