In order to facilitate insurers in developing standalone cyber insurance products, the insurance regulator has issued a guidance document on product structure for cyber insurance. The guidance will enable insurers to evaluate new technologies posing heightened cyber risk, identify protection gaps in existing products and address the changing needs of customers.
In fact, a working group set up by Insurance Regulatory and Development Authority of India (Irdai) has concluded that standardisation of policy wording for cyber insurance is not desirable because of the evolving nature of legislative frameworks in dealing with cyber risk, fast growing digital ecosystem, increasing interconnectedness globally and complexity of IT systems and emergence of new risks. Experts say the guidance will improve the development of the cyber insurance market with new products and enhance benefits for policyholders.
At present, general insurance companies are offering cyber insurance products with exclusive coverage for individuals to protect against cyber perils. The policies cover first party losses such as direct financial loss, data recovery and regulatory actions.
Individual cyber insurance cover
The regulator’s guidance document suggests some salient features of individual cyber insurance policy such as theft of funds, which will provide protection against theft of funds due to hacking of insured’s bank account, credit or debit card, mobile wallets by a third party. The identity theft cover will provide protection in terms of defence cost for claims made against insured by third / affected party due to identity theft fraud while the phishing cover will provide protection against any financial losses due to a phishing attack and provides cost of prosecuting perpetrators.
The regulator has suggested that the policy wording of cyber insurance policies should be easy to understand and the claim process must be easy to comprehend and implement. It has suggested insurers should consider offering cyber insurance as a part of package policy like householders package policy, offer a base version of the policy at an affordable premium and then give the customer an option to choose additional covers and group policies, including affinity policies.
Gaps to address
The regulator has noted that in the existing policies there are gaps which have to be addressed in order to make cyber insurance customer-friendly. At present, an FIR has to be mandatorily filed in case of a cyber incident while filing a claim which becomes a hassle for individuals and creates distrust in their minds when claims are not settled because of the same. The guidance document has suggested that FIR is a critical requirement to assess claims and cannot be fully dispensed with. However, for small claims up to Rs 5,000, the insurers may ask for e-complaint lodged at the National Cyber Crime Reporting Portal.
In the existing policies, individuals are required to take due diligence, care and reasonable precautions to safeguard their identity/personal details while on the web and claims are admissible only if the individual is an innocent victim of the cyber fraud and gross negligence is excluded from the coverage. As this creates a grey area in the coverage, the guidance suggests more explicit exclusion language to be used such as deliberate, criminal, fraudulent, dishonest or malicious act or omission of insured beneficiary.
At present, territory and jurisdiction is restricted to India only in most of the policies. A number of syndicated frauds originate from outside India such as phishing, ransomware, malware attacks. Cyber insurance clauses may or may not be clear on the coverage in this regard. So, to address this gap, the regulator has suggested that insurers may offer options for worldwide territory and the jurisdiction for claims settlement should be India.
One of the major reasons of cyber related losses is that unsolicited communications are excluded from the scope of cover in many insurance policies. The regulator has suggested that insurers could offer coverage for such losses to make cyber insurance policies customer-friendly. It has also suggested that insurers could offer coverage for losses related to sim-jacking, card cloning and skimming.