Introduction
In the age of digitalisation, cybersecurity incidents such as cyber-attacks, data breaches, and phishing have become rampant and, in practice, unavoidable. Following the COVID-19 pandemic, there was a notable increase in cyber exposure as individuals, organisations, and industries were forced to rely on digital channels for day-to-day operations because of travel restrictions. As a result, cybercriminals now have more opportunities to target vulnerable populations. The war between Russia and Ukraine worsened the situation, leading to an increase in coordinated cyberattacks against governments and organisations throughout the globe. Although attacks have increased across every business and sector, the government sector was subject to the most targeted attacks in 2022; over 40% of all events in the government sector globally were reported from China, India, the US, and Indonesia. Furthermore, global cyberattacks surged by 38% in 2022 as compared to 2021.
In the Indian context, India ranks fourth among the top five nations by overall number of cybercrime victims, according to the FBI's Internet Crime Report for 2022. The nation saw 1.39 million cybersecurity incidents in 2022, according to the Computer Emergency Response Team of India (CERT-IN), the leading authority on cyber incidents in India. In parallel, demand for cyber insurance in India has been rising consistently, with the current market valued at between $50 and 60 million. Over the past three years, the market has witnessed a compound annual growth rate of 27-30%, and demand is anticipated to continue growing by approximately 30% in the coming years. This article argues that cyber insurance, despite being in its nascent stage, can be considered a tool for cyber risk reduction and privacy law compliance. Although there are concrete challenges arising from the dynamism of the cyber sphere and the immaturity of the present cyber insurance market, its utility cannot be dismissed.
About cyber insurance
The increased reliance on technology and the rise in cyber threats led to the emergence of cyber insurance in the late 1990s. Initially, it concentrated on data breaches and computer attacks. Over time, it grew to encompass a wide spectrum of cybercrimes, including ransomware, cyber extortion, social engineering attacks, system failures, and business interruption caused by cybersecurity incidents. The market for cyber insurance has evolved in response to the need to reduce losses caused by cybercrime. Cyber insurance products help organisations going digital to pay for damages and recovery expenses in the event of a cyberattack. In 2022, the global cyber insurance market was estimated at US $12.83 billion. With a compound annual growth rate (CAGR) of 22.46 percent, the market is expected to reach US $97.74 billion in 2032.
Cyber insurance is a form of insurance that aims to shield organizations from financial losses and liabilities stemming from cyber incidents, such as hacking, malware, and ransomware. It offers financial protection against losses incurred from data breaches, cyber-attacks, network damage, and disruptions to business operations. Providing extensive coverage, cyber insurance protects against the financial impact and reputational consequences of cyberattacks. This insurance safeguards businesses from both first-party and third-party liabilities, covering scenarios like cyber extortion, unauthorized data access, and data breaches.
Cyber insurance can be instrumental in companies' compliance with privacy law and safeguards
In the context of defence and indemnity, cyber insurance extends beyond risk transfer: it also gives access to services that respond to, investigate, defend against, and mitigate the effects of a data breach incident or privacy law infringement.
When a company faces a cybersecurity breach, the immediate priorities are identifying the breach's source and cause, containing it, and restoring any damaged network processes. This typically requires the expertise of a cybersecurity professional. Cyber insurance seeks to provide organisations with access to such forensic experts.
Research shows that the insurance company plays a significant role in driving incident response for data loss through its cyber insurance and risk management services. Incident response teams often have direct relationships with the insurer, providing efficient one-stop shopping for organizations during a data breach. This close partnership grants insurers influence over the organization’s compliance process.
The Digital Personal Data Protection Act of 2023 imposes fines of up to INR 250 crore for each instance of failing to prevent a personal data breach. Other non-compliance, including failure to notify the Data Protection Board and processing children's data without fulfilling the attendant obligations, can result in fines of up to INR 200 crore. Significant data fiduciaries may face fines of up to INR 150 crore for non-compliance. These penalties are expected to drive companies to consider cyber insurance to mitigate financial risk. With increasing accountability and regulatory scrutiny, companies are likely to manage cyber risks proactively and safeguard against data breaches. Cyber insurance can support compliance with the DPDP Act by offering financial protection in the event of a breach, and the Act can prompt companies to re-evaluate their cyber risk exposure and incorporate cyber insurance into their overall risk management strategy.
Other regulations with respect to cyber insurance
Further, the Insurance Regulatory and Development Authority of India (IRDAI) guidance document on product structure for cyber insurance recommends certain standardisation measures for cyber insurance policies. It encourages statutory recognition of coverage for regulatory fines and penalties, analogous to the position under the UK Financial Conduct Authority's prohibition of insurance payments. It endorses the intentional act exclusion, which precludes reimbursement where dishonest or improper conduct by employees has been reported, but seeks to confine this exclusion to key personnel of the company, such as the Chief Executive Officer, Chief Financial Officer, and Chief Risk Officer. It also recommends preventing misuse of the exclusion for failure to comply with minimum standard requirements, confining its application to cases where the non-compliance is directly linked to the cyber loss. Furthermore, on April 24, 2023, the IRDAI issued the Information and Cybersecurity Guidelines, 2023 ("2023 Guidelines"), requiring insurers and insurance intermediaries to adhere to cybersecurity standards.
On April 10, 2023, the RBI published the Master Directions for IT outsourcing for banks, financial institutions, and other regulated entities. Under the directions, financial institutions must report cyber incidents to the RBI within six hours of the incident. Notifying insurers of a cyberattack within a specified time frame is likewise a standard requirement of cyber insurance policies, and it aids quicker and more transparent processing of claims. By complying with the new reporting timeline, financial institutions can avoid coverage disputes arising from delayed notification and can collaborate with insurers to assess the full extent of an attack and devise a strategy to mitigate it.
Some judgements related to cyber insurance
The Tübingen Regional Court set a noteworthy legal precedent by being the first court in Germany to rule on cyber insurance. Its decision in case 4 O 193/21 dealt with issues commonly raised in cyber insurance claims, including pre-contractual disclosure duties, increase of risk, and gross negligence causing the insured event. The court sided with the insured, rejecting the coverage defences put forward by the insurer. In particular, the court dismissed the insurer's claim that the insured was grossly negligent for not implementing standard IT measures to prevent cyber-attacks, emphasising that the insurer had had the opportunity to assess those specific IT security conditions during the pre-contractual risk assessment.
In Merck & Co., Inc. v. ACE American Ins. Co., the Appellate Division of the Superior Court of New Jersey held that a war exclusion, similar to those commonly found in many cyber insurance policies, did not preclude coverage for losses stemming from a 2017 cyberattack linked to the ongoing conflict between Russia and Ukraine. The Merck decision marks the first time an appellate court has considered the applicability of a war exclusion to a state-sponsored cyberattack. As the insurance industry responds to the ruling and state-sponsored cyberattacks remain a persistent threat, policyholders should carefully monitor any proposed endorsements or policy language changes that alter the war exclusion or otherwise seek to limit coverage for state-sponsored cyberattacks.
Challenges for the implementation of cyber insurance
By their very nature, cyber threats are difficult to define and constantly changing. As a result, customers are ill-informed about the kinds of cyber risk (such as business loss) that cyber insurance covers, and are even less aware of the scope and amount of coverage that would suit them. Cyber insurance may not cover all indirect consequences of a cyberattack. Many businesses base their purchasing decisions on industry benchmarking rather than on their actual needs, because they are unaware of their own financial exposure. One of the greatest challenges is state-sponsored cybercrime, which leads to enormous losses; insurers may include a war exclusion clause to avoid bearing the burden arising from such attacks.
Additionally, cyber insurance in India, even though projected to boom, is still in its nascent stage, and the premium pool available to absorb losses is insufficient. For instance, approximately 250 companies purchasing at least $200 million in insurance collectively could exhaust an entire year's premium, with just five insured losses slightly surpassing that amount. These companies constitute only 2% of the market, and the time required for insurers to recover from such losses could span decades. Consider the roughly 40 companies holding at least $500 million in coverage: two total losses could offset a year's premium, and insurers might have to wait half a century to recoup sufficient premium against such losses.
Conclusion
Although cyber insurance is in its initial stage, it has the potential to address cyber legal compliance issues. With the projected boom in India, the government must take responsibility for ensuring that effective regulatory machinery is put in place. The RBI and IRDAI regulations may be effective, but they serve only a partial purpose. A holistic fulfilment of the objective can be realised through a dedicated law on cyber insurance, which would be effective in overcoming the challenges discussed above.