Will Personal Cyber Insurance Cover Phishing, Hacking And Stalking?
About 19 crore individuals, or two of every five Indians using the internet, have been victims of cybercrime in 2017, according to the Norton Cyber Security Insights Report released in July this year. That’s 24 percent more than individuals in the U.S. who faced similar threats.
And yet, India’s total cyber liability insurance premium size is just 1.6 percent of America’s, at $30 million. And within that, cyber insurance for individuals accounts for almost nothing. “Personal cyber insurance is less than 1 percent of the overall cyber liability insurance market in India,” Kapil Mehta, co-founder, and chief executive officer of insurance broking firm SecureNow, told BloombergQuint. “But that ratio would go up as awareness about personal cyber insurance increases.”
The problem is not just the demand; the supply is limited as well. Indians lost $18.5 billion to cyber crime in 2017, according to the Norton report, compared with $19 billion lost by U.S. citizens. And yet only two insurance companies—Bajaj Allianz General Insurance and HDFC ERGO General Insurance—offer personal cyber risk covers in the country.
The personal cyber insurance policies available in India mainly cover,
- Financial losses due to extortion, phishing/e-mail spoofing and unauthorised online transactions.
- Litigation costs (defence/prosecution) against a third party
While HDFC ERGO’s policy is priced between Rs 1,410 and Rs 14,273 based on the sum assured, the Bajaj Allianz policy could cost anywhere between Rs 662 and Rs 8,933.
The insurance process, for specified events listed under these policies, kicks in once the cyber crime is reported to the police. Under the terms of HDFC ERGO, the complaint must be filed with 72 hours of detection of the crime. Bajaj does not specify a time frame but requires that a First Information Report be filed for the claim to proceed.
Also, no cyber crimes or connected pending legal proceedings before the policy comes into effect are covered. At a time, only one specified event with the highest sub-limit is covered. Identity theft and reputation damage on a non-digital medium (in print, television or radio) or caused by a journalist, are also not covered under these policies.
In computing legal costs, HDFC ERGO doesn't include incidentals such as transportation to court. Bajaj does.
Here are a few instances of claims that can be made under such policies...
Illustration 1: X discovers her private photographs and information are leaked on the internet. X lodges an FIR with police soon after. From there, X goes on to file the insurance claim.
- If the insurer is HDFC ERGO, up to 25 percent of X’s total cost—for appointing an IT expert to remove or suppress the content and for counselling sessions with a psychiatrist, will be insured. If X decides to file a court case, all the legal expenses—for advice and proceedings—will also be fully covered.
- This instance is not covered by Bajaj Allianz General Insurance.
Illustration 2: X has a Facebook account that is hacked by an impersonator who then puts up objectionable posts using X’s account. The impostor may also message X’s friends and make inappropriate comments on their posts.
- If X is covered by HDFC ERGO, up to 25 percent of the total liability for hiring an IT expert to remove the posts or the account, along with the counselling sessions (up to 10 percent within the 25 percent sub-limit) will be covered. Also, if a third party files a case against X for posting inappropriate content, all legal defence costs to fight the case or to challenge a wrongly entered civil or criminal judgment, will be paid for.
- If Bajaj Allianz General is X’s insurer, up to 10 percent of the total cost—legal expenses for prosecution/defence, transportation for court summons, photocopying of documents, and counselling, will be covered. Hiring an IT expert is covered separately for up to a fixed amount based on the sum assured.
Illustration 3: X’s data is stored by a company on certain agreed conditions. The data, however is sold/leaked to another company without X’s knowledge.
- HDFC ERGO doesn't cover such privacy/data breach incidents.
- If X is insured by Bajaj Allianz, once the company publicly owns up to the data breach, up to 10 percent of all legal expenses, transportation costs for court summons, photocopying of documents and counselling, will be covered. Hiring an IT expert is covered separately for up to a fixed amount based on the sum assured.
Illustration 4: X gets a message about online purchases made from her debit/credit card. X blocks the debit/credit card but the amount is not reversed to the bank account.
- If X is insured with HDFC ERGO, the financial loss stands covered if the bank doesn’t reverse the transaction. The policy also covers all legal expenses, costs to resolve the breach and for any unpaid leaves taken from work to rectify the transaction records. For cases of malware attacks, up to 10 percent of the data restoration costs are insured as an add-on cover, along with full legal expenses and financial losses.
- Bajaj Allianz also covers up to 25 percent of the financial losses, legal and financial costs incurred due to the illegal transaction. The insurer also covers unauthorised access/malware attacks on X’s personal computer that result in deletion or alteration of his/her data. In case of data loss due to illegal access, data restoration costs are covered as part of the policy.
Illustration 5: X receives an email offering her a job. The email asks for her personal information and credit card details. X finds out after sending the details that the email was fraudulent. This is an instance of phishing.
In another instance, X gets a fraudulent email, in which the sender address is forged to make it seem like it’s from a legitimate source. This is a case of e-mail spoofing.
- The HDFC ERGO policy, in both instances, would cover the legal and financial cost for up to 15 percent due to phishing and 25 percent cost due to e-mail spoofing.
- Bajaj Allianz would also cover the legal and financial expenses for up to 15 percent for phishing and 25 percent for e-mail spoofing. Even transportation costs for court summons, photocopying of documents and counselling, will be insured. Hiring an IT expert is covered separately for up to a fixed amount based on the sum assured.
Illustration 6: In May 2017, Wannacry ransomware infected about 2 lakh computers in 150 countries by encrypting data and demanding ransom payments. That is online extortion.
X posts a video of him eating beef, and gets trolled online. X also gets threatening messages from right-wing organisations. That is cyber-bullying/harassment.
X repeatedly gets threatening messages from an individual/organisation—that is cyber stalking.
- Apart from full legal costs, HDFC ERGO covers up to 25 percent of the expenses to engage IT security consultants for investigation, removal of ransomware and data recovery. In case, data recovery is not possible, the insurer would cover 25 percent of the ransom amount with prior consent. For cyber bullying/harassment, 10 percent of the counselling costs are covered, along with full legal expenses. All the cyber bullying and extortion policies by HDFC ERGO have a cooling period of 45 days from when the policy starts, which means no claim could be made during that period.
- Bajaj Allianz covers 10 percent of the legal and counselling costs, along with any financial losses for cyber stalking and cyber extortion.
“Even though retail cyber risk cover is a futuristic product, the existing policies in the market need to be simpler and marketed better,” Sanjay Kedia, country head and chief executive officer of Marsh India Insurance Brokers Pvt. Ltd., a top broking firm in the country, said. People are still unclear about policy inclusions, exclusions, sub-limits under the policy and the claim process, he pointed out.
Nevertheless, Marsh India expects cyber insurance purchase to grow at 30-40 percent annually over the next three-five years.