Fintech

Considering FinTech Services? Don’t sleep on Cyber Insurance

As enterprises are shifting their databases and information to the cloud, the risk to tangible assets get smaller, and IT system and other related tech threats increase massively. The rising number of cyber frauds over the past few years in India is the biggest threat to most of the business entities, specifically to financial institutions, which includes banks and NBFCs (Non-Banking Financial Institutions). Banks/Financial Institutions have been building a robust cyber mechanism to detect and thwart cyber attacks. However, with all these checks and balances, they still can only minimize and not avoid financial losses. As no defense mechanism is full proof, it becomes necessary to transfer the risk through Cyber Liability Insurance or commonly known as Cyber Insurance Policy.

Growing reliance on Financial Technology (FinTech)

Financial technology or fintech is relatively a new industry in India, and the term was initially applied to the technology employed at the back-end systems of established financial institutions. ​It has however since then grown exponentially and shifted to more consumer-oriented services. Fintech now includes different sectors and industries such as education, retail banking, fundraising and nonprofit, investment management and especially Non-Banking Financial Companies (NBFCs).

Since financial technology companies (Fintech Companies) provides financial services to other companies on digital platforms with the help of various cutting edge technologies and software support, there is a lot of sensitive data stored digitally.

Considering the direct involvement of general public transacting with Banks/NBFCs, it is their responsibility to prevent loss of personally identifying information (PII), transactional information of its customers, and company’s private sensitive data. It is essential to have an efficient and effective response in case of such losses.

What is Cyber Insurance, aka Cyber Liability Insurance?

General Insurance policies, in their traditional form, tend to cover only “tangible” assets. While growing exposure has shown how electronic data does not always fall under the definition of tangible assets, leaving a lot of companies valuable information unprotected and unguarded. It is here that cyber insurance comes in to fill the gap. 

A Cyber Insurance Policy, also referred to as Cyber Risk Insurance or Cyber Liability Insurance Coverage (CLIC) helps an organization/company to mitigate the risk of loss should a significant security breach occur. The objective of cyber insurance, as any other form of insurance, is to minimize the risk and simultaneously provide some redressal to the aggrieved party.

Who should buy Cyber Insurance?

What is the scope of Cyber Insurance?

Cyber Insurance in India usually offers comprehensive cover related to third party claims, such as liability for losses caused due to errors and omissions, failure to safeguard data or defamation; as well as first-party expenses in case of data destruction, extortion, theft, hacking and denial of service attacks.

First-party Coverage

First-party coverage protects the insured company in any kind of loss whether caused by it or someone else. Following events/occurrences can be said to fall under first-party coverage of cyber policy:

• Cost of notifying customers that the information is compromised and changing such records.
• Credit monitoring services for customers affected by such data breach.
• Cyber extortion when the extortionist holds data hostage or threatens an attack. A recent example being ‘Ransom-ware’.
• Business interruption loss, i.e. loss of business profit due to unavailability of services arising out of unauthorized access or cyber attack
• Professional Fees for advice and support from a public relations consultant/crisis management consultants, to mitigate or prevent damage to the bank’s reputation as well individuals, e.g. Bank’s Chairman, Directors and employees due to a cyber-attack or data breach.
• Professional Fees of forensic cyber risk specialists to investigate the causes of breach; understand its impact and deploying measures to prevent a similar lapse in the future.

Third-party Coverage

Third-party coverage provides protection to the bank against the claims of the third party in the following instances:

• Infringement of intellectual property rights by the company.
• System security failures resulting in harm to third-party systems.
• System security failure resulting in system/services being unavailable to customers.
• Defamation, disparagement of products or services and invasion of privacy.
• Settlements made, damages paid and penalties deposited due to any breach.

Apart from these, the insurance policy also covers:

• Regulatory fines and penalties including Payment Card Industry fines.
• Defense costs incurred in defending any claim brought by a third party including – government agency or licensing or regulatory organization.
• Unauthorized access to personal data or corporate information or dissemination of such information on the internet without the consent of the owner.

What is not covered under Cyber Insurance Policy?

While considering a Cyber Insurance Policy, the company should keep in mind the scope of the specific policy being offered by the insurance company and what all will be covered under it. However, there are certain standard major exclusions in every policy such as:

Benefits of Cyber Insurance

Risk Assessment by insurance companies when offering cyber insurance

The insurance companies providing cyber insurance decide on the premium after doing a risk assessment of the company/organization willing to buy such a policy. This assessment can also be used by the company itself to evaluate the need for Cyber Insurance. A few such factors considered during the said assessment are:

• How robust is the organizations’ defense and controls to fend off cyberattacks after due diligence of its vulnerability to such cyber threats?
• Track records of incidents and previous claims 
• The type, context, and volume of data/information handled by the company/organization.
• Training and oversight of employees and their education in the form of security awareness, especially for phishing and social engineering.

• The measures are taken to secure electronic devices that carry sensitive data. And the level of encryption of sensitive data stored.
• Costs of computer forensic investigation based on the company size and sector.
• Cost of civil litigations and criminal investigation considering the jurisdiction in case of a dispute.
• Crisis management and customer notification expenses based on the reach and goodwill of the company in the market.

Conclusion

Cyber risks change frequently, and organizations tend to underplay the full impact of a breach to avoid negative publicity and erosion of consumers’ trust in the company. In this light, the cyber insurance market is still evolving. However, any organization that stores and maintains customer information or collects online payment information, or is cloud dependant, should consider adding cyber insurance to its budget. It is essential to consider the edge of cyber insurance cover over general liability insurance covers which usually don’t cover ‘data’ under the material, bodily or property damage or theft. Cyber insurance can fill many of the gaps in traditional insurance, as well as provide substantial first and third-party covers relating to the cyber breach.

Also Read: Steps Taken by RBI to Develop Fintech