Cyber Liability Insurance Policy: Coverage, Benefits, Cost, Providers, Companies and Claims

A Cyber Risk or Cyber Threat is the potential of loss, harm or disruption resulting from breaches of or attacks on information systems. It is something which results from widespread use of internet enabled devices like Mobile Phones, Tablets, Desktop, Laptop anything which has access to the Internet.

With the increasing trend of digital transformation of the society and increased use of internet enabled digital devices, it has become easy for hackers (who are engaged in unethical practices) to exploit the vulnerabilities of such digital devices and use this opportunity to rob people of money and data.

Today a large part of business is conducted online. No business in today's times can work completely without online networks.

However, conducting business online has its own share of risks. The incidents of cyber-attacks resulting in data breaches is increasing by the day. Such data breaches can cause immense reputational and financial damage for businesses.

Additionally, apart from data breaches, there have been incidents of Cyberattacks like NotPetya and WannaCry which injected malicious malware in thousands of computers across the world and paralysing businesses. In fact, many executives have commented that Cyber Risk is one of the biggest risk that their business is facing. According to this report India has reported a 37% increase in Cyberattacks in Q12020 .

With increasing use of Internet enabled devices, the incidents and costs of Cyber Attacks are only bound to increase in the future.

As a result, a Cyber Security Insurance Policy is extremely important for businesses to protect themselves from risks of Cyberattacks.

A Cyber Insurance Policy usually includes the following coverages:

• Security Breach and Privacy Breach: A Cyber Security Insurance Policy provides coverage for breach of commercially confidential information, personal information, employee information or information outsourced by the Insured Party to contractors, subcontractors, vendors or any other third parties. The Cyber Insurance Policy in India will pay all costs that the Insured Party becomes legally obliged to pay including liability for for claimants' costs and expenses and Defence Costs resulting from any Claim made against the Insured Party following a Security Breach and Privacy Breach Incident.
• System Damage: A Cyber Risk Insurance Policy will pay for Rectification Costs incurred in retrieving, repairing, restoring or replacing any of the Insured's Computer Records (or any other Computer Records for which the Insured is responsible) that have been destroyed, damaged, lost, altered, distorted, erased or mislaid (and which after diligent search cannot be found) as a direct result of any Cyber Event first discovered by an Insured and notified to the Insurance Company in writing as soon as possible during the Policy Period.
• Hacking or Computer Virus Transmission: A Cyber Liability Insurance Policy in India will pay for all costs that the Insured Party becomes legally obliged to pay including liability for for claimants' costs and expenses and Defence Costs resulting from any Claim made against the Insured Party and notified to the Insurance Company in writing as soon as reasonably possible during the Policy Period as a direct result of any Third Party's financial losses arising directly from
  • a Hacking Attack or Virus that has emanated from or passed through the Policyholder's Computer Systems; or
  • a Hacking Attack or Virus that restricts or prevents access to the Policyholder's Computer Systems' by Third Parties authorised by the Insured to gain such access
  • the loss or theft of the Policyholder's data or data for which the Policyholder is responsible or alleged to be responsible for, arising directly from a Hacking Attack or Virus

• Multimedia Liability: A Cyber Insurance Policy will pay for all costs that the Insured Party becomes legally obliged to pay including liability for for claimants' costs and expenses and Defence Costs resulting from any Claim made against the Insured Party and notified to the Insurance Company in writing as soon as reasonably possible during the Policy Period as a direct result of
  • libel, slander or defamation;
  • invasion of or interference with the right to privacy, including those of Employees, or commercial appropriation of names or likeness;
  • plagiarism, piracy or misappropriation of ideas;
  • infringement of copyright, domain name, commercial title or slogan, the dilution or infringement of trademark, service mark, service name or trade name

arising directly from the Policyholder's Internet and Email Content; or the Policyholder's Promotional Material; or third Party digital content downloaded, shared or distributed from the Policyholder's Computer Systems

• Cyber Extortion Cover: A Cyber Insurance Policy in India will pay Cyber Extortion Costs following a Security Threat against an Insured Party.
• Business Interruption: A Cyber Policy Insurance pays for Business Interruption loss Incurred during the Indemnity Period as a direct result of an Cyber Event during the Policy Period.

Cyber Insurance Policy Coverage is exhaustive and is thus very important for a business owner

A Cyberattacks and Security Breach will result in destabilisation of business operations. The Business Interruption has an adverse impact on financial profits of the company.

Disclosure of Confidential Data in a Data Breach Incident has an adverse impact on Company's reputation and might also make existing and prospective customers hesitant to do business with the impacted company as the customers are not confident about the security of their confidential data.

A Data Breach Incident might also result in regulatory scrutiny from the regulators which might also result in fines and penalties as well.

So, the impact of Cyberattack and Data Breach is not restricted only to the company's computer systems but it can impact a company in many ways. The impact may result in severe financial losses for the company.

According to the Chubb's Global Claims data (December 2017) the losses that arise as a result of a Cyberattack on a company's network are as follows:

• Forensic Costs
  is the largest cost component of a Cyber Incident. If there is a Data Breach, it is necessary to appoint a forensic expert to examine a company's network and systems to determine the exact cause of the Data Breach.

  Forensic Experts will pinpoint the vulnerability which was exploited for the Data Breach. The Costs of Forensic Costs have increased with the passage of time.

• Notification Costs:
  If there is a Data Breach incident which has compromised the data of a company's customers, it becomes the company's responsibility to notify its customers that their data has been compromised.

  Consider the example of a recent incident where the Email Ids and Passwords of Yahoo's users was compromised on the dark web. Post the Incident, Yahoo notified its customers requesting the customers to change their account passwords since it was compromised. Yahoo acknowledged as well as notified the Data Breach. The Data Breach Notification can be notified through a Website or through Television.

  Such Notifications costs are substantial costs that need to be incurred following a Cyber Incident. These Notification Costs have increased substantially with the passage of Time.

• Credit Monitoring Costs:
  If a company stores its customer's Credit Card or any other payment-related Information, it becomes necessary for the company, which has suffered from Data Breach, to monitor the impacted customer's credit card information for the next 1 year to ensure that any unauthorised transactions haven't taken place on the customer's credit card. Credit Monitoring Costs are also going up with the passage of time.

• Crisis Management Costs:
  A Cyberattack on a company's network results in an adverse impact on the company's reputation. In order to protect and rectify the company's image, the company might need to take help of Public Relation companies. This might result in substantial Public Relation Expenses for the affected company.

First Party Liability Coverages under a Cyber Insurance Policy are as follows:

• E-Theft Loss
  E-Theft covers loss due to unauthorised or fraudulent data input in the system which has been hacked or compromised resulting in a fraudulent fund transfer and thus a loss to the Insured Party. The Cyber Liability Insurance Policy will pay for such fraudulent transaction or fraudulent transfer.

• E-Communication Loss:
  If there is any fraudulent mail sent by the Insured to its customers resulting in a fraudulent fund transfer/payment by the customer, where such payment shouldn't have been done by the customer since it is based on a fraudulent email with a malafide intention to rob the customer, it is known as an E-Communication Loss. A Cyber Insurance Policy will cover any kind of loss resulting in E-Communication Loss

• E-Threat Loss:
  E Threat Loss is a major concern today. Here, the hacker hacks into the system and encrypts important data which can be unlocked or decrypted only on payment of ransom. This is known as E-Threat and today a major number of cyberattacks today are in the form of E-Threats only. E Threat Loss thus relates to losses or Expenses borne by the Insured to pay the Ransom.

• E-Vandalism:
  E-Vandalism loss means that if the Insured's servers, computers, storage drives hardware or network systems are vandalised out of malafide intention, the Cyber Insurance Policy will cover the costs of restoring or reconstituting the data under E-Vandalism Loss Section of Cyber Insurance Policy.

• E-Business Interruption:
  E-Business Interruption is one of the most important coverages of a Cyber Liability Insurance Policy. Business Interruption means that if your system is down and not running because of a Cyberattack, the resultant loss of Net Profit and fixed expenses that are incurred to run daily activities will be paid under the E-Business Interruption Cover of a Cyber Insurance Policy.

The following expenses are covered under a Cyber Insurance Policy:

• Privacy Notification Expenses:
  Privacy Notification Expenses Cover under a Cyber Liability Policy covers the cost and expenses that have to be incurred by the Insured in notifying the impacted customers or users of a Data Breach or Cyberattack Incident. Such Privacy Notifications Expenses are substantial costs that need to be incurred following a Cyber Incident. These Notification Costs have increased substantially with the passage of Time.

• Credit Monitoring Costs:
  If a company stores its customer's Credit Card or any other payment-related Information, it becomes necessary for the company, following a Data Breach of its systems, to monitor the impacted customer's credit card information for the next 1 year to ensure that any unauthorised transactions haven't taken place on the customer's credit card. A Cyber Insurance Policy will cover such Credit Monitoring Costs.

• Crisis Management Costs:
  A Cyberattack on a company's network results in an adverse impact on the company's reputation. In order to protect and rectify the company's image, the company might need to take help of Public Relation Companies to protect and rectify its image. This results in substantial Public Relation Expenses for the affected company which will be covered under a Cyber Insurance Policy.

• Forensic Costs:
  When a company suffers from a Data Breach incident, it will need to hire Forensic Experts to examine a company's network and systems to determine the cause of the Data Breach. Forensic Experts will pinpoint the vulnerability which was exploited for the Data Breach. The Costs of Forensic Costs have increased with the passage of time.

• Reward Expenses:
  A Cyber Insurance Policy will reimburse the Insured for rewarding an informant for pointing out the vulnerabilities and loopholes of the system. This enables the Insured to take corrective action to plug the loopholes and protect its network and systems from Cyberattacks. Such Informants are normally Ethical Hackers or Bounty Hunters. A Cyber Insurance Policy will also cover such Reward Expenses.

A Cyber Insurance Policy offers the following Third Party Liability Coverages:

• Disclosure Liability
  If you are running a system which has faced a Cyberattack resulting in dissemination of critical information on a public domain, the affected 3rd Party can hold the Insured Party legally liable for the data breach. A Cyber Liability Insurance Policy will cover such costs related to the Data Breach under the Disclosure Liability Section of the Policy.

• Conduit Liability:
  Consider a case where a service provider company is offering technology-based products like applications, softwares, cloud-related softwares to its customers.

  If there is a cyberattack on the Insured's software or a vulnerability in the software is exploited which results in damage to third party systems, the legal liability and the costs related to the damage to the 3rd party systems will be covered under the Conduit Liability Section of a Cyber Insurance Policy.

• Impaired Access Liability:
  If there is a Denial of Service (DOS) or a Distributed Denial of Service (DDOS) attack on the Insured Party's System which impairs the client's ability to access the Insured's system thus impacting profits, the costs and damages related to such attacks will be covered under the Impaired Access Liability Section of a Cyber Liability Insurance Policy,

• Content Liability:
  The Content Liability Section of the Cyber Insurance Policy will cover losses related to Intellectual Property Infringement like Company Trademarks or Patent. Foe eg: The Insured Party had kept the Customer's Trademark or Patent on the company's network which was subject of a Cyberattack resulting in publishing of sensitive Trademark/Copyright/Patent Information on a Public Platform. The Customer can hold the Insured Party legally liable for the Data Breach and can ask for compensation. Such Content Liability Claims will be covered under the Content Liability Section of the Cyber Insurance Policy

• Reputational Liability:
  Consider a case where the Insured Company's network or system has been subject of a Cyberattack resulting in dissemination of such information which has negatively impacted the client's reputation. Such Claims relating to Data Breach Incidents where the reputation of the Insured's Client has been negatively impacted will be covered under the Reputational Liability Section of the Cyber Insurance Policy

• Defence Costs:
  A Cyber Insurance Policy also pays for the legal defence costs associated with defending cases arising out of Cases filed by 3rd Party Customers claiming damages on account of a Cyberattack on the Insured's System.