As cyber-attacks escalate in frequency and intensity, cyber insurance policies can serve as an essential risk management tool for businesses, providing coverage for losses resulting from such events. Businesses are coming to terms with the consequences of cyber exposure and cyber insurance uptake is expected to increase. While the insurance industry has been responsive in addressing this space, cyber insurance is still at a nascent stage in India and with the evolving nature of cyber risks, cover can often be disparate and inadequate. The industry is also impeded by lack of data on past losses and the systemic effect of cyber-attacks, besides actuarial and underwriting challenges.

It is in this context that the insurance regulator, IRDAI, constituted a Working Group in 2020 to study cyber liability insurance, recommend a scope for insurance covers and explore the possibility of developing standard coverages. The Working Group assessed the challenges of standardisation of cyber insurance policies and rightly concluded that cyber risks can be dynamic and evolving and as experts, insurers and reinsurers continue trying to develop a better understanding on exposures and insurance solutions, standardisation of policies may not be the best approach and may not provide an effective means to combat emerging forms of risk. With this in mind, the IRDAI issued model policy wordings for individual cyber insurance in 2021 and while the model policy provided for some suggestive forms of cover (such as financial loss, data restoration, cyber extortion & stalking, identity theft, data breach and media liability), it was not intended to be exhaustive.

Given the evolving technological landscape today, risk and coverage profiling in cyber insurance policies is likely to be a dynamic exercise which is peculiar to each business. It is therefore important for businesses to be conscious of their own risk profiles and vulnerabilities while determining the form of cover that is optimal for them. With a wide spectrum of potential cyber threats and attacks, different businesses and insureds can face differing circumstances.

For instance, IT firms may be more prone to data theft risks than others, while banks, digital payments and other financial service providers may face a relatively higher risk of fund theft. Social media companies may have more user-facing risks such as cyber bullying, identity theft and privacy breaches while reputational and third-party liability risks may be a stronger consideration for a consulting or legal advisory set up.

Similarly, within industries as well, it is critical for any business to assess and map the risks and threats that are peculiar to itself, keeping in mind its operations, customer base, technological infrastructure and dependencies, security practices and other relevant factors. A “one size fits all” approach may not be ideal for businesses looking towards cyber insurance policies at this stage.

While the IRDAI has been keen on changing status quo and popularising cyber insurance as a niche offering, the uptake of this product in India remains limited in relative terms, owing to several factors, including reliance on traditional forms of cover like property, general liability insurance to address losses related to cyber incidents.

Having said that, it is anticipated that the demand for cyber insurance in India will increase significantly in the next decade, as entities are being subjected to greater regulatory scrutiny and accountability. For instance, under the Digital Personal Data Protection Act, 2023, which proposes fines of up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach. Such strict regulatory measures are expected to encourage companies to view cyber insurance as a risk management investment rather than a “cost”.

This article was originally published in The Economic Times on 10 December 2023 Co-written by: Shailaja Lall, Partner; Akshay Sachthey, Principal Associate; Christina Shaju, Senior Associate. Click here for original article

Read Less-