IRDAI panel proposes norms for rising ‘silent cyber risks’

Working Group on Cyber Security formed by IRDAI, has proposed detailed recommendations.

“Insurers may place this matter (silent cyber issue) high on the agenda and address this problem sooner than later,” the committee said in its report. In simple words, silent cyber is the unknown exposure in an insurer’s portfolio created by a cyber peril, which has not been explicitly excluded or included. This is also known as “unintended” or “non-affirmative” cyber coverage.

“Cyber exposure is a concern for all underwriters. Cyber affirmative and silent covers are scattered in many different products beyond standalone ones. Cyber risk permeates all classes of insurance without boundaries of industries,” it said. With technology improving and digital business expanding, silent cyber risks, especially in the banking sector, have also increased.

A cyber event can trigger losses across various lines of insurance – property damage and business interruption, resulting from computer systems failure or virus under property insurance, siphoning money through phishing under crime insurance, product liability or recalls from security vulnerabilities under product liability/ recall insurance, breach of contract or negligence claims under E&O (technology errors and omissions) insurance and for managerial negligence under D&O (directors and officers) insurance. Cyber risks, involving unknown developments through the debit and credit cards, mobile phones and online deals, have raised concerns for insurers and the insured.

Further, the working group said many property and liability insurance policies were designed when cyber wasn’t perceived as a major risk. These policies often did not explicitly mention cyber coverage. While the insurance fraternity debated this issue as part of regular review of operations, albeit at a low volume, the devastating NotPetya attack and other high-profile cyber security events, in the recent past, have placed the issue high on the agenda for the insurance industry.

“Having recognized the need to avoid assumption of unintended exposures or losses, insurance regulators have also expressed concerns about lack of certainty in policy coverage and inadequate risk assessment, in response market has engaged a clarification process,” it said.

The working group said it is neither desirable nor possible to standardise the cover at this juncture. “Nevertheless, insurers can build in certain minimum covers as a part of individual cyber insurance. The attached model policy wording can be considered by the insurance industry as a reference point to provide minimum basic coverage,” it said.