With online frauds on the rise, the Insurance Regulatory and Development Authority of India (Irdai) has advised insurance firms to expand the coverage of individual cyber cover by including card cloning, skimming, small claims without FIR (first information report), worldwide jurisdiction, online shopping frauds and a host of other issues.
“Insurers may offer options for worldwide territory. Jurisdiction for claims settlement should be India,” Irdai said in the guidance document on product structure for cyber insurance. Territory and jurisdiction are currently restricted to India in most policies. “A number of syndicated frauds originate from outside India — phishing, ransomware and malware attack — and cyber insurance clauses may or may not be clear on the coverage in this regard,” it said.
According to the Irdai document, FIR is a critical requirement to assess claims and hence can’t be fully dispensed with. However, for small claims up to Rs 5,000, insurers may ask for an e-complaint lodged at the National Cyber Crime Reporting Portal.
It said unsolicited communications, which are also excluded from the scope of cover in many insurance policies, can be included. This is one of the major reasons for cyber-related losses, leaving the individual uninsured, Irdai said.
“Sim-jacking, card cloning, skimming coverage is not available currently in the market while the same is a major reason for loss in India. Insurers could offer coverage for such losses,” the Irdai document said.
Online shopping frauds, such as when an individual has bought an item but not received the goods, or has sold something that has left their custody but has not received the payment, are not covered, or only very small coverage is available, Irdai said, adding, “insurers could offer limited coverage for such losses.” However, for example, non-delivery of goods ordered from a merchant or non-receipt of premium while goods are delivered are prima facie business risks and cannot be classified under cyber coverages unless resulting directly from cyber-related events.
Cyber insurance policies generally exclude coverage for damaged computer hardware.
“While malicious software may be removed, hardware may also require replacement. Here, coverage provides for the cost to replace such affected hardware. Insurers could offer coverage for such losses,” it said.
“General insurers who have already developed some cyber insurance products with exclusive coverage for individuals to protect against cyber perils and currently offering the products that mainly focussed on commercial business, may review the product structure based on the coverages advocated in the document,” Irdai said. The Irdai Working Group, after conducting wide consultations with various stakeholders and after internal deliberations, concluded that standardisation of policy wording is not desirable at this juncture.
This is because of the evolving nature of legislative frameworks in dealing with cyber risk, the fast-growing digital ecosystem, increasing interconnectedness globally, the complexity of IT systems and the emergence of new risks, the document said.
According to Irdai, the legal framework for cyber liability is also evolving. Every person, be it an individual or an entity, is expected to exercise a duty of care to secure the data that he comes to possess, and to ensure that access to such data is not gained by unauthorised users. “Should there be a breach in this duty, a cyber liability could arise. Regardless of whether the breach resulted in a financial loss to the person whose data is compromised, a breach of duty in cyber could result in grave legal and financial consequences,” it said.
As per Swiss Re’s global survey, the top four cyber risk scenarios that people worry about most are: illicit access of financial credentials; identity theft; data loss due to a technical issue; and illicit publication of personal data.
Some of the ways financial fraud can be perpetrated are phishing or spoofing attacks, malware or spyware, SIM swap (original SIM gets cloned and becomes invalid, and the duplicate SIM can be misused to access the user’s online bank account to transfer funds), credential stuffing (compromising devices and stealing data), man-in-the-middle attacks during online payments or transactions, identity theft, card cloners or readers at ATMs, and something as simple as impostors calling up unsuspecting individuals and asking for their personal banking details, Irdai said.