Taming the Cyber Insurance Dog… Key lies with IRDA

“Cyber Insurance-a dog that can bite you and itself” says my friend  Mr Dinesh Bareja (Information Security Expert) in an interesting article. Mr Dinesh has well brought out the risk of an insurance company being sued by its client when there is a rejected claim. He has also pointed out how many insurers may find themselves unable to enforce the insurance claim even after incurring the cost. He has rightly concluded that both the Insurer and the Insured will learn in due course how to keep the Cyber Insurance dog under a tight leash.

Let me add to the comments of Mr Dinesh….

Cyber Insurance is a legitimate tool of an Information Security Manager for “Transferring the Risk” at a cost to an insurer. This is after he has taken reasonable steps to mitigate and avoid. The goal of an Information Security manager (ISM) is to ensure that the “Residual Risk” is within the “Risk Absorption” capacity of the organization as set by the Financial Managers.

However, in most practical situations, Cyber Insurance Contract is not conceived and structured with a good assessment of “Total Risk” reduced by  “Avoided Risk”, ” Mitigated Risk” and “Risk Absorption capacity”. (All reduced to a common denominator of Money).

I am not sure if any ISM has ever made a presentation to the Board stating to the effect that….”Our Cyber Risk is estimated to be around 100 crores to the best of our knowledge and ability…. By avoiding this process we can reduce it to Rs 80 crores….. By our ISM we can bring it down to Rs 10 crores…… Beyond this ISM cannot mitigate and the organization needs to absorb or cover through Cyber Insurance if possible.

In order to make an assessment of the kind above, we need to have metrics to evaluate our ISM program. If we intend to cover the residual risk with  Insurance, the best option is to work along with the Cyber Insurance Company what they consider as adequate “Information Security” and develop a mutually acceptable information security program.

If the Information security program of a company is approved by the Cyber Insurance Company, there will be less opportunities for rejection of claims and litigation between the Insurer and the Insured. But the Insurance industry is not interested in this approach for reasons stated below.

We should always remember that Indian Insurance Industry is working under the concept of “All Insurance Contracts are “Uberrimae Fedei Contracts”. Uberrimei Fedei contracts are contracts of “Utmost Faith” where the insured (applicant) has the onus of disclosing all matters that may affect the decision of the Insurer (The Cyber Insurance Company) in accepting the proposal. The Insurer has no obligation to verify and accepts the proposal as declared. But when a claim situation arises, the Insurance Company will undertake an investigation to find whether the Insured had disclosed all risks as were known to him on the date of the proposal and if there is any short fall, the claim would be rejected. The Insured will end up paying the premium but does not enjoy the benefit of the policy.

This system is to the advantage of the Insurance industry and there is no incentive for them to change it while the user industry has every reason to challenge this proposition.

This nature of the Insurance Contract as a “Contract of Utmost Faith” if accepted, puts the CISO in a spot. If he highlights all the risks, the management may say.. “too bad that you are the CISO”. If he does not…then he is postponing the day of reckoning to the day when the Insurance claim may arise.

In most companies, the CISO is not even consulted when a Cyber Insurance deal is negotiated with a Cyber Insurance Company. Some times, Cyber Insurance is taken because the Business Manager says that the vendor of a data processing contract has made it mandatory. It is only the CFO who takes the decision since he has to write the cheque. He will chose to insure to the extent his budget allows or to the extent a business contract mandates. It would be great if he checks with the CISO but it may not happen all the time. (This was corroborated in our Cyber Insurance Survey 2015).

IS specialists know that apart from all the risks that they are theoretically expected to assess and mitigate there are “Zero Day Risks” that no CISO knows. Ransomware payments in “Bitcoins” may involve an illegal acquisition of bitcoins which the Insurance company may refuse to fund. There is also a difficulty in stating the “Value of the insured assets” since financial valuation of data is difficult. Further most of the insurance claims are not for pre-determinable costs but liabilities that arise based on the third party claims. Hence to state in Good faith that “This is the Risk I face and this is the risk I can mitigate and this is the Risk which I want the Insurance Company to cover” is a near impossibility if we want to respect the “Uberrimae Fidei” nature of Insurance contracts.

Another risk that a CISO finds himself in is that when all the risks that he has identified are not mitigated and/or covered through insurance, when the claim arises, the Insurance company may hold the company of undervaluing its assets for insurance and either call it a fraud or at least reduce its coverage under the clause that “Insured is considered a Co-Insurer to the extent of under insurance”.

It is therefore clear that the decks are stacked against the Insurance seeker and this is one of the reasons that Cyber Insurance is slow to take off. In turn this also puts the Insurance industry in a state that they are not able to spread their risks and bring down the premia. If business expands, it is better for both the insured and the insurer. Efforts are therefore required in this direction.

I refer to my earlier article “If China can have a PRC law, Can we not too have a similar law?..for Insurance?“.

In this article I had highlighted the fact that In China, the Insurance law has been modified to make Insurance contracts, “Contracts of Honest Disclosure” and not “Contracts of utmost Faith”.

We in India need to introduce a similar modification to our Insurance law if we want the Cyber Insurance contract to be a useful tool in the hands of the industry.

What this “Honest Disclosure” could imply is that the Insurance Company is given the freedom to ask as many questions as they like on the “Cyber Insurability” of the proposer and even allow them to do their own risk assessment after which a mutually acceptable premium is fixed for the coverage sought and approved. In such cases, the possibility of a claim being rejected and bad blood developing between the user industry and the Insurance industry would reduce.

In the coming days, the GDPR regulations will force more and more IT companies to look for Cyber Insurance and for the benefit of all the contracts should be made acceptable to both the parties so that there is no misunderstanding.

It is for this reason that any organization that intends to take Cyber Insurance needs to have a suitable consultant to advise them to understand the limitations of what the Insurance company proposes rather than being surprised later at the time of claim.

Some of the Insurers particularly the Banks are used to issuing an RFP and chose the lowest bidder. This approach is dangerous since the RFP will become the base on which the “Utmost Faith” is determined on a later date.

Instead, they should enter into a negotiation with a short listed group of Cyber Insurers and discuss what is possible to be insured and take the insurance contract with the full understanding of what is covered and what is not.

This objective of having Cyber Insurance which is acceptable under a “Negotiated Risk Assessment” between the Insurer and the Insured can be achieved by IRDA coming out with necessary guidelines by declaring “Cyber Insurance” as a separate category of Insurance and instituting the “Honest Disclosure” element as part of the Proposal clearance.

So… the power to tame the Cyber Insurance Dog and make it a saviour of the IT industry without biting its master, now lies with IRDA.

Naavi