It is one of the established principles of Insurance that when the Insurance Company pays a claim, it does make its efforts to recover its loss in whatever manner possible. When the loss has been caused on account of a Cyber Crime, the Insurance Company tries to recover its losses by pursuing the legal options against the criminals/accused.
In order to pursue legal options against the accused, the Insurance Company needs to step into the shoes of the victim and fight the case in a Court of law. This right is called the “Right Of Subrogation”. This is considered a natural ingredient of all Insurance Contracts. The principle of subrogation also creates certain responsibilities to the insured. It is expected that despite having insurance, the insured has to take such protective measures about the insured asset as he would take as if there was no insurance. In other words, the insured should not be negligent in his security measures because there is an insurance company to cover his losses.
Obtaining insurance therefore does not absolve the company to have a good Information Security practice. In fact, Insurance creates a fiduciary responsibility for the insured to protect the interests of the insurance company. One such responsibility is to be in a good legal position to pursue recovery of losses against the accused.
If the insured company has a legal right against the crime accused, it can transfer this right to the insurance company after the claim is settled so that the insurance company can continue its legal action. However, if out of negligence the insured has lost legal remedy against the accused, it is possible for the Insurance company to take a stand that the insured company has not acted in good faith in protecting the legal interests of the insurance company upon exercise of its right of subrogation.
Normally, we donot expect the Insurance company to take such an unfriendly stance. But if the loss is substantial, it is not prudent to ignore this risk.
When a claim is made an assessor of the Insurance company will not only assess the value of the loss but also the reason for the loss and the status of the subrogation rights. For the claim to be approved, the reason of loss should not indicate abetment of a crime by the insured and also an irresponsible reckless attitude that might have caused the loss or makes it impossible for the subrogation rights to be effectively pursued.
The means by which an insured company can document and prove that it has not lost the subrogation rights by negligence is following the principle of “Due Diligence” as envisaged under ITA 2008. Hence ITA 2008 compliance could be the differentiator between the insurance company having an effective subrogation right or a diluted or lack of subrogation rights.
In other words, an Insurance Company could prefer a company with ITA 2008 compliance to another without it, for determining the eligibility for insurance or for considering a premium reduction or for easy claim settlement. Hence ITA 2008 compliance could improve the insurability of a company under a Cyber Insurance policy.
Not all Information Security professionals may agree with this stand. May be Insurance Companies also contest that they are not that mean as to reject a claim for lack of subrogation rights. Well opinions may differ. The best thing to do when there is disagreement is to know what the majority of people in the market and the experts think. This is one of the views that the India Cyber Insurance Survey 2015 aims to capture.
Don’t miss to participate in the survey and express your opinion today. Also ensure that your friends also participate in the survey by passing on this information and sharing it with your social media friends.
Naavi
