The Insurance Regulatory and Development Authority of India (Irdai) has underlined the need for cyber insurance by citing the increase in digital frauds and cyber theft during the pandemic.
In a move that may help individuals transacting online sleep more peacefully, the IRDAI has issued guidelines to insurers on structuring cyber insurance for individuals and gaps that need to be filled. As per the guidelines, cyber insurance should provide cover against theft of funds and identity, unauthorised online transactions and email spoofing, among others.
As per the national cyber security agency, Computer Emergency Response Team of India (CERT-In), there has been an increase in the number of cyberattacks on personal computer networks and routers since professionals have been working from home due to the COVID-19 outbreak, says the Irdai circular issued on September 8, 2021.
TA Ramalingam, Chief Technical Officer, Bajaj Allianz General Insurance, says, “An individual’s exposure to cyber risks is constantly increasing with increase in exposure to the digital world. Considering the dire need of cyber insurance for individuals, IRDAI has charted out some salient features, coverage and suggestions in its guidance document on product structure for cyber insurance which insurers can look to adopt. This document also talks about simplifying the existing products further and expanding their scope of coverage.”
The circular titled ‘Guidance Document on Product structure for cyber insurance’ sets out what a cyber insurance policy should cover for an individual.
As per these guidelines, a cyber insurance policy will provide coverage against the following:
a) Theft of funds: Provides protection in respect of theft of funds due to cyber incidents or Hacking of insured’s Bank account, Credit/Debit card and/or Mobile wallets by a Third Party.
b) Identity Theft Cover: Provides protection in terms of Defence cost for claims made against insured by third/affected party due to identity theft fraud, provides expense to prosecute perpetrators and other transportation costs.
c) Social Media Cover/Personal Social Media: Provides protection in terms of Defence cost for claims made against insured by third/affected party due to hacked social media account of insured, provides expense to prosecute perpetrators and other transportation costs.
d) Cyber Stalking / Bullying: Provides expenses to prosecute the stalker.
e) Malware Cover / Data Restoration Cost: Provides coverage for data restoration cost due to malware.
f) Phishing Cover: Provides protection in respect of financial losses as a result of a phishing attack and provides expense to prosecute perpetrators.
g) Unauthorised Online Transaction: Provides protection against fraudulent use of bank account, credit/debit card, e-wallet by the third party to make online purchasing over the internet.
h) Email Spoofing: Provides protection in respect of financial losses as a result of spoofed email attack and provides expense to prosecute perpetrators.
i) Media Liability Claims Cover: Provides coverage for defence costs in third party claims due to defamation or invasion of privacy due to Insured’s publication or broadcasting of any digital media content.
j) Cyber Extortion Cover: Provides protection for extortion loss as a result of Cyber extortion threat and provides expense to prosecute perpetrators.
k) Data Breach and Privacy Breach Cover: Provides indemnity for defence costs and damages in respect of claims lodged by a third party against the Insured for Data Breach and/or Privacy Breach.
Liability of individuals
As per the product structure of the cyber insurance issued by IRDAI, there will be zero liability of a customer in the following cases:
a) Contributory fraud/ negligence/ deficiency on the part of the bank, irrespective of whether or not the transaction is reported by the customer.
b) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within 3 working days of receiving the communication from the bank regarding the unauthorized transaction. Do keep in mind that this is similar to reporting unauthorized transactions with the bank within three days to avoid losses.
In the below-mentioned cases, there will be limited liability of a customer:
a) Where loss is due to the negligence of the customer, e.g. payment credentials are shared, the customer shall bear the entire loss till the time an unauthorized transaction is reported to the bank. Any loss after reporting of the unauthorised transaction shall be borne by the bank.
b) In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but lies elsewhere in the system, and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per-transaction liability of the customer shall be limited to the transaction value or an amount ranging between Rs 5,000 and Rs 25,000, whichever is lower, dependent upon the type of account.
Types of losses under cyber insurance
Losses covered under a cyber insurance policy can be split into 4 categories:
a) First Party Losses: Direct Financial Loss, Data recovery, Business Interruption Cover and Mitigation Costs Cover.
b) Regulatory Actions: Costs of Regulatory actions and investigations, Civil fines and penalties and Defence Costs.
c) Crisis Management Costs: Forensic Expert Cover including security consultation, Reputation Damage Cover, Legal Costs Cover for matters including notification, coordination with service providers, strategy etc., Credit and Identity Theft Monitoring Cover, Cyber extortion/ Ransomware Cover, Operation of a 24×7 Hotline, Cyber Stalking, Counselling, Information removal and pursuing action.
d) Liability Claims: Legal liability/damages directly arising from privacy or data/ security breach, Defamation, Intellectual Property Right (IPR) infringement and Defence Costs.
When insurance claim can be rejected
If at the time of any loss or damage happening to any property hereby insured there be any other subsisting insurance or insurances, whether effected by the Insured or by any other person or persons covering the same risk, the Insurer shall not be liable to pay or contribute more than its rateable proportion of such loss or liability.
In case of financial loss
1. The debit card/credit card involved must be blocked immediately within 24 hours after detection of the loss of money or loss of card, whichever happens earlier.
2. Any cashback/rewards if so credited to the concerned card holder’s account against misused transaction leading to loss of money, shall be reduced from the loss payable under the policy.
3. Insured should have a registered valid mobile number & e-mail id to receive SMS alerts/OTP from the bank.
4. This insurance shall not cover losses that can be received from a financial institution, payment wallet/service operator, e-commerce service provider or any such entity who has a primary responsibility to indemnify the insured.