
Irdai panel proposes norms for rising ‘silent cyber risks’

The cyber insurance product is in a development phase, and standardisation of cyber policy wordings for individuals may hamper the development of this product in the Indian market.

Written by George Mathew | Mumbai | January 27, 2021 3:00:09 am
Working group says no to standardised cover for now.

With unknown cyber risks on the rise, the Working Group, set up by the Insurance Regulatory and Development Authority of India (Irdai), has proposed detailed regulations to address the issue.

“Insurers may place this matter (silent cyber issue) high on the agenda and address this problem sooner than later,” the committee said in its report. In simple words, silent cyber is the unknown exposure in an insurer’s portfolio created by a cyber peril, which has not been explicitly excluded or included. This is also known as “unintended” or “non-affirmative” cyber coverage.

“Cyber exposure is a concern for all underwriters. Cyber affirmative and silent covers are scattered in many different products beyond standalone ones. Cyber risk permeates all classes of insurance without boundaries of industries,” it said. With technology improving and digital business expanding, silent cyber risks, especially in the banking sector, have also increased.

A cyber event can trigger losses across various lines of insurance: property damage and business interruption resulting from computer systems failure or a virus under property insurance; siphoning of money through phishing under crime insurance; product liability or recalls arising from security vulnerabilities under product liability/recall insurance; breach of contract or negligence claims under E&O (technology errors and omissions) insurance; and managerial negligence under D&O (directors and officers) insurance. Cyber risks involving unknown developments through debit and credit cards, mobile phones and online deals have raised concerns for insurers and the insured.

Further, the working group said many property and liability insurance policies were designed when cyber wasn’t perceived as a major risk. These policies often did not explicitly mention cyber coverage. While the insurance fraternity debated this issue as part of its regular review of operations, albeit at a low volume, the devastating NotPetya attack and other high-profile cyber security events in the recent past have placed the issue high on the agenda for the insurance industry.

“Having recognized the need to avoid assumption of unintended exposures or losses, insurance regulators have also expressed concerns about lack of certainty in policy coverage and inadequate risk assessment, in response market has engaged a clarification process,” it said.

The working group said it is neither desirable nor possible to standardise the cover at this juncture. “Nevertheless, insurers can build in certain minimum covers as a part of individual cyber insurance. The attached model policy wording can be considered by the insurance industry as a reference point to provide minimum basic coverage,” it said.

The cyber insurance product is in a development phase, and standardisation of cyber policy wordings for individuals may hamper the development of this product in the Indian market. It is important now to focus on popularising the cyber insurance product, making it easier for insurers to adapt the product to customer requirements, and continuing to enrich the customer’s experience and protection, the panel said.

It said some of the ways financial fraud can be perpetrated are phishing or spoofing attacks, malware or spyware, SIM swap (original SIM gets cloned and becomes invalid, and the duplicate SIM can be misused to access the user’s online bank account to transfer funds), credential stuffing (compromising devices and stealing data), man-in-the-middle attacks during online payments or transactions, identity theft, card cloners or readers at ATM machines and, as simple as it sounds, imposters calling up unsuspecting individuals and asking for their personal banking details.

The safety of bank accounts and debit and credit cards lies with the customer as well as the concerned bank. Taking cognizance of complaints related to unauthorised transactions, the RBI in July 2017 reviewed the criteria for determining customer liability in such cases and issued some directions. The RBI has also set forth the situations that establish the liability of a customer.
