India Update: IRDAI’s guidance document on cyber insurance policies – an analysis
19/10/2021

On account of an unprecedented increase in cybercrimes since the advent of the Covid-19 pandemic, the Insurance Regulatory and Development Authority of India (the “IRDAI”) has recently released a guidance document on the product structure for cyber insurance policies (the “Guidelines”), focusing on cyber insurance products targeting individuals.
Cyber insurance in India
Cyber insurance is an insurance policy to protect policyholders from cybercrimes and is primarily targeted towards individuals (as opposed to organisations). Cyber insurance is offered in India, both as a standalone product and an add-on coverage to traditional policies, such as insurance covers for property. It can include coverage for first-party liabilities (i.e., liabilities borne as a direct result of the incident) as well as third-party liabilities (i.e., liabilities incurred as a result of litigation by alleged injured parties).
The salient features of an individual cyber insurance policy include protection against theft of funds, identity theft cover, social media cover, cyberstalking/bullying, malware cover/data restoration cost, phishing cover, unauthorized online transaction, e-mail spoofing, media liability claims cover, cyber extortion cover and data breach cover.
Recommendations to improve the currently offered cyber insurance product
The IRDAI has provided the following recommendations to address gaps in cyber insurance products currently offered by insurers:
- In respect of small claims up to INR5,000 (approx. US$68), insurers may ask for e-complaints lodged at the National Cyber Crime Reporting Portal, instead of asking policyholders to file a first information report (FIR) with the police.
- The policy can extend coverage for instances which are usually excluded, such as unsolicited communications, damaged computer hardware (known as bricking), sim-jacking, card cloning and skimming.
- Insurers can offer options for worldwide territory (with the jurisdiction for claim settlement being in India), to tackle syndicated frauds originating outside India.
- Insurers can offer limited coverage for online shopping frauds. The Guidelines clarify that the non-delivery of goods ordered online from merchants or non-receipt of payments when goods are sold by individuals online are prima facie business risks and cannot be classified under cyber coverages unless resulting directly from cyber-related events.
- A cyber-attack usually targets multiple web users/content users. However, the cyber insurance policies usually define cyber-attack/cybercrime as “targeted intrusion into the individual’s system,” leaving the individual uninsured due to this restricted definition. The IRDAI has suggested the use of wider language such as “unauthorised access,” which would indicate that the intrusion may or may not be targeted towards an individual’s system.
- Claims are usually only admissible when the insured beneficiary is completely innocent. Typically, gross negligence is excluded from coverage, and individuals are expected to exercise due diligence, care, and reasonable precautions to protect their identity and personal details on the internet. In this regard, the IRDAI has suggested using more explicit language, which excludes claims on account of “deliberate, criminal, fraudulent, dishonest or malicious act or omission of insured beneficiary.” Further, the exclusion should be triggered only when the negligence has directly caused the loss.
Other suggestions by the IRDAI
In order to popularize cyber insurance policies, the IRDAI has made the following suggestions to insurers:
- launch awareness campaigns to educate consumers;
- use simple wording for policy drafting and ensure that the claim process is easy to understand and implement;
- disseminate information about claim settlements without breaching confidentiality requirements;
- offer group policies, including affinity policies (where insurance is targeted to a particular community, niche market or class, representing a group of similar needs or risks that require products designed and priced for those risks);
- offer cyber insurance as a part of a package policy with other components; and
- offer a base version of the policy at an affordable premium and then give the customer an option to choose additional covers.
The Guidelines also prescribe practical Dos and Don’ts for policy buyers to safeguard themselves from cyber-security breaches, such as installing anti-virus, using virtual private networks, and not clicking on links from unknown sources.
Lastly, the Guidelines provide for a model insurance policy. However, given the evolving nature of cyber threats, the IRDAI has recognised that the standardisation of a cyber insurance policy is not desirable.
Our comments
With the rapid advancement of technology, cyber threats have increased manifold and in innovative ways as well. Given this, in our view, the IRDAI has correctly assessed that a “one size fits all” approach cannot be taken for cyber insurance products, and insurers have to tailor their policies on the basis of the need of the hour. The Guidelines are a good starting point and will provide guidance to insurers to improve their products for the enhanced benefit of policyholders.
By Amrit Mehta, Majmudar & Partners, India, a Transatlantic Law International Affiliated Firm.
For further information or for any assistance please contact india@transatlanticlaw.com
Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.