On 7th February 2020, I attended a day long seminar in Hotel Trident, Mumbai organized by the National Insurance Academy Pune jointly with Swiss RE.
The program titled “Digital Disruption..Embracing Digital Innovation in [RE] Insurance business” was a grand success and well attended by all the Insurance Professionals. It was inaugurated by the Chairman of IRDAI in the presence of the CMD of LIC and other dignitaries.
While there was interesting discussions on the innovative use of technologies in Insurance, there was also a discussion on Cyber Insurance.
Despite the enormous enthusiasm that the industry is showing towards the adoption of technology, it was observed that the industry appears to be significantly lagging behind the developments in the field of Cyber Insurance and needs to re double its efforts in developing the Cyber Insurance products and services.
I had observed in my earlier article “Golden Era ushered in for Cyber Insurance industry through personal data protection act of India” that there was a huge opportunity begging to be harnessed by the industry consequent to the Personal Data Protection Act that is on the anvil.
However the industry appears to be even now looking at only how to adopt IT in their traditional Insurance business and the level of adoption of risk assessment and insurance coverage in the Cyber Space is in very nascent stages. It appears that the insurance industry in India will miss the Gold rush arising out of PDPA.
More importantly, if the Insurance industry does not gear up to the needs of the industry which will be embracing the PDPA, the industries who will try to adopt PDPA will be left high and dry unable to get adequate coverage they would be looking for. In the process there will be many insurance contracts which are likely to be written without a proper understanding of the inherent risks covered. In a way the industry has to go through a period of blind PDPA Risk coverage policies which will be only on paper and would neither be useful to the insurer or the insured.
During the discussions it was a surprise to note that there was no mention of the recent Breach Candy hospital data breach which should have actually dominated the discussions if there was a proper appreciation of the impact of the industry had it come after the PDPA was in force.
There was also a lot of discussions on the use of AI in Insurance which needs to be moderated and adopted to the advent of the PDPA. There was a complete lack of the recognition that many of the AI solutions will have a serious conflict with the PDPA.
It was interesting to note that the IRDAI has recently introduced a “Sand Box” system for the insurance industry to test new products. Since the PDPA is also coming out with a Sand Box concept of its own, the users of new Insurance Products based on the use of AI will need to contend with two Sand Boxes, one for the use of personal data in developing profiles of the insured which will be under the under PDPA and the other for the structuring of the insurance policy.
Naavi pointed out that PDPA will usher in new challenges such as providing a cover for the “Administrative Fines” which will conceptually mean coverage of failure to do the obvious. The industry will have to decide on the coverage based on the reasons for which an administrative fine is imposed. If the reason is an external cyber attack, the coverage may stand. But if the main reason is failure of the internal systems then there could be a resistance from the insurance industry to honour a claim.
Naavi also pointed out the difficulty in valuing the personal data since its value in the hands of the data fiduciary/processor would be varying as it travels through a life cycle. Even the data ownership may change during the lifecycle of personal data requiring proper capturing of the ownership in the insurance contracts. (Some of these problems would be evident to readers who go through Naavi’s recent book on PDPA).
Naavi also pointed out the conflict with the general principle of “Co-Insurance” when the limit on administrative fine under PDPA is defined as 4% of the Global turn over. Since this becomes the bench mark of “Insurable Interest” for a company, if the actual policy for administrative fines is less than 4% of global turnover, then there could theoretically be an “Under-Insurance” of the liability.
Additionally the PDPA Risk is almost always a risk of “Consequential Loss” while the primary risk is one of a “Cyber Crime” arising out of information security failure. Hence the risks covered under the existing Cyber Insurance policies themselves expand to invoke the administrative fines under the PDPA unless they are specifically excluded.
In view of all the complexities that the Cyber Insurance as well as the PDPA Risk insurance involves, a time has come for the industry to think if there is a need to make a major surgical change to the Insurance law in India on the lines of what China has done, by giving up the principle of “Utmost faith” to a contract of “Honest disclosure”.
Without this major change in Insurance law, it will be difficult for the industry to provide the required risk coverage to the industry arising out of Cyber Risks and PDPA risks.
Hope the IRDAI and the Government will take a look at this requirement.
In the immediate future, IRDAI has to try to establish some codes and practices that it can suggest to the DPA so that the insurance industry is able to adopt to the PDPA without much of a problem. If necessary, IRDAI should set up an expert committee for this purpose at the earliest.
One of the requirements that will arise in the context of the inability of the insurance industry to come up with a suitable product is for the other sectoral industry regulators come up with a concept of “Peer to Peer Insurance” through the constitution of a “Data Insurance Fund” on the lines similar to the Deposit Insurance and Credit Guarantee Fund” in the Banking industry. I will expand on this concept in subsequent articles.