Why does ITA 2008 Compliance enhance Insurability?

It is one of the established principles of Insurance that when the Insurance Company pays a claim, it makes every effort to recover its loss by whatever means possible. When the loss has been caused by a Cyber Crime, the Insurance Company tries to recover its losses by pursuing the legal options against the criminals/accused.

In order to pursue legal options against the accused, the Insurance Company needs to step into the shoes of the victim and fight the case in a Court of law. This right is called the “Right of Subrogation” and is considered a natural ingredient of all Insurance Contracts. The principle of subrogation also creates certain responsibilities for the insured. It is expected that, despite having insurance, the insured takes the same protective measures for the insured asset as he would take if there were no insurance. In other words, the insured should not be negligent in his security measures merely because there is an insurance company to cover his losses.

Obtaining insurance therefore does not absolve the company of the need to maintain a good Information Security practice. In fact, Insurance creates a fiduciary responsibility for the insured to protect the interests of the insurance company. One such responsibility is to remain in a good legal position to pursue recovery of losses from the accused.

If the insured company has a legal right against the accused, it can transfer this right to the insurance company after the claim is settled, so that the insurance company can continue the legal action. However, if the insured has lost its legal remedy against the accused through negligence, the Insurance company may take the stand that the insured company has not acted in good faith in protecting the legal interests of the insurance company when it exercises its right of subrogation.

Normally, we do not expect the Insurance company to take such an unfriendly stance. But if the loss is substantial, it is not prudent to ignore this risk.

When a claim is made, an assessor of the Insurance company will assess not only the value of the loss but also the reason for the loss and the status of the subrogation rights. For the claim to be approved, the reason for the loss should indicate neither abetment of a crime by the insured nor an irresponsible, reckless attitude that might have caused the loss or that makes it impossible for the subrogation rights to be effectively pursued.

The means by which an insured company can document and prove that it has not lost the subrogation rights through negligence is by following the principle of “Due Diligence” as envisaged under ITA 2008. Hence ITA 2008 compliance could be the differentiator between the insurance company having an effective subrogation right and having a diluted subrogation right or none at all.

In other words, an Insurance Company could prefer a company with ITA 2008 compliance to another without it, for determining the eligibility for insurance or for considering a premium reduction or for easy claim settlement. Hence ITA 2008 compliance could improve the insurability of a company under a Cyber Insurance policy.

Not all Information Security professionals may agree with this stand. Insurance Companies may also contend that they are not so mean as to reject a claim for lack of subrogation rights. Well, opinions may differ. The best thing to do when there is disagreement is to find out what the majority of people in the market and the experts think. This is one of the views that the India Cyber Insurance Survey 2015 aims to capture.

Don’t miss participating in the survey and expressing your opinion today. Also ensure that your friends participate in the survey by passing on this information and sharing it with your social media friends.

Naavi


Posted in Cyber Law

Is Domain Name an Insurable Asset?

Ever since the Internet became a key channel of contact with prospective customers for a business entity, domain names have become an important identifier that enables this customer connection. Today, a domain name is the most important element of “Brand building”. Facebook and Twitter handles sometimes act as extensions of this identity in the social media space. Presently mobile Apps are also gaining importance as business tools, and soon the names of mobile apps will also be considered important brand contributors.

If I am a corporate CEO, I understand that building a brand costs money as well as time and effort. If, therefore, I have built a certain value for my brand, I would like to ensure that this value is reflected in my asset register and in the balance sheet. At the same time, I am aware that if for any reason I lose this asset, my company will lose value. I should therefore protect my “Domain Name” as an asset like any other tangible asset.

A domain name is a peculiar kind of asset. It is intangible but has a cost and is transferable. It has a cost of acquisition when acquired from the registrar but may be transferred for a premium thereafter. Though it is an asset created out of a contract between the registrant and the registrar and backed by the system managed by ICANN, it is considered more as a form of “Intellectual Property” akin to a “Trade Mark” and is treated as such in case of disputes.


The UDRP process, or the accompanying INDRP or URS dispute resolution processes, determine how ownership of a domain name changes hands in case of a dispute.

A CEO should normally be worried about a circumstance in which a brand on which he has invested money, and which he has chosen as a domain name, suddenly comes under dispute and he has to part with it. A natural thought that occurs to him at this stage is “Can I insure against this domain name loss risk?”

If a domain name is an asset, then it is logical that it should be insurable. If so, the issues to be settled are: what is the value up to which a domain name is insurable? What protective measures should a domain name owner take before registering a domain name, after registering it, and when a dispute is raised? He also needs to consider what premium is payable and what the claim settlement process is.

Presently, there does not seem to be clarity on these issues either in the corporate world or among the Cyber insurance companies, and we need to find out the current status of insurability of a domain name and other similar assets such as “Potential trademarkable assets”.

The India Cyber Insurance Survey 2015 is expected to throw some light on this issue. If you are a corporate manager or even an ordinary Netizen, you might have a view on this issue, and you need to express it by participating in this one-of-a-kind survey that tries to capture the perception of Cyber Insurance as a product.

If you have not so far participated in the survey, do so now. The online survey questionnaire is available here.

Naavi

Posted in Cyber Law

If there is a “Glassdoor Attack” on my company, am I covered by Cyber Insurance?


Indian Companies are facing a new kind of reputation attack: disgruntled employees posting defamatory messages through companies such as Glassdoor, which have built a business model around monetizing the disgruntlement of employees. The essence of this model is to encourage employees, present and former, to write a review about their employer so that it serves as a guide to others who may be seeking employment in the company. There are also similar companies, such as Mouthshut, that operate in the area of products and services and ask product users to write reviews about their product experience.

At first glance, such services appear to be oriented towards consumer information, since they help people who would be dealing with the company to get information that can help them make an informed purchase decision.

However, in practice we often find that disgruntled elements use such opportunities to post unsubstantiated defamatory comments which can unfairly hurt the genuine business of the Companies.

Among such companies that have built a business around publishing consumer responses, those like Glassdoor stand out since they publish remarks from those who pose as present or former employees. Compared to product users, employees have a close emotional attachment to a company, and hence when they are dissatisfied their reactions tend to be more volatile and vindictive. Competitors can also use the service to hurt their rivals. Human tendency is such that when we feel good about another person we keep it to ourselves, but when we feel bad we tend to go the extra mile to “teach a lesson”. Hence negative comments of employees always find more expression than positive comments. By their very design, therefore, such services are geared to making money out of negative responses.

Some organizations try to achieve a balance by having their PR firms monitor the negative postings and counter them with matching positive postings. But ethical companies try to avoid such artificial means of creating a positive opinion and either live with the reputation loss or look for other options.

When the reputation of a company gets hurt by motivated employees who are either unhappy with their promotions or aggrieved at having been removed from service, the victim companies need to launch legal action against the erring employee or ex-employee as well as the abetting service provider like Glassdoor. However, many of these services take shelter under privacy concepts, hide the identity of the persons posting the remarks, and seek privileged protection under freedom of speech regulations both in India and in their own countries.

As a result, the victim companies are denied the legal remedy available to them through Courts. A legal discussion on the right of such companies to hide behind the glass door of privacy and throw stones at others is out of place here. These companies survive largely because the cost of pulling them up legally is considered uneconomical for most business entities. Indian law under ITA 2008 coupled with IPC is still strong enough to deal with such issues, despite the erroneous deletion of Section 66A by the Supreme Court.

This loss on account of reputation risk cannot be avoided, since employer-employee relations do go sour for various reasons. There is one employer and many employees, and it is unthinkable that there would be any company which does not have one or more disgruntled employees to contend with.

Information Security professionals cannot defend against this type of risk through technical means. Hence the risk cannot be mitigated either.

The only other options are “Risk Absorption” and “Risk Transfer”.

But corporate risk managers consider it necessary to defend against such risks, which have an adverse impact on the business of the company, and they cannot absorb the risk indefinitely.

The natural question that follows is therefore whether such a risk is covered by a Cyber Insurance Policy, so that it can be transferred.

If a Cyber Insurer is made to pay for the reputation damage caused by a defamatory remark posted on, say, glassdoor.com, then the Cyber insurance company will take up the legal battle against the offending website which has abetted the disgruntled, vindictive employee, or at least bear the cost of such a legal fight. The advantage for the Insurance company in fighting such battles is that it can aggregate several losses of this kind and find the means to fight a battle even in a foreign country. The legal fight therefore becomes feasible for an Insurance company.

If you are a corporate manager, therefore, you would like to know if Cyber Insurance policies cover such reputation damages. We are trying to understand what the market perception on this is through the India Cyber Insurance Survey 2015. Participate in the survey and record your views so that they become a guide to the Insurance companies in structuring their policies.

Naavi

Posted in Cyber Law

If I am ISO 27001 certified, am I getting a premium cut for Cyber Insurance?


Cyber Insurance is a means of transferring the risk that an organization is unable to avoid, mitigate or absorb.

However, when a company approaches a Cyber Insurer or a Cyber Insurance Broker and the question of the cost of insurance crops up, an Information Security Professional is bound to ask whether his company is considered a “Standard Risk”, a “Sub Standard Risk” or a “Super Standard Risk”. The expectation is that if a Company has undertaken more than average measures to secure itself and reduce its risks, it should get some advantage on the premium front. For example, if a Company has spent money in getting itself certified for ISO 27001, it is a natural expectation that the risk levels in that company should be lower than in other comparable entities. Hence it should be considered a “Super Standard Risk” and given a corresponding reduction in premium. Conversely, if the information security preparedness of an organization is low, then the insurance company is entitled to consider the subject a “Substandard Risk” and charge a risk premium.

In practice, however, a company may not know how much value its ISO 27001 certificate provides. Alternatively, it may not know what a COBIT audit, a PCI DSS audit or multiple audits are worth. Often an entity will have undergone a security audit by its client without being certified under ISO or COBIT. In such cases, the company would like to know if there is any difference in the premium charged by an Insurance company.

This is also a very important aspect for Information Security professionals, since any reduction in Cyber Insurance Premium on account of the Information Security implementation status of a subject company would directly determine the Return on Investment for the money spent on the CISO or the ISMS.

Well, it is time that we, the potential buyers of Cyber Insurance and the Information Security professionals, know what benefit a Cyber Insurance Company attributes to our Information Security initiatives.

We expect that some light will be thrown on this issue in the India Cyber Insurance Survey 2015 presently being undertaken in India. The survey will capture what the industry expects in this regard, and hopefully we will also capture whether there is any gap in perception between what we think it should be and what it actually is.

On your part, please participate in the survey and let your views be recorded.

Naavi

Posted in Cyber Law

Should Zero Day Vulnerability be covered under Cyber Insurance?


A Google researcher has just released information about a vulnerability in Windows 8.1 which has remained unpatched for more than 90 days, even after Microsoft was informed about it.

Read the Details here

A discussion is going on about whether Google was right in publishing the vulnerability, which could exist in millions of computers worldwide and could be exploited for the commission of various kinds of Cyber Crimes.

Ethics apart, this also raises the issue of what happens to the thousands of computer users who may find the vulnerability exploited by a criminal who either uses it to siphon off money from Banks and other financial assets or simply uses it for e-extortion.

Until Microsoft itself is able to find a solution, it is unfair to expect any user, or a CISO in an organizational environment, to be able to defend effectively against this vulnerability.

This raises another question in the minds of conservative corporates who may be inclined to cover every known or unknown risk with an insurance cover: whether an “Attack based on a Zero day vulnerability” would be within the scope of the insurance policy.

What if an Insurance company equates this to an “Act of God” kind of event, or at least a “Special Premium” case, and refuses to cover the losses under the current standard policy?

Will the status of the risk change after it has become public knowledge, so that exploits before the disclosure date would be covered but those on subsequent days would not?

Well, these are the issues that the insurer and the insured need to discuss and settle at the time of writing the contract.

We are trying to understand what the market perception on this issue is in our India Cyber Insurance Survey 2015. Please participate in the survey and contribute your thoughts to the pool. You can access the survey form here:

https://fs22.formsite.com/SBYrSa/form2/index.html

I would appreciate it if you could also ask your friends to participate and contribute their views to make the survey a success.

Naavi


Posted in Cyber Law

Is Cyber Insurance a B2B product or a B2C product?


Insurance is a means by which certain risks are transferred to an expert. All of us are familiar with Life Insurance, Health Insurance and Motor Vehicle Insurance. We take insurance because we know that a certain contingency needs to be covered. In the case of Motor Vehicle Insurance, part of the insurance, namely damage to third parties, is mandated by law, while part is prompted by the need to cover a contingent loss in case of loss or damage to the insured asset or the insured.

All of us who use a computer or a mobile in some form are exposed to the risks of Cyber Crime. We often hear of Bank frauds, Credit Card frauds or ATM card frauds. We also hear about reputation damage, broken marriages, lost jobs etc. because of harmful content being posted on Facebook and similar sites. These are Cyber Risks that haunt every Netizen and sometimes even those who never want to touch a computer.

Today the environment is adopting the use of technology at such a pace that users have little time to adapt. Also, technology developers have accepted that there is no “Safe” technology and push the usage of products which are riddled with “Vulnerabilities” often unknown to the creators themselves.

Commercial organizations adopt technology and use it in their service to customers because of commercial advantages such as usage features and economy. They also push technology even before the risks of its usage are properly evaluated and safeguarded against. For these organizations, it is a question of revenue and profits.

As part of a natural progression in society, technology is presently engulfing the area of Governance also. The Digital India concept indicates such a scenario, where the Government will force the adoption of technology on its citizens.

When individuals voluntarily adopt a technology, they assume the risks themselves. But when a Government forces adoption on its Citizens, there is a moral responsibility for the Government to ensure that citizens are not pushed to levels of insecurity that they cannot withstand.

We know that sometimes we all have to take tough decisions in life, and so does the Government when it has to take decisions on the adoption of new technology with unknown risks.

But the Government can soften the potential damage through various measures. One such area is in the provision of “Cyber Insurance” as a cover for risks that may be generated with the increased adoption of technology by the society.

Over the last two days, deliberations were held at Bangalore under the aegis of the DSCI on building an Architecture for Digital India. During these deliberations the undersigned did raise the need to promote “Cyber Insurance For All”. While the industries readily agree that their own cyber risks can and should be insured at an affordable cost as a means of “Transfer of Risk”, there is some hesitation when it comes to taking a view on whether Cyber Insurance should be available to the public. The reason could be an apprehension that the cost of such insurance would fall on the industry.

One of the questions which we need to answer is therefore “Whether Cyber Insurance is only a B2B product/service and not a B2C product/service”.

We would like to know what you think about this question. If you have a view on this, please participate in the India Cyber Insurance Survey 2015 and record your views on various aspects of Cyber Insurance. Your views can shape the future of Digital India.

To access the survey, visit here: India Cyber Insurance Survey 2015

Naavi

Posted in Cyber Law