Everyone, from large enterprises to small businesses and even individuals, is vulnerable to cyberattacks, data breaches, and other forms of online threats. A robust cyber insurance policy can help mitigate the financial losses associated with such risks. However, with several insurance providers offering varied plans, choosing the right cyber insurance policy in India can take time and effort.
According to a Deloitte report, India's cyber insurance market is currently worth around $50-60 million and is expected to skyrocket, with a compound annual growth rate (CAGR) of 27-30% over the next 3-5 years. On a global scale, the cost of cybercrime is projected to jump from $9.22 trillion in 2024 to a massive $13.82 trillion by 2028, as per Statista. This rapid growth highlights just how critical cyber insurance is becoming in today's digital world.
However, with each new tech breakthrough comes a fresh wave of challenges. As the industry evolves, so do the risks, making it harder for insurance companies and regulators to keep up with the ever-growing threat of cyberattacks. While technology is driving the industry forward, the risks that come with it can’t be ignored.
Benefits of Cyber Insurance
- Covers Costs: It helps pay for expenses related to cyberattacks, like fixing damaged systems, recovering lost data, and paying fines or legal fees.
- Helps Your Business Keep Running: If a cyberattack disrupts your operations, cyber insurance can cover the loss of income and help your business get back on its feet faster.
- Protects Your Reputation: After a cyberattack, it can pay for services to manage public relations and help rebuild trust with your customers.
- Helps with Legal Issues: If someone sues your company because of a data breach, cyber insurance can help pay for your legal defense and any settlements.
- Guides on Better Security: Many insurers provide advice and services to help you improve your cybersecurity and prevent future attacks.
- Pays Others Affected by a Breach: If a cyber breach affects other people or businesses, your insurance can help pay for their losses.
- Quick Expert Help: If you have a cyber incident, the insurance can quickly bring in experts to help manage the situation and limit damage.
How Do You Pick The Right Cyber Insurance Policy?
Let’s break it down and make the process as straightforward—and data-backed—as possible.
Know Your Cyber Risk Profile:
Before diving into the insurance hunt, you need to know what a cyber risk profile is. A cyber risk profile is like your digital fingerprint: it's a snapshot of how vulnerable you or your business are to online threats. It takes into account factors like the type of data you handle, the software and systems you use, and how much of your operations are online. Think of it as your personalized “risk score” that helps you understand where cyberattacks might hit and how severe the impact could be.
For individuals, the risks range from online banking fraud to identity theft. So, whether you’re a business or an individual, assessing your digital footprint is the first crucial step.
Scrutinize the Coverage:
Cyber insurance isn’t a one-size-fits-all product. The scope of coverage varies significantly from one policy to another. But here’s what you should ensure your policy covers:
- First-Party Losses: This refers to the direct financial losses you incur. For businesses, this could mean costs associated with data recovery, business interruption due to system downtimes, or even ransomware payouts. According to a report by Check Point, ransomware attacks surged by 93% in India during the past year. So, make sure your policy includes coverage for cyber extortion.
- Third-Party Liabilities: A key area of protection, especially for businesses, is liability for third-party claims. If a cyber incident results in a customer’s or partner’s data being compromised, legal suits could follow.
Don’t Overlook Exclusions:
Every policy has exclusions, and ignoring these could leave you vulnerable. Before signing anything, go over these exclusions carefully. A study says that 24% to 27% of cyber insurance claims in 2023-2024 were either partially paid or denied due to exclusions in the policy. Common reasons for claim rejections include:
- Policy Exclusions: Specific risks not covered by the policy can block payouts.
- Failure to Meet Conditions: Businesses may fail to comply with requirements like timely incident reporting or security protocols.
- Unapproved Vendors: Using vendors not approved by the insurer can invalidate claims.
- Late Notice: Delayed reporting of incidents may lead to denial of coverage.
- Event Pre-dating Policy: If the cyber event occurred before the policy period, the claim could be rejected.
Check the Coverage Limits:
Another crucial factor is how much protection you’re buying. The coverage limit is the maximum amount the insurer will pay for a claim. For small businesses, a lower coverage limit may suffice, but larger companies handling vast amounts of sensitive data might need something more robust. Don’t forget to check if the policy has sub-limits—specific caps for areas like legal costs or data recovery. This is especially important if you operate in sectors like healthcare or finance, where data breaches can lead to costly lawsuits and regulatory fines.
Deductibles: How Much Are You Willing to Pay?
A deductible is the amount you’ll have to pay out-of-pocket before the insurance kicks in. It’s tempting to go for a higher deductible to lower your premium, but tread carefully. Ask yourself: how much can your business (or personal finances) absorb before you expect help from the insurer? Lower deductibles mean less financial strain during an incident but higher premiums, while higher deductibles could make the policy more affordable but leave you vulnerable when it matters most.
For example, if a ransomware attack disrupts your operations for a week, and your deductible is too high, you could end up paying out-of-pocket for significant downtime and data restoration expenses before your insurance steps in.
Research the Insurer’s Claim Settlement History:
No matter how great a policy looks on paper, it’s only as good as the company behind it. The claim settlement ratio, the percentage of claims settled versus the total claims filed, is a critical indicator of an insurer’s reliability. A higher ratio means the company is more likely to approve claims. Check online reviews and customer feedback to see how quickly they process claims and if their customer service is up to par.
Explore Add-Ons for Specialized Protection:
Many insurers offer add-ons that provide specialized coverage for specific risks. Some common and useful add-ons include:
- Regulatory Fines: Given that India's Data Protection Bill is on the horizon, having coverage for penalties is becoming increasingly important.
- Reputational Damage Control: Cyberattacks can severely damage your brand image. This add-on could cover the cost of PR services to manage public perception and rebuild trust.
- Cybercrime: Coverage against losses from fraud or online theft, which can be especially useful for businesses operating e-commerce platforms.
Balance Premiums with Coverage:
It’s tempting to focus solely on the premium when selecting a policy. However, it’s important to weigh the cost against the coverage you’re getting. A lower premium might seem attractive, but if the policy leaves you underinsured, you could end up paying much more when disaster strikes.
Consult a Cyber Insurance Expert:
Finally, don’t hesitate to consult an expert. Cyber insurance policies can be complex, and navigating the fine print is easier with a professional who understands the nuances of the industry. They can guide you to the best policies for your specific needs and ensure you don’t miss any critical areas of coverage.
5 Common Reasons for Cyber Insurance Claim Rejections:
- Insufficient Documentation: Many claims fail due to a lack of proper documentation. Insurers require detailed proof of the incident, steps taken, and associated costs. Without timely, thorough records, your claim is at risk. However, the Insurance Regulatory and Development Authority of India (IRDAI) issued a new circular in June 2024. According to the circular, no claim shall be denied on the grounds of insufficient documentation. It states that necessary documents must be requested during the underwriting process of the proposal. Customers may only be required to submit documents that are essential for the settlement of their claims, particularly if cashless options are not available.
- Lax Cybersecurity Practices: If your organization doesn’t follow basic cybersecurity measures, insurers may deny your claim, citing negligence. Ensure you meet security standards by implementing robust controls and keeping your systems up to date.
- Undisclosed Vulnerabilities: Claims can be rejected if the insurer discovers pre-existing security gaps that weren't disclosed during the policy purchase. Be transparent about your cybersecurity posture to avoid this pitfall.
- Overlooked Policy Exclusions: Certain risks, like nation-state attacks, may not be covered. It's essential to review your policy thoroughly and understand what’s excluded so you don’t face any surprises when filing a claim.
- Fraudulent Claims: Attempting to exaggerate or fabricate a cyber incident can lead to immediate claim denial, and even legal consequences. Always stay honest and accurate in your claims.
Top 14 Exclusions in Cyber Insurance Policy:
- Known Matters: Any event or situation you were aware of before your policy started? Not covered!
- Deliberate or Reckless Conduct: Losses from dishonest or reckless actions by key personnel are off the table. This doesn't apply to defense costs unless wrongdoing is proven.
- Contributed Loss: If you ignore reasonable recommendations from your response teams, you can kiss that claim goodbye!
- Inadequate System Security: Failing to promptly address known vulnerabilities or not backing up your data could lead to denied claims. Keep those systems secure!
- System Enhancement: Enhancing your systems beyond their state before the attack? Not covered, unless the hardware or software is unavailable.
- Infrastructure Failure: Failures in electrical or mechanical systems are generally not covered unless they directly affect your outsourced systems or power supply.
- Compliance Gaps: Missing compliance measures for data protection? Your policy won't cover the costs—except for specific notification or monitoring expenses.
- Contractual Liability: Liabilities taken on contractually that exceed your standard obligations won’t be covered, except for specific PCI penalties.
- Insolvency: If your business or a service provider goes bankrupt, don’t expect coverage for that.
- Inadequate Services: Claims related to poor professional services or product quality won't be covered unless tied to a data breach.
- Bodily Injury and Physical Damage: Cyber insurance doesn’t cover any bodily injury or physical damage claims.
- Government or Regulator Action: Claims from government actions that disrupt your operations are excluded—unless they result from a cyberattack against you.
- War and Terrorism: Acts of war or terrorism are not covered, so be aware!
- Related Parties: Claims brought by related parties, like shareholders or subsidiaries, are not covered under your policy.
Conclusion
In an age where many Indian businesses have experienced at least one cyberattack, cyber insurance is no longer a luxury—it's a necessity. By understanding your risk profile, assessing the scope of coverage, evaluating deductibles, and carefully researching insurers, you can select a cyber insurance policy that offers strong financial protection against the escalating threat of cybercrime.
Don’t wait until it’s too late. A solid cyber insurance policy can be the safety net you need in a world where data is the new currency, and protecting it is more important than ever.