One in every two Indians is an active internet user as per a report from the Internet & Mobile Association of India in 2022. Such widespread internet penetration coupled with the effects of Covid-19 have meant that nearly every business in India has been catapulted into the digital age. This transformation has received further impetus from the government’s initiatives to digitise the economy. As businesses go digital, their online exposure is increasing and with that, the threat of cyber- attacks and data breaches looms large.
Moreover, businesses are gathering large amounts of customer data and thereby opening themselves to greater vulnerability. A cybersecurity report by Checkpoint in 2023 suggests that global cyberattacks increased by 38 percent in 2022. The FBI Internet Crime Report 2022 ranks India at #4 behind the US, UK and Canada, in terms of total cybercrime victims. According to the Computer Emergency Response team of India (CERT-In), India’s national agency to deal with cyber security, the country witnessed 1.39 million cyber security incidents in 2022 alone. Some of India’s biggest businesses have faced cyber security threats recently ranging from the data leaks faced by Dr. Lal Path Labs and Justdial to malware and ransomware attacks on AIIMS and BSNL.
Read More+
As cyber-attacks escalate in frequency and intensity, cyber insurance policies can serve as an essential risk management tool for businesses, providing coverage for losses resulting from such events. Businesses are coming to terms with the consequences of cyber exposure and cyber insurance uptake is expected to increase. While the insurance industry has been responsive in addressing this space, cyber insurance is still at a nascent stage in India and with the evolving nature of cyber risks, cover can often be disparate and inadequate. The industry is also impeded by lack of data on past losses and the systemic effect of cyber-attacks, besides actuarial and underwriting challenges.
It is in this context that the insurance regulator, IRDAI, constituted a Working Group in 2020 to study cyber liability insurance, recommend a scope for insurance covers and explore the possibility of developing standard coverages. The Working Group assessed the challenges of standardisation of cyber insurance policies and rightly concluded that cyber risks can be dynamic and evolving and as experts, insurers and reinsurers continue trying to develop a better understanding on exposures and insurance solutions, standardisation of policies may not be the best approach and may not provide an effective means to combat emerging forms of risk. With this in mind, the IRDAI issued model policy wordings for individual cyber insurance in 2021 and while the model policy provided for some suggestive forms of cover (such as financial loss, data restoration, cyber extortion & stalking, identity theft, data breach and media liability), it was not intended to be exhaustive.
Given the evolving technological landscape today, risk and coverage profiling in cyber insurance policies is likely to be a dynamic exercise which is peculiar to each business. It is therefore important for businesses to be conscious of their own risk profiles and vulnerabilities while determining the form of cover that is optimal for them. With a wide spectrum of potential cyber threats and attacks, different businesses and insureds can face differing circumstances.
For instance, IT firms may be more prone to data theft risks than others, while banks, digital payments and other financial service providers may face a relatively higher risk of fund theft. Social media companies may have more user-facing risks such as cyber bullying, identity theft and privacy breaches while reputational and third-party liability risks may be a stronger consideration for a consulting or legal advisory set up.
Similarly, within industries as well, it is critical for any business to assess and map the risks and threats that are peculiar to itself, keeping in mind its operations, customer base, technological infrastructure and dependencies, security practices and other relevant factors. A “one size fits all” approach may not be ideal for businesses looking towards cyber insurance policies at this stage.
While the IRDAI has been keen on changing status quo and popularising cyber insurance as a niche offering, the uptake of this product in India remains limited in relative terms, owing to several factors, including reliance on traditional forms of cover like property, general liability insurance to address losses related to cyber incidents.
Having said that, it is anticipated that the demand for cyber insurance in India will increase significantly in the next decade, as entities are being subjected to greater regulatory scrutiny and accountability. For instance, under the Digital Personal Data Protection Act, 2023, which proposes fines of up to INR 250 crore for failing to take reasonable security safeguards to prevent a personal data breach. Such strict regulatory measures are expected to encourage companies to view cyber insurance as a risk management investment rather than a “cost”.
This article was originally published in The Economic Times on 10 December 2023 Co-written by: Shailaja Lall, Partner; Akshay Sachthey, Principal Associate; Christina Shaju, Senior Associate. Click here for original article
Read Less-
Contributed by: Shailaja Lall, Partner; Akshay Sachthey, Principal Associate; Christina Shaju, Senior Associate
Disclaimer
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and does not necessarily reflect the views of the firm.
The Bar Council of India does not permit solicitation of work and advertising by legal practitioners and advocates. By accessing the Shardul Amarchand Mangaldas & Co. website (our website), the user acknowledges that:
Click here for important public notice from the Firm.