On account of an unprecedented increase in cybercrimes since the advent of the Covid-19 pandemic, the Insurance Regulatory and Development Authority of India (the “IRDAI”) has recently released a guidance document on the product structure for cyber insurance policies (the “Guidelines”), focusing on cyber insurance products targeting individuals.
Cyber insurance in India
Cyber insurance is an insurance policy to protect policyholders from cybercrimes and is primarily targeted towards individuals (as opposed to organisations). Cyber insurance is offered in India, both as a standalone product and an add-on coverage to traditional policies, such as insurance covers for property. It can include coverage for first-party liabilities (i.e., liabilities borne as a direct result of the incident) as well as third-party liabilities (i.e., liabilities incurred as a result of litigation by alleged injured parties).
The salient features of an individual cyber insurance policy include protection against theft of funds, identity theft cover, social media cover, cyberstalking/bullying, malware cover/data restoration cost, phishing cover, unauthorized online transaction, e-mail spoofing, media liability claims cover, cyber extortion cover and data breach cover.
Recommendations to improve the currently offered cyber insurance product
The IRDAI has provided the following recommendations to address gaps in cyber insurance products currently offered by insurers:
- In respect of small claims up to INR5,000 (approx. US$68), insurers may ask for e-complaints lodged at the National Cyber Crime Reporting Portal, instead of asking policyholders to file a first information report (FIR) with the police.
- The policy can extend coverage for instances which are usually excluded, such as unsolicited communications, damaged computer hardware (known as bricking), sim-jacking, card cloning and skimming.
- Insurers can offer options for worldwide territory (with the jurisdiction for claim settlement being in India), to tackle syndicated frauds originating outside India.
- Insurers can offer limited coverage for online shopping frauds. The Guidelines clarify that the non-delivery of goods ordered online from merchants or non-receipt of payments when goods are sold by individuals online are prime facie business risks and cannot be classified under cyber coverages unless resulting directly from cyber-related events.
- A cyber-attack usually targets multiple web users/content users. However, the cyber insurance policies usually define cyber-attack/cybercrime as “targeted intrusion into the individual’s system,” leaving the individual uninsured due to this restricted definition. The IRDAI has suggested the use of wider language such as “unauthorised access,” which would indicate that the intrusion may or may not be targeted towards an individual’s system.
- Claims are usually only admissible when the insured beneficiary is completely innocent. Typically, gross negligence is excluded from coverage, and individuals are expected to take due diligence, care, and reasonable precautions to protect their identity and personal details on the internet. In this regard, the IRDAI has suggested using more explicit language, which excludes claims on account of “deliberate, criminal, fraudulent, dishonest or malicious act or omission of insured beneficiary.” Further, the exclusion should be triggered only when the negligence has directly caused the loss.
Other suggestions by the IRDAI
In order to popularize cyber insurance policies, the IRDAI has made the following suggestions to insurers:
- launch awareness campaigns to educate consumers;
- use simple wording for policy drafting and ensure that the claim process is easy to understand and implement;
- disseminate information about claim settlements without breaching confidentiality requirements;
- offer group policies, including affinity policies (where, insurance is targeted to a particular community, niche market or class, representing a group of similar needs or risks that require products designed and priced for those risks);
- offer cyber insurance as a part of a package policy with other components; and
- offer a base version of the policy at an affordable premium and then give the customer an option to choose additional covers.
Additionally, the Guidelines also prescribe practical Dos and Don’ts for policy buyers to safeguard themselves from cyber-security breaches, such as installing anti-virus, using virtual private networks, and not clicking on links from unknown sources.
Lastly, the Guidelines provide for a model insurance policy. However, given the evolving nature of cyber threats, the IRDAI has recognised that the standardisation of a cyber insurance policy is not desirable.
With the rapid advancement of technology, cyber threats have increased manifold and in innovative ways as well. Given this, in our view, the IRDAI has correctly assessed that a “one size fits all” approach cannot be taken for cyber insurance products, and insurers have to tailor their policies on the basis of the need of the hour. The Guidelines are a good starting point and will provide guidance to insurers to improve their products for the enhanced benefit of policyholders.
About the Author
Amrit Mehta has over 12 years of experience in corporate/M&A, insurance and real estate financing, and has advised on domestic and cross-border acquisitions, joint ventures, private equity investments, foreign direct investments and insurance matters.
Amrit has completed a 4 months’ secondment as a foreign lawyer at the Tokyo office of Mori Hamada and Matsumoto, a leading law firm in Japan in 2016. He spoke on “Current legal developments in M&A in Asia” at the International Bar Association’s Asia Pacific Mergers & Acquisitions Conference held in Tokyo in November 2019.