The Insurance Regulatory and Development Authority of India (IRDAI) has issued guidelines to insurers on structuring cyber insurance for individuals and on the gaps that need to be filled. As per the guidelines, cyber insurance should provide cover against theft of funds and identity, unauthorised online transactions, and email spoofing.
As per the national cyber security agency, Computer Emergency Response Team of India (CERT-In), there has been an increase in the number of cyber attacks on personal computer networks and routers since professionals have been working from home due to the COVID-19 outbreak.
The IRDAI circular issued on 8 September 2021, titled ‘Guidance Document on Product structure for cyber insurance’, sets out what a cyber insurance policy should cover for an individual. As per these guidelines, a cyber insurance policy will provide coverage against the following:
a) Theft of funds: Protects against theft of funds due to cyber incidents or hacking of the insured’s bank account, credit or debit card and mobile wallets by a third party.
b) Identity Theft Cover: Covers defence costs for claims made against the insured by a third or affected party due to identity theft fraud, and provides expenses to prosecute perpetrators and other transportation costs.
c) Social media cover/ personal social media: Covers defence costs for claims made against the insured by a third or affected party due to the insured’s hacked social media account, and provides expenses to prosecute perpetrators and other transportation costs.
d) Cyber stalking/bullying: Provides expenses to prosecute the stalker.
e) Malware cover / Data restoration cost: Provides coverage for data restoration cost due to malware.
f) Phishing cover: Protects against financial losses resulting from a phishing attack and provides expenses to prosecute perpetrators.
g) Unauthorised online transaction: Protects against fraudulent use of a bank account, credit or debit card, or e-wallet by a third party to make online purchases.
h) Email spoofing: Protects against financial losses due to spoofed email attacks and provides expenses to prosecute perpetrators.
i) Media liability claims cover: Provides coverage for defence costs in third party claims due to defamation or invasion of privacy due to the insured’s publication or broadcasting of any digital media content.
j) Cyber extortion cover: Provides protection for extortion loss due to a cyber extortion threat and provides expenses to prosecute perpetrators.
k) Data breach and privacy breach cover: Provides indemnity for defence costs and damages regarding claims lodged by a third party against the insured for data breach and/or privacy breach.
Liability of individuals
As per the product structure of the cyber insurance issued by IRDAI, there will be zero liability of a customer in the following cases:
a) Contributory fraud/ negligence/ deficiency on the part of the bank, irrespective of whether or not the customer reports the transaction.
b) Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorised transaction. Do keep in mind that this is similar to reporting unauthorised transactions with the bank within three days to avoid losses.
In the following cases, the customer’s liability will be limited:
a) Where the loss is due to the customer’s negligence, e.g. payment credentials are shared, the customer shall bear the total loss until the unauthorised transaction is reported to the bank. The bank shall bear any loss occurring after the customer notifies it of the unauthorised transaction.
b) Where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer but elsewhere in the system, and the customer delays notifying the bank of such a transaction (by four to seven working days after receiving the communication from the bank), the per-transaction liability of the customer shall be limited to the transaction value or an amount ranging from Rs5,000 to Rs25,000, whichever is lower, depending upon the type of account.
Types of losses under cyber insurance
Losses covered under a cyber insurance policy can be split into four categories:
a) First Party Losses: direct financial loss, data recovery, business interruption cover and mitigation costs cover.
b) Regulatory Actions: costs of regulatory actions and investigations, civil fines and penalties and defence costs.
c) Crisis Management Costs: forensic expert cover including security consultation, reputation damage cover, legal costs cover for matters including notification, coordination with service providers, strategy etc., credit and identity theft monitoring cover, cyber extortion/ ransomware cover, operation of a 24x7 hotline, cyber stalking, counselling, information removal and pursuing action.
d) Liability Claims: legal liability/damages directly arising from privacy or data/ security breach, defamation, intellectual property right (IPR) infringement and defence costs.
When can an insurance claim be rejected?
If, at the time of any loss or damage happening to any property insured, there is any other subsisting insurance or insurances, whether effected by the insured or by any other person or persons, covering the same risk, the insurer should not be liable to pay or contribute more than its rateable proportion of such loss or liability.
In case of financial loss
1. The debit or credit card involved must be blocked immediately, within 24 hours of detecting the loss of money or loss of card, whichever happens earlier.
2. Any cash-back or rewards credited to the concerned card holder’s account against the misused transaction leading to the loss of money should be deducted from the loss payable under the policy.
3. The insured should have a valid registered mobile number and email ID to receive SMS alerts or OTPs from the bank.
4. This insurance shall not cover losses that can be recovered from a financial institution, payment wallet or service operator, e-commerce service provider or any such entity that has a primary responsibility to indemnify the insured.