Emphasising the necessity for cyber insurance, the Insurance Regulatory and Development Authority of India (IRDAI) has released a circular titled ‘Guidance Document on Product structure for cyber insurance’, focusing on cyber insurance products targeting individuals.
The document responds to a spike in digital crimes and cyber theft during the pandemic. It guides insurers on structuring cyber insurance for individuals and mitigating cyber risks, and will benefit people who conduct transactions online. According to the requirements, cyber insurance should cover cybercrimes including theft of funds, identity theft, as well as unauthorised internet transactions and email spoofing resulting in any wrongful loss. The guidelines also reflect on the gaps that exist in current offerings of this kind, besides suggesting a model policy document.
What is Cyber Insurance? Do we need it?
Cyber insurance is, in simple terms, an insurance policy that aims to protect policy holders from cybercrimes and cyber frauds. Companies offering such a product design it to cover the fees, expenses and legal costs associated with cybercrimes.
Ever since the onset of the pandemic, cyber risks have grown manifold, by as much as 500%. As per CERT-In, hackers are increasingly targeting personal computer networks and routers, mainly because of work from home. They are also designing more phishing websites, releasing more viruses, sending more spam emails and creating fake social media profiles, all in an attempt to siphon off money.
Further, with the growing number of internet and internet banking users, payment instruments and technologies, the attacks are bound to grow. Hence, it becomes imperative to insure users against any wrongful loss.
Types of losses that a Cyber Insurance Policy may Cover
First Party Losses: Direct financial loss, data recovery, business interruption cover and mitigation costs cover.
Regulatory Actions: Costs of Regulatory actions and investigations, civil fines and penalties and defence costs.
Crisis Management Costs: Forensic Expert Cover including security consultation, Reputation Damage Cover, Legal Costs Cover for matters including notification, coordination with service providers, strategy etc., Credit and Identity Theft Monitoring Cover, Cyber extortion/ Ransomware Cover, Operation of a 24×7 Hotline, Cyber Stalking, Counselling, Information removal and pursuing action.
Liability Claims: Legal liability/damages resulting directly from a breach of privacy or data/security, defamation, IPR infringement, and defence costs.
Salient Features of Individual Cyber Insurance Cover
As per these guidelines, a cyber insurance policy will provide coverage against the following:
Theft of funds: Provides coverage for funds stolen as a result of cyber incidents or third-party hacking of the insured’s bank account, credit/debit card, and/or mobile wallet.
Identity Theft Cover: Protection in terms of Defence costs for claims filed against the insured by a third/affected party as a result of identity theft fraud, as well as expenses to prosecute offenders and other transportation costs.
Social Media Cover/Personal social media: Provides protection in terms of defence costs for claims made against the insured by a third/affected party due to the insured's hacked social media account, as well as expenses to prosecute perpetrators and other transportation costs.
Cyber Stalking / Bullying: Provides expenses to prosecute the stalker.
Malware Cover / Data Restoration Cost: Includes coverage for data restoration cost due to malware.
Phishing Cover: Covers financial losses resulting from a phishing attack and provides expenses to prosecute perpetrators.
Unauthorised Online Transaction: Provides protection against third-party fraudulent use of a bank account, credit/debit card, or e-wallet to conduct online purchases.
Email Spoofing: Covers financial losses resulting from spoofed email attacks and provides expenses to prosecute perpetrators.
Media Liability Claims Cover: Provides coverage for defence costs in third party claims due to defamation or invasion of privacy due to Insured’s publication or broadcasting of any digital media content.
Cyber Extortion Cover: Provides protection for extortion loss resulting from a cyber extortion threat and provides expenses to prosecute perpetrators.
Data Breach and Privacy Breach Cover: Provides defence expenses and damages in the event that a third party files a claim against the Insured for Data Breach and/or Privacy Breach.
What about contributory fraud/fraud caused by negligence of the insured individual?
The guidelines take into account the RBI's policy regarding the liability of a customer. As per RBI circular no. RBI/ 2017-18/15, dated July 6, 2017, the customer shall bear the entire loss in case of a contributory fraud (where the loss is due to the negligence of the customer, e.g. the customer shared an OTP/PIN).
However, the guidelines note that cyber insurance addresses exposures beyond the situations described in the RBI circular.
Some Do’s & Don’ts for Cyber Insurance Policy Buyers
Do's
- Install an anti-virus and firewall on devices.
- Use a Virtual Private Network.
- Regularly update software and operating system.
- Keep hard-to-guess passwords or passphrases. A password should have a minimum of 10 characters using uppercase letters, lowercase letters, numbers and special characters.
- Keep different passwords for different accounts. If one password gets hacked, your other accounts are not compromised.
- Use privacy settings on social media sites to restrict access to your personal information.
- Pay attention to phishing traps in email and watch for telltale signs of a scam.
- Destroy information properly when it is no longer needed.
- Be aware of your surroundings when printing, copying, faxing or discussing sensitive information.
- Lock your computer and mobile phone when not in use. This protects data from unauthorized access and use.
- Remember that wireless is inherently insecure. Avoid using public Wi-Fi hotspots.
- Report all suspicious activity and cyber incidents.
- Check if the web site being visited is a trusted web site.
- Always delete mail/SMS from unknown sources.
- Use Multifactor Authentication (MFA) for email and online portal accounts.
Don'ts
- Leave your sensitive information lying around or share it with someone.
- Share or post any private or sensitive information, such as credit card numbers, passwords or other private information, with anyone or on public sites, including social media sites.
- Click on links from an unknown or untrusted source.
- Respond to fake phone calls or emails requesting confidential data.
- Install unauthorized programs on your computer.
- Leave devices unattended. Keep all mobile devices, such as laptops and cell phones, physically secured.
- Don’t share personal information with persons unless authenticity and required authority is confirmed, according to the Irdai circular.
You can read the guidelines here.