Recently, interest in Cyber Crime Insurance has been on the rise in India. According to a recent report in Business Standard, the premia for such policies are around 0.5% to 1.5%.
It is, however, important for the insured to consider what the exclusions in the policy are, and whether there is clarity on the valuation of the insurable assets at the time of purchase and on the valuation of claims.
According to the above Business Standard report, “distribution of unsolicited email”, “wire tapping”, “eavesdropping”, “fraudulent acts” and “failure to maintain standard computer security” are some of the major exclusions.
Of the above exclusions, the failure to maintain standard computer security is understandable. However, what constitutes “Standard Computer Security” is debatable.
It is also not understandable how “eavesdropping”, “fraudulent acts” etc. can be excluded. If these exclusions apply, insurance companies must be considering more of “Loss due to technical failures” rather than “Loss arising out of Cyber Crimes”.
Technical failures may lead to loss of data. However, in most of the cases where a claim is to be preferred, there will always be a human hand, malicious or otherwise. Hence “Fraud” cannot be eliminated from the risks, and if “Frauds” are excluded, there is insufficient coverage. Also, if the coverage does not cover “Liabilities” arising out of the security breach, it is not beneficial to the insured.
The question of “Standards” is always dicey. At present, the law in India requires “Reasonable Security Practice”, which is often not interpreted properly by companies. Hence what constitutes “Failure to meet Security Standards” is always a debatable issue. While many may be able to produce a certificate such as an ISO audit or a PCI DSS audit, these do not constitute indisputable standards under the “Reasonable Security Practice” under ITA 2000/8.
It would be interesting to see how insurance companies define such exclusions. Unless some data is built up over time on the claim settlements of different companies, it is difficult to evaluate which policy is better for a prospective insurance seeker.
As regards valuation, in a liability insurance the value of the asset has to be based on the value of “Information” rather than the value of the hardware and software. Hence in companies where “Data Loss” is the prime criterion, the “Data” needs to be valued. Whether this will be based on acquisition cost, replacement value or liability potential is a matter to be discussed. Normally the acquisition cost of data is relatively low while the liability potential is high. The insurance premium would therefore be on the lower value but the claims would be on the higher value.
According to one of the recent security reports, in case of data breaches the biggest loss comes out of the “Reputation Loss”. Whether it is possible, at the time of insurance, to add the “Value of Reputation” as part of the assets to determine the premium is therefore a valid point for discussion.
The role of insurance brokers is therefore probably very critical at the current juncture, since they need to ensure fair coverage for their clients at affordable premia.
We need to watch the performance of such insurance brokers.
Naavi.org calls upon insurance seekers to share their experience with insurance companies and insurance brokers so that we can evaluate their performance from time to time.