The marvellous achievements in the information technology space have also brought along with them attendant threats significantly affecting various facets of the business operations.

One of the greatest gifts of human efforts working towards improvement of technology is the introduction of Internet which has changed the way the world operates. But, it also has proven to be a dangerous place exposing businesses to cyber risks emanating from cyber attacks which have the potential to significantly affect businesses. Cyber risk has become a leading issue for many organizations in an increasingly harsh legal and regulatory environment.

Cyber attack is an attempt by hackers to damage or destroy a computer network or system or exploit its vulnerabilities. Cyber attack means unauthorised access, unauthorised use or transmission of a computer virus which alters, copies, misappropriates, corrupts, destroys, disrupts, deletes or damages the organisation‘s computer system causing losses to the victim organisation and/ or may result in Failure of Security or Denial of Service.

  • Failure of Security – Failure of security means failure of the organisation’s hardware, software or firmware (including firewalls, filters, DMZs, computer virus protection software, intrusion deletion or theft and the electronic use of passwords or access codes or similar identification of authorised users) whose purpose is to prevent a computer attack, unauthorised access, unauthorised use and/or disclosure of confidential or private information and/or the transmission of a computer virus into or from the organisation’s computer system to actually prevent any of the foregoing events.
  • Denial of Service – Denial of service means the inability of a third party, who is authorised to do so, to gain access to the organisation’s computer system through the internet in a manner in which the third party is legally entitled.

Consequences and other implications of Cyber Attacks – First Party Loss:

Cyber attacks could lead to property loss (including laptops), disclosure of confidential data ( data pertaining to clients, the company’s own financial and other confidential data, sensitive HR data relating to Employees) corruption or loss of an organisation’s systems or data, corruption or loss of third party systems or data thereby resulting in :

  • Suspension of activities leading to Business Interruption Losses
  • Regulatory actions including fines and penalties and increased supervision from Government authorities thereafter.
  • Notification expenses
  • Significant other costs such as Forensics costs (to investigate the Security breach) Public Relation costs, Crisis communication costs and consultancy costs.

Consequences and other implications of Cyber Attacks – Liability

Law suits from people affected by the breaches leading to legal and defense costs and ultimately settlements alleging a number of violations including:

  • Negligence
  • Breach of warranty
  • Failure to protect data
  • Failure to disclose defects in products or services regarding capabilities of protecting data
  • Unreasonable delay in remedying suspension of service or loss of data
  • Violations of various applicable state/federal laws
  • False advertising

Cyber Insurance addresses covers the following broad categories of losses and expenses likely to be suffered after a cyber attack.

First party losses Regulatory actions Crisis management costs Liability claims
  • Damage to property
  • Data restoration costs
  • Forensic costs
  • Business interruption losses
  • Costs to investigate, defend, and settle awards including *fines and penalties that may be imposed by a regulator


(* allowed depending upon admissibility of the same in various jurisdictions)

  • Investigation
  • Public relations
  • Customer notification
  • Credit Monitoring
  • Extortion rewards and payments


  • Defence  costs
  • Awards
  • Out of court settlements

While liability from cyber risks may arise from various sources/ legislations, in the Indian context the Information Technology (IT) Act 2000  Information Technology (IT) Act 2000 and Information Technology Amendment Act 2008 and Personal data protection legislation(  The Personal data protection bill, 2018 is yet to be passed by Rajya Sabha) merit attention.

As in the case of other insurance policies, this Cyber insurance  policy also has extensions and exclusions which need to be clearly understood before the commencement of cover so as to avoid contract unpredictability.

(The information contained and ideas expressed herein represent only a general overview of subject covered. It is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Insurance buyers should consult their insurance and legal advisers regarding specific coverage and/or legal issues)