Cyber insurance a must for businesses: How to choose right policy

Look for policies that will cover third-party liabilities, costs arising after a hacking incident

Small businesses are, finally, waking up to the threat posed by cyber attacks. After the WannaCry ransomware incident, they are turning to cyber liability insurance to safeguard themselves against this risk.

Earlier, these businesses only insured hard assets. But now they are realising the worth of their data, an intangible yet perhaps the most crucial asset.  If data gets stolen or destroyed in a cyber attack, it can cause great harm, both to the business and to its customers. The latter could even sue the firm for the damage they have suffered. “A cyber liability policy protects the policyholder against any liability it may face from a third party,” says Sushant Sarin, senior vice-president-commercial lines, Tata AIG General Insurance. This cover is especially important for firms dealing with critical or sensitive data.

So, when does a cyber liability cover get triggered? For one, if there is a data breach: If the network is hacked and data stolen, if a negligent employee puts private data out into the public domain, or if a disgruntled employee does the same deliberately. It also gets triggered if the network is hacked and data corrupted, or if ransom ware is introduced and the hacker threatens to corrupt the data unless you pay up. Finally, it is triggered if attackers swamp a company’s website (say, that of an e-commerce firm), making it impossible for customers to transact on it. 

The policy makes a payout in a variety of circumstances. One is if there is a third-party liability. When such attacks happen, the policyholder may also want to plug the vulnerabilities within his system, for which he may want to consult a cyber expert. The policy will bear the consultancy fee. The policyholder may also have to notify customers that their data has been stolen and hence they should change their passwords. The cost of notifying is borne by the policy. Whenever there is a data breach, the policyholder’s reputation suffers. The company may have to hire a public relations firm to help it mend its reputation. The fee for this is also borne by the policy. Finally, the policy also pays for any fine imposed by a regulator for negligence on the policyholder’s part that led to the data breach.

The premium depends on a number of factors. “It depends on the nature of the sector in which the company operates and the sensitivity of data handled, territory of operations, risk mitigation steps already taken by the client, and so on,” says Rahul Mohata, chief operating officer, 121policy.com. Thus, a company dealing in financial data of clients may have to pay more. Where the company’s customers reside is also significant. “If the company has customers abroad, liabilities can arise in foreign jurisdictions, which could be more expensive to deal with,” says Arvind Laddha, deputy chief executive officer, JLT Independent Insurance Brokers. Experts say that the premium cost ranges from 0.50-1.50 per cent of the sum assured. Each customer gets a customised quote depending on the specific terms of the policy offered. 

Before buying, ensure that the policy offers wide coverage. Sarin suggests choosing an insurer that has cyber experts empanelled with it, and whose services it can offer to you so that in case of a crisis you don’t have to go hunting for one yourself.