What is Cyber Security Insurance Policy?

The Working Committee set up by the IRDAI has proposed detailed regulations to address cyber risks. It has recommended the introduction of a Cyber Liability Policy that will protect the policyholders from cybercrimes.
Created On: Jan 29, 2021 19:09 IST
Modified On: Jan 29, 2021 19:09 IST

Amid the ongoing COVID-19 pandemic, there have been rising incidents of cyber attacks and data violations. In view of this, the Working Committee set up by the Insurance Regulatory and Development Authority of India (IRDAI) has proposed detailed regulations to address cyber risks. 

The committee has recommended the introduction of a Cyber Liability Policy that will protect the policyholders from cybercrimes. The Committee has also underscored the significance of the cover for individuals and recommended creating more awareness of such products.

In October 2020, IRDAI set up a committee for cyber liability insurance. The committee has submitted its report.

The report submitted by the committee states, "Cyber insurance policies, currently available, address the requirements of individuals reasonably well. But there are some areas in the product features and processes which need improvement. Recommendations made to fill in the gaps include the need for flexibility in the insistence of a First Information Report (FIR) at the time of claims, clarity in exclusion language relating to compliance with reasonable practices and precautions, targeted intrusion, unsolicited communication and the need for coverage for bricking costs etc."

Highlights of the report:

1- The number of internet users in India is approximately 700 million. The number is estimated to increase in both rural and urban areas.

2- In 2019, India was ranked as the second-largest online market in the world, next to China.

3- The committee noted an increase in online banking users.

Recommendations made by the Committee:

At present, the cyber insurance policies available address the requirements of individuals reasonably well. However, some areas need improvement. The committee has recommended the following:

1- FIR on higher claims: Insurers must not insist on a police First Information Report (FIR) for claims up to Rs. 5,000. However, an FIR is a critical requirement to assess claims.

2- Clarity in language: Clarity is required in the exclusion language related to compliance with reasonable practices and precautions. Coverage is also needed for bricking costs, that is, loss of use/functionality of hardware as a result of a cyber incident.

3- Standardisation of Cyber Insurance Policy: The committee noted that it is a good idea but may not be able to address all the emerging risks and is likely to limit innovation.

What will the Cyber Insurance Policy cover?

| Cyber Events | First Party (directly paid or incurred by the Insured) | Liability (arising from a claim or an investigation targeting the Insured) |
|---|---|---|
| Data Breach | Emergency Response Costs; Event Management Costs; Notification Costs; Monitoring Costs; Recovery Costs | Damages; Regulatory Fines and Penalties; Defence Costs; Investigation Costs |
| Cyber Attack | Emergency Response Costs; Event Management Costs; Diverted Funds; Recovery Costs | Damages; Defence Costs; Investigation Costs |
| Human Error | Emergency Response Costs; Event Management Costs; Recovery Costs | Damages; Defence Costs; Investigation Costs |
| Insured's Systems Disruption | BI Loss | N/A |
| PCI Non-compliance | Emergency Response Costs; Event Management Costs | Damages; PCI Penalties; Defence Costs; Investigation Costs |
| Electronic Media Claim | Emergency Response Costs; Event Management Costs | Damages; Defence Costs |
| E-threat | E-threat Response Costs | Damages; Defence Costs |

Salient Features of the Cyber Insurance Policy:

1- The policy provides protection in case of theft of funds due to a cyber event or hacking of the insured's bank account/credit card/debit card/mobile wallet by a third party.

2- It also provides protection in terms of defence costs for claims made against the insured by a third or affected party for identity theft fraud.

3- The policy provides coverage in terms of defence costs for claims made against the insured by a third or affected party due to a hacked social media account of the insured.

4- It provides expenses to prosecute the stalker. 

5- The policy covers data restoration cost due to malware.

6- It also provides phishing cover. 

7- As per the committee report, it provides protection against the fraudulent use of a bank account/credit card/debit card/e-wallet by a third party to make online purchases over the internet.

8- The policy covers expenses in respect of financial losses as a result of a spoofed email attack and covers expenses to prosecute perpetrators.

9- It provides defence costs in third-party claims for defamation/invasion of privacy due to the insured's publication/broadcasting of any digital media content.

10- It provides protection for extortion loss as a result of a cyber extortion threat and covers expenses to prosecute perpetrators.

11- It also provides indemnity for defence costs and damages in claims lodged by a third party against the insured for data breach and/or policy breach.

What is a Cyber Attack?

As per IRDAI, a Cyber Attack is the fraudulent, malicious or dishonest:

(a) causing or use of a Security Breach,

(b) disruption or overload of the Insured’s Systems by a Third Party for any purpose.

As per a report by Nasscom's Data Security Council of India (DSCI) in 2019, India witnessed the second-highest number of cyber attacks worldwide between 2016 and 2018.

It is to be noted that Cyber Attack shall not include any Human Error.

Types of Cyber Attacks:

1- Phishing Attacks: Sensitive information of a person, such as bank account details, is stolen.

2- Spoofing Attacks: Identity theft where the identity of a legitimate user is stolen. 

3- Malware/Spyware: Spyware is classified as a type of malicious software which facilitates access/damage to one's computer without his/her knowledge. It gathers one's personal information and provides it to advertisers, data firms and so on. 

4- SIM Swap: The original SIM of a user is cloned, and the original becomes invalid. The duplicate SIM can be used to access one's online bank account to transfer funds.

5- Credential Stuffing: It is a kind of cyberattack where stolen account credentials are used to gain unauthorised access to user accounts through large-scale automated login requests directed against a web application.

6- Man-in-the-middle attacks: These kinds of attacks are made during online payments or transactions, etc. 

Top Cyber Risk Scenarios

As per a survey by Swiss Re’s global, the top four cyber risk scenarios are:

1- Illicit access to financial credentials.

2- Identity theft.

3- Data loss due to a technical issue.

4- Illicit publication of personal data. 

What to do in case of a cyber event?

In case of a cyber event, contact the Incident Coordinator as soon as possible to reduce any potential/actual loss. Once contacted, the incident coordinator will guide the insured person to avoid or contain any cyber event. 

Initiatives by Government of India to curb Cyber Attacks:

1- In 2018, the Government of India launched 'Cyber Surakshit Bharat' initiative to spread awareness about cybercrime and to build capacity for safety measures for CISO and frontline IT staff across all government departments of the country.

2- National Cybersecurity Coordination Centre (NCCC) scans internet traffic and communication metadata coming into the country to detect real-time cyber threats. 

3- In 2017, the Government of India launched 'Cyber Swachhta Kendra' for internet users to clean their computers and devices by wiping out viruses and malware. 

4- The Government of India introduced Information Security Education and Awareness Project (ISEA) to raise awareness and to provide research, education and training in the field of information security. 

5- National Computer Emergency Response Team (CERT-In) is the nodal agency for coordination of all cybersecurity efforts, emergency responses, and crisis management.

6- Under the Information Technology Act of 2000, NCIIPC was established to secure the country's critical information infrastructure. The National Critical Information Infrastructure Protection Centre (NCIIPC) operates as the nodal agency for the protection and resilience of critical information infrastructure. 

International initiatives to curb Cyber Attacks:

1- The International Telecommunication Union (ITU) within the United Nations aims to standardize and develop telecommunications and cybersecurity issues.

2- Budapest Convention on Cybercrime is an international treaty which deals with internet and computer crime by harmonizing national laws, improving investigative techniques, and increasing cooperation among nations. It came into force on 1 July 2004. It is important to note that India is not a signatory to this treaty. 

3- Internet Governance Forum (IGF) brings together all the stakeholders (government, private and public sector) in the Internet governance debate.