All organizations, ranging from large corporations to small businesses that utilize technology for their operations, encounter cyber risk. As technology advances in complexity and sophistication, so do the dangers faced by businesses. Hence, it is imperative for every organization to have both cyber liability insurance and a well-designed cybersecurity strategy in place to handle and reduce cyber risk effectively.
What is Cyber Insurance?
A cyber insurance policy covers a broad range of risks such as credit card data leaks, data breaches, cyber-attacks, and other digital threats. Cyber Insurance covers all kinds of risks, whether they are data breaches that expose sensitive customer information, ransomware attacks that enslave your systems, or business email compromises that trick your employees into sending money to criminals.
Who needs Cyber Insurance Policies?
Technology plays a vital role in almost every organization's daily operations in today's digital age. A wide range of businesses handle customers' names, addresses, and financial information, including IT services, product companies, e-commerce companies, finance firms, real estate brokers, online marketplaces, restaurants, and many others. To protect themselves from internet fraud, all such organizations need Cyber Liability Insurance.
Insured Server Attacked with Ransomware
A hospital in Mumbai got a ransomware attack on its server, resulting in encrypted files and a ransom note from the attackers. The damage was worth Rs 4 crore. The insured claimed compensation for the costs of forensic investigation, credit monitoring, and business interruption. The insurer proactively assisted the insured in evaluating the severity of the data compromise and appointed a forensic investigator to assess and contain the threat.
Get Free Quote in Minutes
What is Included in Cyber Insurance?
Cyber insurance offers the following coverages to a business
- Electronic-Cyber Extortion Cover
This clause provides protection for a business in the event that they are the victim of an extortion attempt that involves the use of electronic means, such as email or the Internet. This type of coverage can help a business cover the costs associated with responding to an extortion attempt, such as paying a ransom or hiring a cyber security firm to investigate the incident. However, as per the policy condition, the insured will-
- Keep the terms and conditions of this cover confidential, unless mandatory disclosure to law enforcement authorities is required.
- Take all reasonable steps to inform and cooperate with the appropriate law enforcement authorities.
- Take all reasonable steps, including the involvement of a cyber security consultant with the Insurer’s prior written consent, to effectively mitigate the loss due to such electronic-cyber extortion.
For example, let us assume an insured company receives an email stating that the sender will introduce a virus into the company's website unless he is paid a ransom of Rs 5 Crore. The costs covered by this policy would include the amount paid to meet extortion demands, the cost of hiring cyber security experts to prevent extortion attempts in the future, and the expenses charged by hired professionals to deal with/negotiate with the extortionists.
2. Electronic-Vandalism Loss
This clause provides protection for a business in the event that its electronic systems or data are intentionally altered, damaged, or destroyed by a third party. This type of coverage can help a business cover the costs associated with restoring or replacing its systems and data, as well as any lost revenue that may result from the vandalism.
For example, if the servers, computers, hardware, storage drives, or network systems of an insured are vandalized with malafide intention, this policy would cover the costs of restoring or reconstituting the data.
3. Electronic-Business Interruption Expenses
Electronic-Business Interruption Expenses coverage provides protection in the event of a business interruption, which is a direct consequence of the total or partial unavailability of the computer systems of the insured. This type of coverage can help a business cover the additional expenses incurred as a result of the interruption, such as renting temporary facilities, hiring temporary staff, and other expenses necessary to continue operations.
4. E-communication Loss
This coverage helps protect businesses from loss resulting from a customer or financial institution, having been subjected to a fraudulent communication purporting to have been directed by an Insured and thus entered into a financial transaction. For example, suppose a hacker gains unauthorized access to a company's server and sends unauthorized communication to a customer. Based on this, the customer initiates, authorizes and acknowledges a payment, delivery or receipt of funds or property . In this scenario, if the insured is held legally liable for the loss of the customer, the policy will cover such losses.
5. Privacy notification expenses
This coverage helps protect businesses from the reasonable costs incurred because of disclosure liability or reputational liability of notifying individuals whose personal information may have been compromised and changing of records of such individuals - as a result of a data breach or other cyber incident at the end of the insured business. This can also cover the cost of things like mailing notification letters, setting up call centers, and offering credit monitoring services to the affected individuals.
6. Legal Representation Cost
There is no need to worry about the costs associated with legal representation in the event of a cyber incident. This can include things like hiring a lawyer to represent the business in court or in negotiations with regulators, as well as the cost of any settlements or judgments.
For example, if a business suffers a data breach and is sued by affected individuals or is subject to regulatory investigations in relation to the breach, this coverage would help cover the costs associated with hiring a lawyer to represent the business in court or in negotiations with regulators.
7. Extended Reporting Period
If the policy is terminated or not renewed (for reasons other than termination by the insurer for non-payment of premium) and no event has occurred, the insured is granted an extended period to discover and report any claim. However, such claims should be for wrongful acts occurring prior to, the effective date of termination or non-renewal. No additional charge is levied for such an extension of up to 90 days. However, an additional premium is levied for an additional extension period of 365 days from the expiry of the previous extension of 90 days.
8. Automatic cover for newly acquired subsidiaries
This coverage automatically includes subsidiaries newly created or acquired (during the policy period ) by the insured, under the main policy, without the need for additional paperwork. However, at the start of the policy period and at the time of loss, the insured must declare that the insured controls, directly or indirectly, more than 50% of the interests entitled to vote in the election of the governing body of such a subsidiary organization. Also, the insured should give the insurer sufficient details in the stipulated timeline so that the insurer can evaluate the insurer’s potential increase in exposure after such creation or acquisition. Based on such an evaluation, the insurer may calculate an additional premium to levy and pass necessary endorsement as applicable.
For example, if a company acquires a subsidiary within the policy period and the subsidiary is involved in an incident that results in a cyber liability claim, this coverage can help pay for the cost of damages or injuries caused by the incident.
9. Credit Monitoring Cost
It covers the costs associated with providing credit monitoring services to individuals whose personally identifiable information (PII) may have been compromised as a result of a data breach or other cyber incident for which the insured is held liable. It covers the cost of credit monitoring services for a specific period of time, such as one year, for affected individuals.
For example, if a business suffers a data breach and customer information, such as social security numbers or credit card information, is compromised, the business would be required by law to offer credit monitoring services (such as monitoring of credit history to detect any suspicious activity or unauthorized charges) to affected individuals. This coverage would help cover the costs associated with providing such services.
10. Fines & Penalties- wherever insurable by law
This is a type of coverage that helps protect businesses from the financial penalties and fines that may be imposed by government or regulatory bodies, as a result of a cyber incident or data breach. It typically covers fines and penalties that are insurable by the law, applicable to the jurisdiction in which the payment is to be made, and which the Insured is legally obligated to pay following the conclusion of a claim by a regulator.
11. Reward Expenses
It covers the reasonable costs incurred by the insured (with prior approval from the insurer) in rewarding an informant who provides information that leads to the identification, prosecution, and conviction of persons responsible for a cyber-attack, fraudulent access, or transmission covered under this policy.
For example, if a business suffers a cyber attack and wants to offer a reward to anyone who can provide information that leads to the identification and prosecution of cyber criminals, this coverage would help cover the costs associated with offering that reward.
12. Psychological Support Expenses
The costs associated with providing psychological support to employees or customers following a cyber incident are covered. It typically covers expenses related to providing counseling services, conducting employee assistance programs, and offering other forms of mental health support.
For example, if a business suffers a data breach and customers' personal information is compromised, the business may want to offer counseling services to the affected individuals to help them cope with the psychological stress of the incident. This coverage would help cover the costs associated with providing that support.
13. PCI-DSS Coverage
This policy covers the costs associated with complying with the Payment Card Industry Data Security Standard (PCI-DSS). This is a set of security standards established by the major credit card companies to ensure that businesses that accept credit card payments handle and store sensitive cardholder data securely. This cover includes the cost of PCI-DSS assessments, fines and penalties for non-compliance resulting from a privacy breach.
For example, let us suppose a business suffers a data breach and certain banks have imposed fines on it due to non-compliance with the PCI-DSS standards. In such a case, this coverage would help cover the costs associated with the cost of security audits and fines for non-compliance originating from the said data breach.
14. Fraudulent Fund Transfer
This coverage helps protect businesses from financial losses resulting from unauthorized electronic transfer of funds. It may include losses resulting from fund transfers, such as those made through fraudulent wire transfers, ACH transactions, or other types of electronic fund transfers. The policy may also cover the associated expenses, legal costs, and costs associated with investigating the incident and determining the cause of the fraudulent transfer.
15. Cyber Terrorism Carveback
Most cyber insurance policies essentially limit the scope of coverage for losses caused by Cyber terrorism. It is defined as the use of disruptive technology against the computer systems of the insured, to cause harm for political, economic, or ideological purposes. This is a common practice among insurance companies because cyberterrorism can have far-reaching consequences that are difficult to quantify, and it can potentially cause catastrophic losses.
However, some cyber insurance policies may include a carve-back provision that offers coverage for losses resulting from cyber terrorism, but only with certain restrictions and up to a certain limit. The carve-back clause may also include specific conditions or requirements that the business must meet to qualify for coverage.
16. Crisis Management Cost
It covers the costs associated with managing a crisis resulting from a cyber incident. It may cover the cost of retaining the services of an independent legal counsel, an information security forensic investigator or a public relations consultant to advise an organization in managing the public communication of and limiting the disruption to the business due to claims related to such incidents.
17. Forensic Cost
This policy covers the costs associated with conducting a forensic investigation following a cyber incident. It typically covers expenses such as the cost of hiring a forensic investigator, the cost of computer forensics, software and hardware costs, and other expenses incurred while conducting the investigation.
For example, if a business suffers a cyber attack, and wants to hire a forensic investigator to determine the cause of the attack and identify the attackers, this coverage would help cover the cost of hiring that investigator.
18. Amended Definition of professional fees
This clause refers to a type of coverage that expands the definition of "professional fees" to include a broader range of expenses related to a cyber incident. Professional fee coverage is a standard feature in cyber insurance policies and typically covers expenses related to legal and professional services such as hiring attorneys and IT experts.
With an Amended Definition, the coverage may be expanded to include additional types of expenses that are incurred as a result of a cyber incident. This coverage may include fees related to legal representation and advice, notification and credit monitoring services for affected individuals, data recovery and restoration services, business interruption and extra expenses incurred as a result of the incident, and so on.
19. Content Liability
It protects the insured from claims resulting from loss allegedly sustained by a person because of the actual or alleged infringement of a collective mark, service mark, design right or trademark name, copyright, the name of a product, service, or organization, or the title of an artistic or literary work. Such infringements should result directly from the cyber activities of the insured.
For example, if a business's website includes content that infringes on someone's copyright and the business is sued as a result, this coverage would help cover the costs associated with defending against that lawsuit and any damages that may be awarded.
20. Disclosure Liability
It protects businesses from claims that may result from disclosing personal information, trade secrets, or other types of sensitive information belonging to a person or entity. Such a disclosure should originate from a cyber-attack into a system owned by the insured, unauthorized access to a system or system output owned by the insured or owned by an organization authorized by the insured to process, hold or store such record. This coverage would help cover the costs associated with defending against such claims/lawsuits and any damages that may be awarded.
21. Reputational Liability
It typically covers expenses related to managing and repairing damage to the business's reputation resulting from a covered cyber incident. It may cover the costs associated with public relations and crisis management, advertising and marketing campaigns to rebuild trust and confidence, retaining a public relations firm or reputation management consultant and so on.
For example, if a business suffers a cyber attack and its reputation is damaged as a result, this coverage would help cover the costs associated with repairing that damage, such as hiring a public relations firm to help improve the business's image.
22. Conduit Liability
It covers the financial losses resulting from a cyber incident that occurs through a third-party service provider or "conduit." In other words, it covers losses sustained or allegedly sustained by a person, resulting directly from a cyber-attack into an insured’s system and then received into a third party’s system.
It typically covers expenses related to legal fees and settlements in the event of a lawsuit, notification to the affected parties, offering credit monitoring or other remediation services, public relations and crisis management, and so on.
23. Impaired Access Liability
It covers financial losses resulting from impaired access to the systems or network belonging to the insured. It typically covers expenses related to liability arising from impaired access, such as lost business income, extra expenses, and legal defense costs.
For example, let us suppose a business's network is impaired by a cyber attack and it has led to lost productivity, lost revenue, and potential liability to customers or clients who are unable to access the services provided by the business. If the business is held liable for the resulting losses, this coverage would help cover the costs associated with defending against that claim/ lawsuit and any damages that may be awarded.
What is not included in the Cyber insurance policy?
- Email Spoofing and Phishing - Some cyber insurance policies do not cover social engineering attacks. Instead, commercial crime insurance policies cover such attacks as email spoofing and phishing.
- Physical Injury, Disability, Disease, Sickness, or Death - A cyber insurance policy does not cover claims related to physical injury, disease, disability, sickness, or death. However, it does cover claims related to mental injury or mental anguish caused by a breach of the Data Protection Law.
- Incidents/Litigations Before Policy Commencement - The policy excludes claims arising from incidents or acts that occurred before the policy's start date, including cyberstalking, IT theft loss, malware damage to computer systems, phishing and email spoofing, cyber extortion, privacy breaches, and third-party data breaches.
- Losses or Damages Arising Out of War or Government Actions - War or warlike scenarios are excluded from this policy, including invasions, foreign aggression, armed conflict, rebellions, revolutions, civil wars, government confiscations, and government damage to property.
- Dishonest or Improper Conduct - Employees, outsourcers, and partners are not covered for claims resulting from intentional non-compliance with a ruling.
- Contractual Liability - Claims related to contractual and non-contractual incentives offered by the policyholder to customers or clients, such as service rebates, price reductions, credits, promotions, awards, or other incentives, are not covered under this policy.
BimaKavach comprehends the intricacy of these threats and offers solutions to safeguard and insure your business assets. To get the best cyber security quotes fill in your details in the lead form or visit our product page.
- Online Cyber Fraud Cases Rising in India at an Alarming Rate
A whopping Rs 10,319 crore was lost to online frauds across the country between April 2021 and December 31, 2023. This was revealed recently by Rajesh Kumar, CEO, Indian Cyber Coordination Centre (I4C), at press conference.