Cyber Risk Insurance
What is Cyber Liability Insurance?
Cyber liability insurance helps an organisation mitigate the financial loss to the business due to a data breach or any other cyber risk. It also covers legal costs and damages resulting from the data breach.
Also called “cyber security insurance” or “cyber risk insurance”, this is an insurance policy that pays for both first- and third-party losses resulting from a computer-based attack on, or malfunction of, the information technology systems of any business.
India has now become a major victim of cybersecurity attacks. According to a CyberPeace Foundation (CPF) report, startups and SMEs in India are the most vulnerable segment when it comes to cyberattacks.
Some of the recent attacks that happened in the Indian startup ecosystem include:
- WhiteHat Jr - On November 25, the Quint quoted a security researcher who reported the bug to WhiteHat Jr, who said, “personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company's server-side.”
- BigBasket admitted that a data breach had happened in which almost 20 million users’ data were compromised. The blog by cybersecurity research firm Cyble said that their research team found the database of BigBasket being sold for over $40,000 in the cyber-crime market.
- Dunzo, the delivery startup, reported a data breach in July 2020. The startup was working with a third party whose servers were compromised.
- Unacademy, another edtech startup, suffered a data breach in January, 2020. As per the report by security research firm Cyble, email data of about 11 million users has been compromised.
What is a Cyber risk?
Cyber risk is any risk of financial loss, disruption or damage to the reputation of the company resulting from the failure of its information technology systems.
Cyber risk could happen in a variety of ways, including:
- Deliberate and unauthorised breaches to gain access to information systems.
- Unintentional or accidental breaches of security.
- Operational risk factors such as poor system integrity.
Which are the top Cyber risks that can impact businesses?
- Data breach/privacy:
A breach is an event in which an individual’s or corporate’s personal information, including name and other confidential records (medical and financial), is potentially at risk and compromised. The three main causes of a data breach are: malicious or criminal attack, system glitch and human error.
- Ransomware:
A type of malware (malicious software) that attempts to encrypt data. Most ransomware is delivered via malicious emails. Actual data is not stolen, but this specific type of virus (malware) can be used to infect the IT system, preventing your business from accessing certain files. Usually, the infected components become encrypted and the authorised user is then unable to access them. There is a demand for a ransom in exchange for restored access to the affected system.
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) Attack:
The risk of a computer resource being made unavailable to its intended users or prevented from functioning efficiently.
- Bring Your Own Device (BYOD) policy:
A BYOD policy can put your organisation at risk from cyber attacks. Mobile devices like laptops can be stolen from your offices, or employees who are travelling can lose the devices and expose your customers' data.
- Employee negligence:
This is fast becoming a leading cause for cyber risk. A negligent employee, for example, may open an email attachment that contains malware and compromise confidential information stored in a computer.
How do cyber attacks impact businesses?
- Financial loss - resulting from litigation by third parties
- Business disruptions - prevent firms from operating, resulting in loss of revenue
- Reputational damage
- Customer data breach and damages to be paid due to loss of such data.
- Regulatory body requirements.
Cyber liability insurance allows companies to focus on rebuilding and restoring their customers' confidence without worrying about the data breach related expenses.
Why are small businesses under threat of cyber risk?
- Supply-chain risk – Hackers focus on small businesses because they are part of the supply chains of bigger companies. A small business's email system can be hacked, and information about the large company that contracts with it is then used in phishing attacks.
- Internal threat from employees due to lack of cyber security awareness.
- Small and medium businesses are increasingly adopting cloud-based business models for efficiency and agility, and these are prone to cyber attacks.
- Extensive usage of smartphones, where businesses are rapidly growing, can be a potential source of cyber risk.
- Little investment in Cyber security tools
Which industries have a higher exposure to cyber risk?
Cyberattacks now regularly make headlines. While the implications of electronic threats to IT systems in finance, healthcare, and government administration are well-known, they are also very significant and growing for manufacturers.
When a cyber attack happens, companies are often required to incur costs for defense, personal data monitoring, forensic investigation and network equipment replacement.
Company type | Industry | Key Exposures |
---|---|---|
Companies storing personal data | Technology, Telecom & media, Education, professional services | Customer information, cloud platforms, software source code, client data |
Financial transactions driven | Retail, financial services, business services, hospitality | Credit card and account information, financial transactions, portfolios |
Exposed to operational risks | Manufacturing, utilities, energy | Industrial control systems, machine software, IoT devices, vendor information |
Storing personal data and exposed to operational risks | Healthcare, transportation, logistics | Health information, safety systems, communication systems |
What does cyber liability insurance policy cover?
Cyber liability insurance is a type of insurance offering companies comprehensive cover for losses arising out of unauthorised access to, or use of, their physical and electronic data or software.
First party costs
- Network Interruption / Business Interruption: Covers lost income and related expenses when an insured is unable to conduct business due to a cyber event either on their premises or at a supplier or customer.
- Cyber Extortion / Ransomware: Pays ransom costs when hackers deny an insured access to their own network and threaten to obtain or disclose sensitive information unless a ransom is paid.
- Data Loss and Restoration: Covers physical damage to or loss of use of computer-related assets, including the cost of retrieving or restoring data, hardware or software due to a cyber attack.
- Reputational / Crisis Management: Covers the costs of engaging a crisis-management team to help mitigate reputational harm due to a cyber event.
- Theft / Fraud: Covers destruction or loss of the insured’s data as the result of a criminal or fraudulent cyber attack, including theft and transfer of funds.
- Forensic-Investigation Costs: Covers costs for legal, technical, and forensic experts to determine the cause and impact of an attack.
- Regulatory Fines: Covers costs in responding to governmental inquiries related to a cyber attack and provides coverage for fines, penalties, investigations, or other regulatory actions.
Third party liability
- Privacy Liability coverage: Breaches of private information of third parties (e.g. employees, customers, business partners).
- Breach Notification Costs: Expenses to notify customers, employees, and other victims.
- Credit Monitoring costs
- Data privacy and litigation costs
- Media Liability coverage for intellectual property infringement claims resulting from publication by the insured.
What’s Not Covered by Cyber Liability Insurance?
Cyber liability insurance commonly excludes:
- Bodily injury or property damage claims: Cyber liability insurance won’t cover claims of bodily injury or property damage. These are covered under Commercial General Liability (CGL) insurance.
- Loss of tangible property
- Any guarantee, warranty and contractual terms or liability assumed or accepted by the company.
- Any act which a business admits to be intentional, deliberate, criminal, dishonest or fraudulent
- Any Network Loss arising out of any seizure, confiscation, nationalisation, or destruction of a Computer System by order of any government entity or public authority.
What claims are paid under a Cyber risk insurance policy?
Typical claims paid | |
---|---|
First-party costs when a security failure or data breach occurs include | Common third-party costs include |
Forensic and investigation costs of the breach | Legal and defense costs |
Notification and communication costs of the breach to customers, regulatory bodies | Settlements, damages and judgements related to the breach |
Credit monitoring costs offered to customers | Regulatory fines and penalties |
Public relations expenses | |
Business interruption (loss of profits) due to a cyber attack when the network is down | |
Why is Cyber liability Insurance Important for Businesses?
A cyber attack can cause major damage to businesses of all sizes. The impact of a cyber attack can result in financial loss, reputational damage and legal damages.
Economic cost
Cyber attacks often result in substantial financial loss arising from:
- theft of corporate confidential information
- theft of financial information
- disruption to business resulting in business interruption loss
Businesses will incur huge costs associated with repairing affected systems and networks, alongside loss of income.
Reputational damage
Cyber attacks can damage your business's reputation, which can result in loss of customer confidence and could potentially lead to loss of customers, sales, and contracts. Reputational damage can also impact the business's relationships with its suppliers, partners and investors.
Legal Damages
Data protection and privacy laws have become very stringent and they require businesses to manage the security of all personal data under their possession. If this data is compromised, businesses may face fines and regulatory sanctions.
Comparison between Cyber and Other Liability Policies
- Commercial General Liability (CGL) policies respond to claims for bodily injury and property damage only. Any lawsuits arising from a data breach or loss due to a security breach of an intangible IT asset will not be covered under CGL.
- Directors & Officers Liability insurance covers lawsuits against directors for any wrongful act committed. This policy is typically a personal liability protection for the directors of the company, and not the company. The company gets covered for litigation from employees for any acts, errors and omissions under employment practices only.
- Errors & Omissions Insurance covers legal liability for acts, errors, and omissions by employees. Although some part of the scope under cyber liability has come in from Errors & Omissions insurance, E&O insurance does have some gaps which can be covered under cyber liability insurance.
Cyber insurance won’t cover you for claims related to the performance of your product or service. If you’re a technology-based business, you will also want to purchase Technology Errors and Omissions (Tech E&O) insurance. This type of professional liability coverage protects you in the event your product or service didn’t perform the way it was supposed to.
Cyber insurance can fill many of the gaps in traditional insurance, as well as provide substantial first and third-party covers relating to the cyber breach.
Sources
https://www.cyberpeace.org/
https://www.businessinsider.in/business/startups/news/from-whitehat-jr-big-basket-and-unacademy-to-dunzo-these-are-the-indian-startups-that-reported-data-leaks-over-the-past-few-months/slidelist/79467618.cms