The marvellous achievements in the information technology space have also brought with them attendant threats that significantly affect various facets of business operations.

One of the greatest gifts of human efforts working towards improvement of technology is the introduction of the Internet, which has changed the way the world operates. But it has also proven to be a dangerous place, exposing businesses to cyber risks emanating from cyber attacks which have the potential to significantly affect businesses. Cyber risk has become a leading issue for many organizations in an increasingly harsh legal and regulatory environment.

A cyber attack is an attempt by hackers to damage or destroy a computer network or system or exploit its vulnerabilities. Cyber attack means unauthorised access, unauthorised use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organisation’s computer system, causing losses to the victim organisation, and/or may result in Failure of Security or Denial of Service.

  • Failure of Security – Failure of security means failure of the organisation’s hardware, software or firmware (including firewalls, filters, DMZs, computer virus protection software, intrusion deletion or theft and the electronic use of passwords or access codes or similar identification of authorised users) whose purpose is to prevent a computer attack, unauthorised access, unauthorised use and/or disclosure of confidential or private information and/or the transmission of a computer virus into or from the organisation’s computer system to actually prevent any of the foregoing events.
  • Denial of Service – Denial of service means the inability of a third party, who is authorised to do so, to gain access to the organisation’s computer system through the internet in a manner in which the third party is legally entitled.

Consequences and other implications of Cyber Attacks – First Party Loss:

Cyber attacks could lead to property loss (including laptops), disclosure of confidential data (data pertaining to clients, the company’s own financial and other confidential data, sensitive HR data relating to employees), corruption or loss of an organisation’s systems or data, and corruption or loss of third party systems or data, thereby resulting in:

  • Suspension of activities leading to Business Interruption Losses
  • Regulatory actions including fines and penalties and increased supervision from Government authorities thereafter.
  • Notification expenses
  • Significant other costs such as Forensics costs (to investigate the Security breach), Public Relation costs, Crisis communication costs and consultancy costs.

Consequences and other implications of Cyber Attacks – Liability

Lawsuits from people affected by the breaches, leading to legal and defense costs and ultimately settlements, alleging a number of violations including:

  • Negligence
  • Breach of warranty
  • Failure to protect data
  • Failure to disclose defects in products or services regarding capabilities of protecting data
  • Unreasonable delay in remedying suspension of service or loss of data
  • Violations of various applicable state/federal laws
  • False advertising

Cyber Insurance covers the following broad categories of losses and expenses likely to be suffered after a cyber attack.

First party losses

  • Damage to property
  • Data restoration costs
  • Forensic costs
  • Business interruption losses

Regulatory actions

  • Costs to investigate, defend, and settle awards including *fines and penalties that may be imposed by a regulator

(* allowed depending upon admissibility of the same in various jurisdictions)

Crisis management costs

  • Investigation
  • Public relations
  • Customer notification
  • Credit Monitoring
  • Extortion rewards and payments

Liability claims

  • Defence costs
  • Awards
  • Out of court settlements

While liability from cyber risks may arise from various sources/legislations, in the Indian context the Information Technology (IT) Act 2000, the Information Technology Amendment Act 2008 and personal data protection legislation (the Personal Data Protection Bill, 2018 is yet to be passed by Rajya Sabha) merit attention.

As in the case of other insurance policies, a Cyber insurance policy also has extensions and exclusions which need to be clearly understood before the commencement of cover so as to avoid contract unpredictability.

(The information contained and ideas expressed herein represent only a general overview of the subject covered. It is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insurance buyers should consult their insurance and legal advisers regarding specific coverage and/or legal issues.)