CYBER INSURANCE
A Reference Guide
Institute for Development and Research in Banking Technology (Established by Reserve Bank of India)
© An IDRBT Publication, November 2017. All Rights Reserved.
For restricted circulation in the Indian Banking Sector.
CONTENTS
Foreword ........................................... 01
Introduction ....................................... 02
Scope of the Policy ................................ 05
Policy Process ..................................... 08
Claims Process ..................................... 21
Annexure 1: Cyber Insurance Proposal Form .......... 25
CYBER INSURANCE: A REFERENCE GUIDE 01
FOREWORD
DURING the course of its business, a bank is
likely to incur financial losses due to
unexpected events. The causes behind some of
the events may be within the purview of the
bank, in which case, the bank can take measures
to avoid such events. But there may be events
beyond its control and hence unavoidable.
Fire, earthquakes, floods and similar natural
disasters come under the unavoidable events.
Though not natural, thefts and robberies are also
considered unavoidable. Banks find ways of
transferring the risk of loss due to such
unavoidable events through insurance. Over a
period of time, the insurance sector has matured
and developed suitable products to meet
different requirements of banks and other
financial institutions.
Cyber fraud is a fast-emerging threat to most
business entities and more so to financial
institutions, including banks. Banks have been
building suitable cyber defence systems to
detect and thwart cyber attacks and minimize, if
not avoid, financial losses. As no defence
solution can give total protection and hence full
assurance, it may become necessary to transfer
the risk through cyber insurance.
Cyber insurance is an evolving ecosystem. Banks
and other entities wishing to cover their risk
through insurance have to understand the need
for insurance, the quantum to be insured, the premium
that can be paid, the clauses that need to be introduced
and the overall scope of such cyber insurance.
Simultaneously, the insuring companies need to
understand the requirements of banks and offer
appropriate insurance products.
It is in this context that the present guide on
cyber insurance, prepared with inputs from
academicians, banks and insurance companies,
is being brought out by IDRBT, as a reference
book to both banks and insurance companies.
We are sure, the document will help all the
stakeholders in understanding cyber insurance
and help banks in managing their cyber risk
through appropriate products and agreements.
All the contributors to the reference guide
deserve appreciation for their inputs and
commitment.
(Dr. A. S. Ramasastri)
Director, IDRBT
Date: November 24, 2017
Place: Hyderabad
CYBER INSURANCE: WHAT, WHY, WHEN AND HOW
Chapter - 1: INTRODUCTION
THE aim of this chapter is to explain what
Cyber Insurance is and to highlight the
potential issues that may arise if we rely upon
traditional insurance products to address the
evolving threats of cyber liability.
Technology has transformed the way banking is
conducted – from providing services online to
customers, to storing data in the 'cloud' while
accessing information from tablets and
smartphones.
With millions of consumers transacting with
banks online every year, it is a bank's obligation
to put mechanisms in place to stop the loss of
personally identifiable information (PII), the
transactional data of its customers, and the bank's
internal sensitive information. It is also the bank's
responsibility to respond in an efficient and
effective manner in case of such losses.
What is Cyber Insurance?
Traditional business insurance policies have
tended to only cover “tangible” assets such as
PCs, laptops and other mobile devices.
Developing exposures have highlighted that
electronic data is not always considered to fall
under the definition of tangible assets and is just
one area where cyber insurance is designed to fill
a gap.
The number of exposures a bank faces
continues to increase as banks become more
globally networked and complex, and with
increasingly commercialized cyber-crimes,
insurance policies need to adapt to the changing
environment. The intention of cyber insurance, as of
any other form of insurance, is to simultaneously
mitigate the risk as well as provide the aggrieved
party with some form of redressal.
Cyber insurance is a tailor-made insurance
offering comprehensive cover for third party
liability and first party expenses a bank may incur
arising out of unauthorised access or use of its
physical and electronic data or software. Cyber
insurance policies can also provide coverage for
liability, costs and expenses arising from network
outages, the spreading of a virus or malicious
code, computer theft or extortion.
Cyber insurance also provides cover for business
interruption and the cost of notifying customers
and regulatory investigations or actions in case
of a breach, without the requirement for physical
damage that is a standard trigger under property
policies. When looking at policy options, banks
should consider coverage, which addresses
these issues.
Insurance Benefits & Considerations
Cyber insurance policies are designed to address
many variables within the online realm and can
include:
• The liability of the bank arising from data protection laws
• The management of personal data and the consequences of losing personal identifying information
• Repair of the bank's reputation
• Notification and monitoring costs
• Cyber extortion and network interruption.
A cyber insurance policy should cover immediate
expenses such as crisis management, hiring a
public relations firm to manage a data breach
incident, forensic analysis, repairing and
restoring computer systems and the loss of profit
out of business interruption.
When evaluating the need for cyber insurance, a
bank should consider the following factors in
assessing the risks:
• The type and context of information transacted and retained
• The risks of hazard to the affected individual
• The education, training and oversight of employees
• The level of security of mobile devices that carry sensitive data
• The level of encryption of sensitive data at rest and in motion
• Interruption to business-as-usual operations
• Costs of computer forensic investigation
• Cost of civil litigations and criminal investigation
• Crisis management and customer notification expenses.
The banking organisations need to make
informed decisions, while understanding what
their assets are and how the organisation would
survive without them.
Comparison between Cyber and Other Liability Policies
Given that the traditional policies pre-date the
internet, it is not surprising they have not been
responsive to cyber exposures. An illustrative list
is as below:
• Fire insurance covers specific listed causes, leading to material damage. Would damage to data, and its resulting consequences, qualify as covered losses under this policy?
• Commercial General Liability (CGL) policies respond to claims for bodily injury and property damage. If sensitive data in the bank's custody is published online without authorisation, would the bank's CGL construe it as property damage?
• Crime policies cover loss of the organisation arising out of employee or third-party fraudulent acts. Would theft of data or information qualify as loss under the crime policy?
• Professional indemnity policies cover legal liability for act, error, and omission by employees. Would liability arising out of intentional acts of rogue employees be covered?
• Cyber insurance can fill many of the gaps in traditional insurance, as well as provide substantial first- and third-party covers relating to the cyber breach.
A comparison between the covers offered by cyber and other policies is given hereunder:

| Cyber Insuring Clause | Cyber | CGL | PI | K&R | D&O | Crime |
|---|---|---|---|---|---|---|
| Individual Privacy and Security Liability | Yes | Check for electronic data exclusion | As an endorsement | No | Only for D&O | No |
| Corporate Liability | Yes | Check for electronic data exclusion | As an endorsement | No | Only for D&O | No |
| Multimedia Liability | Yes | P&A Injury (check for intentional acts exclusion) | Yes | No | Only for D&O | No |
| Credit Monitoring Costs | Yes | No | As an endorsement | No | No | No |
| Crisis Management Costs | Yes | No | As an endorsement | No | Only for D&O | No |
| Cyber Extortion Costs | Yes | No | As an endorsement | Yes | No | Yes |
| Data Restoration Costs | For 3rd party data only | No | As an endorsement | No | No | Yes |
| Forensic Costs | Yes | No | As an endorsement | No | No | For 1st party loss only |
| Legal Representation Costs | Yes | No | As an endorsement | No | Only for D&O | No |
| Privacy Notification Costs | Yes | No | As an endorsement | No | No | No |
| Regulatory Fines and Penalties | Yes | No | As an endorsement | No | Only for D&O | No |
| Business Interruption Loss | Yes | No | As an endorsement | No | No | No |

*CGL: Commercial General Liability; *PI: Professional Indemnity; *D&O: Directors' and Officers' Liability; *K&R: Kidnap & Ransom
Chapter - 2: SCOPE OF THE POLICY
THE aim of this chapter is to explain the broad
ambit of the scope of the policy and the
standard coverages and exclusions to lay the
premise of the risk mitigation aspect.
Scope of the Policy
Cyber Insurance is a comprehensive insurance
solution for banks covering first-party costs and
third-party liability risks arising from a cyber
event. It will broadly provide protection to the bank
for the following exposures:
• Virus/Malware attack, introduction of malicious code or unauthorised access leading to data breach
• Cost of rebuilding data in the event of acts of vandalism
• Fraudulent transactions undertaken due to security breach arising out of cyber attack including social engineering
• Cyber extortion or threat leading to ransom payment
• Loss arising from unauthorised data alteration or stealing of data (including social engineering attacks)
• Loss arising from insertion of any malicious code or virus/malware
• Loss of profit due to network security or business interruption
• Cost of notification to customers post a cyber breach and credit monitoring costs
• Forensic costs and investigation costs
• Cost of appointing public relations consultants to control reputational damage
• Liability arising out of breach of personal and corporate data
• Liability arising out of outsourced activities
• Liability arising out of disparagement of products and services, defamation and infringement of intellectual property rights
• Defence cost for litigations and in connection with proceedings brought about by regulators
• Coverage for PCI DSS and other regulatory fines and penalties.
First-party Coverage
First-party covers provide protection to the bank
in the event of a loss, whether caused by itself or
someone else. When a bank experiences a cyber
attack or a data breach, the following
events/occurrences can be covered under
insurance:
• Cost of notifying customers that the information is compromised and changing such records
• Credit monitoring services for customers affected by such data breach
• Cyber extortion when the extortionist holds data hostage or threatens an attack if money is not paid to them. The cover includes the cost of a professional negotiator and any payment made or any fund or property surrender intended as an extortion payment
• Loss to the bank in terms of cost of blank media and labor cost of reproducing data due to the acts of vandalism including deletion, destruction, alteration of data
• Business interruption loss, i.e. loss of business profit due to unavailability of services arising out of unauthorised access or cyber attack
• Professional fees for advice and support from a public relations consultant/crisis management consultants, in order to mitigate or prevent damage to the bank's reputation as well as to individuals, e.g. the Bank's Chairman, Directors and employees, due to a cyber attack or data breach. This would include designing and managing the communication strategy
• Professional fees of forensic cyber risk specialists for the purpose of substantiating whether a cyber attack or data breach has occurred/is occurring and identifying its cause
• Cost of regulatory investigations for data breach (defence costs, fees as well as fines).
Third-party Coverage
Third-party coverages provide protection to the
bank against the claims of third parties. When a
bank experiences a cyber attack or a data breach,
the following events/occurrences can be
covered under insurance:
• Liability on the bank due to the following:
  • Unauthorised access to personal data or corporate information or dissemination of information on the internet, including the cost of re-issuing plastic cards
  • Infringement of intellectual property rights
  • System security failures that result in harm to third-party systems
  • Defamation, disparagement of products or services and invasion of privacy
  • System security failure resulting in systems being unavailable to customers
  • Unauthorised access to a system owned by an outsourced organisation that is authorised by the bank to store data.
• Defense costs incurred in defending any claim brought by a third party including a government agency or licensing or regulatory organisations
• Settlements, damages and judgments related to the breach
• Regulatory fines and penalties including Payment Card Industry fines.
Some Additional Features
• Worldwide Coverage – It applies to claims made or events occurring anywhere in the world
• Claims-made policy form with retroactive date coverage – The policy triggers when a claim is first made against the bank during the policy period, for a covered act occurring after the retroactive date. (Retroactive date refers to the date after which a cyber incident might have been initiated, but the effect is discovered during the policy period, and will be covered under the policy. Therefore, depending upon the risk appetite, the bank may decide the retroactive date while taking the cyber insurance policy.)
Some Optional Extensions
• Reward expenses – To be paid to an informant for information not otherwise available which leads to the arrest and conviction of persons responsible for a cyber attack
• E-theft loss – whereby the first-party loss is covered due to fraudulent transactions undertaken due to security breach
• E-communication loss – whereby the first-party loss is covered due to a customer having transferred funds or property or given any value on the faith of any fraudulent communication for which loss you are held legally liable
• Coverage extended to claims seeking non-monetary relief and arbitration, mediation or similar alternative dispute resolution proceedings
• Definition of damages amended to include non-compensatory damages, including punitive, multiple, exemplary or liquidated damages where insurable by law
• Cyber terrorism cover [War will be excluded]
• In case of third-party coverage, if the policy is either terminated, not renewed or replaced, then an extended reporting period can be made available for reporting claims that are first made during the policy period or such extended reporting period
• Advancement of defence costs – Defence costs in advance of the final disposition of any cyber liability claim and within a mutually agreed stipulated period of receipt of invoice for such costs.
Major Exclusions
• Prior claims or circumstances of claims – As on the inception date of the policy, any circumstance that may reasonably have been expected to give rise to a claim, or any claim made or circumstance notified prior to or pending at the inception date of this policy
• Bodily injury and Property damage – Bodily injury, sickness, disease, death of any person or damage to any tangible property
• Criminal, dishonest and fraudulent acts – Fraudulent act or willful violation of law or any regulation by the bank. Any act, error or omission which a court, tribunal, arbitrator or regulatory body finds, or which the bank admits, to be a criminal, dishonest or fraudulent act
• Intellectual Property – Any actual or alleged infringement, misuse or abuse of patent, trade name, trademark and trade secrets (with a carve back for third-party data)
• Gradual deterioration, electric disturbance, media failure or breakdown or any malfunction
• Unlawful/Unauthorised collection of data
• Infrastructure failure – Any telecommunications, electrical or mechanical failure unless it is under the bank's operational control
• Licensing fees – Any actual or alleged obligation to make licensing fee or royalty payments, including but not limited to the amount or timeliness of such payments
• Trading losses – all kinds of trading losses and debts incurred.
Chapter - 3: POLICY PROCESS
THIS part of the document seeks to state the
prerequisites for the procurement process for
cyber insurance, the actual process and the
underwriting considerations for the policy.
Despite the large number of developments that
have taken place over the last few years, the
cyber insurance market is yet to receive the
anticipated adoption rate. While some regions
have made progress on the basis of supportive
legislation, it is found that in comparison with
other insurance sectors, the state of cyber
insurance is at a less mature stage. As cyber
risks grow, the senior management and boards
of directors of companies have increasingly
focused on a holistic response to cyber threats
that includes risk mitigation, risk transfer and
response/recovery. This holistic approach
necessarily includes insurance.
The cyber risk insurance policy placement and
procurement process has multiple iterations being
followed internationally due to the high variance in the
manner in which the risk is gauged and the sheer
quantum and complexity of the risk.
The policy placement process in India at present
is the most pragmatic and practical method i.e. of
having a preliminary look at standard IT security
risk vide consideration of standard IT security
compliances and certifications followed
internationally. This is in addition to taking into
cognizance outsourcer operational involvement
and internal backup/crisis policies.
One needs to understand that the overall risk is
still being considered in its totality to be an
amalgamation of operational, transactional and
human risk with the ante being raised vide
reliance of critical infrastructure on technology
of banks. It is important to take cognizance of the
fact that the accountability, the costs of forensics,
the overall damage resulting from a cyber-attack
are poised to increase, which may lead to a
change in the overall risk analysis process from
an underwriting perspective and maybe in the
pricing as well.
There needs to be a veritable circle of trust
among the banks, insurers and insurance
intermediaries as it is the key to healthy cyber
insurance markets and beneficial for all
stakeholders involved.
Prerequisites
The benefit of going through the process of
arranging your cyber liability insurance policy is
that it encourages you to address your cyber
security and risk management processes, and
identify existing vulnerabilities which you may
not have done otherwise. The following are
certain prerequisites of having a robust cyber
insurance market:
Risk Exposure
For any insurance product to be in place, the risk
should be prevalent and with regards to overall
cyber risk, the insurance seeks to cover the
aspects that are consequences of a cyber event.
The outcomes of cyber risk have matured, going
beyond operational risk, with liability risk being clear
and apparent. With the practical need being the
protection of the balance sheet through first-
party loss covers, the deliberate imposition of
privacy accountability is a reasonable outcome
of the overall risk.
It is important for the product to be developed
considering the peculiar risks that financial banks
may face due to their geographical presence and
overall frameworks. At present, juxtaposing the
same with international practices does provide
some form of baseline. Cyber risk is continuously
evolving and the insurance service providers
need considerable amount of cyber risk
reporting in an effective manner to transform the
overall product to suit the exposure.
In the absence of reporting or notification and
basing practices on international exposure
points, insurers can provide standardized
wordings with certain variance and improvements
contingent to the regulatory practices of the
geography and the rules that dictate the overall
insurability of liabilities that are fiduciary in
nature. At present, considerably broad wordings
are issued in India on the lines of international
practices with the nascent nature of the product
and the afore-stated absence of claims or
notification data in the country allowing for a
relative generalization in coverage.
Mandatory Information Security Practices
Regulatory mandated practices, policies and
notification practices are key to the growth of
cyber insurance. The trend has been noticed at
an international level with an increase in the
regulatory purview and requirements of cyber
incident reporting: (i) whether it be the local
regulator imposing notification requirements
and strict mention of the steps taken to advance
the same in annual reports; (ii) multi-nation
policy-making bodies mandating a standardized
information security practice; (iii) or local
demographic groups forming committees to
mandate a required compliance with regards to
the overall cyber risk.
All of the aforesaid have been the major drivers
of cyber insurance in the various geographies of
their prevalence. The compulsory post-cyber
incident practice has led to the insurers taking
cognizance of important first-party cost covers
such as those of notification and regulatory
response costs. Overall, it has led to a more
robust product in comparison to the initial
origins of mere data liability products. In that
regard, the RBI framework and guidelines are an
effective baseline for the insurers to understand
the industry-specific risk, however as per the
same, if the adherence reports can be shared
during the policy procurement process, from an
insurance perspective, the same would prove to
be an effective baseline for local financial bank
practice and adherence to best risk practices as
advocated within the framework. A mandatory
insurance cover would allow at the very least for
lots of customers to get covered in the case of a
major cyber event and make good the loss with
the jurisprudential premise like that of injury and
public liability.
Risk Mitigation
It needs to be understood that insurance should
be an additional risk mitigation tool in addition
to controls, teams and overall tools used to
detect, deter and destroy sources of risk. The
primary role of cyber insurance comes from a
liability perspective in defending and making
good the loss post a cyber event taking place.
Where the insurance plays a reimbursement role for
costs incurred by the bank in order to support or
implement various controls, it is expected that the
bank is required to effectively combat the escalation
of the risk.
The prerequisite, therefore, is for basic risk
mitigation practices to be prevalent. If the bank is
able to showcase the same, the insurance will be
able to play its role efficiently and effectively.
If one is to consider the cyber kill chain matrix
(Fig. 1) developed by Lockheed Martin, one can
understand that, with the overall risk mitigation
practice that a bank follows being the
baseline gauged during the underwriting
process, the insurance will play the role of:
• Gauging the effectiveness of the “pre-compromise incident prevention” aspect of the cyber risk kill chain through the underwriting process and accordingly providing support to existing and additional controls and mitigation devices in the containment and detection aspect of the compromise stage
• Providing first-party costs coverage during the “post-compromise incident response stage”.
It is imperative to note that both the presence
and effectiveness of risk mitigation practices in a
bank are important for the insurance to play its
due role. In isolation, it would be a relatively
redundant tool to have as the overall risk cannot
be combated by cyber insurance only.
Fig. 1: Cyber Insurance Kill Chain Developed by Lockheed Martin
[Figure: the seven kill chain stages with the attacker activity shown for each – Reconnaissance (Attacker Research); Weaponization (ID Vulnerability/Create Malware); Delivery (Launch Attack); Exploitation (Malware Exploits Vulnerabilities); Installation (Target System/Data); Command & Control (Attacker Control of System/Data); Actions on Intent (Movement and Exfiltration). The stages are grouped into Phase 1: Pre-Compromise (Incident Prevention), Phase 2: Compromise (Incident Detection) and Phase 3: Post-Compromise (Incident Response), along an axis of Increasing Risk & Cost to Contain & Remediate.]
Existing Insurance Policies
There have been a multitude of deliberations and
resultant lawsuits due to ambiguity in coverage
under standard liability policies (recent ones
being the PF Chang and Sony Lawsuits), where
the ambiguity leading to the banks taking their
risk on their balance sheets is prevalent. Often,
property, commercial general liability and
professional indemnity policies have been used
by clients to cover the risk, with a comparatively
lesser effectiveness than that of standalone
cyber policies. While the CGL policies as an
international practice come with a clear data
exclusion, the other policies can be used
sometimes to cover specific risks. As in the case
of the WannaCry ransomware attack, the insurers
around the world themselves advocated the use
of kidnap and ransom policies to combat the
ransomware risk in the absence of cyber
insurance.
It is also important to take into consideration that
standard Bankers Blanket Bond policies, which are
used to cover fraud risk, are very limiting when it
comes to cyber coverage. The electronic crime
and impersonation covers require proof of
fraudulent intent, which could prove to be
cumbersome, and are therefore limiting. Modern
cyber insurance policies have now evolved to
even include the risks of fraud carried out
through technology and impersonation risk.
The table below (Fig. 2) is often used by
intermediaries and insurers to showcase
why a standalone cyber insurance product is key
to effective cyber risk mitigation in
comparison to other insurances:
Fig. 2: Cyber Risk vis-à-vis Insurance Policy Coverages
[Table: policies compared – Property, General Liability, Crime/Bond, K&R, E&O, Cyber.
1st Party Privacy / Network Risks: Physical Damage to Data Only; Virus/Hacker Damage to Data Only; Denial of Service Attack; B. I. Loss from Security Event; Extortion/Threat; Employee Sabotage of Data Only.
3rd Party Privacy / Network Risks: Theft/Disclosure of Private Info.; Confidential Corporate Info. Breach; Technology E&O; Media Liability (Electronic Content); Privacy Breach Expense/Notification; Damage to 3rd Party's Data Only; Regulatory Privacy Defense/Fines; Virus/Malicious Code Transmission.
Legend: Coverage Provided? / Coverage Possible? / No Coverage? (the per-cell markings are not reproduced here).
* For reference and discussion only; policy language and facts of claim will require further analysis.]
It is therefore important to discuss with the
mandated insurance service provider as to the
effectiveness of prevalent coverage not only to
gauge the current insurances' efficacy, but to
avoid overlapping of coverages and ambiguity in
claim events. The very presence of a standalone
cyber insurance product is a testament to the
need for one in addition to the existing policies,
and it is therefore an essential tool in the modern
risk manager's repertoire.
Policy Process
The policy process can be broadly divided into
the following seven stages for efficient execution
and understanding:
1. Commence
2. Analyze
3. Review
4. Discuss
5. Underwrite
6. Submit & Service
7. Renewal.
1. Commence
� Before the bank sets out to purchase a
policy, it is necessary that the bank has an
understanding of the quantum of risk it
intends to mitigate through the insurance.
This understanding would help the bank
decide on the quantum and types of
coverage to be obtained from the policy
• The understanding of the risk can be
obtained through sources like internal
incident repository, media information on
cyber events and its outcomes (fines
imposed, costs incurred by that bank, etc.),
audits and reviews of the Info Sec/IT
infrastructure of the bank
� Regulatory and legal requirements for the
geography (ies) in which the bank operates
would also determine the risk exposure
� Considering the specialized and evolving
nature of the risk and the cyber insurance
market, banks may consider the services of
insurance intermediaries who would be
better placed to structure a suitable cover
for the bank
� Once the above information is obtained and
suitably analysed, banks would have a
better starting point to discuss coverage,
quantum of coverage, and terms and
conditions with the insurers
� The next steps are to identify the insurers
and/or insurance intermediaries to begin
the process of policy coverage
� The process is commenced by a dialogue
between bank and insurance service
provider where the overall risk and the
offerings vis-à-vis the risk are discussed
between the parties
� Normally, a proposal form is requested
along with documents as are mentioned in
the sections that follow which are expected
of any bank
� Internationally, the practice is to request the
banks to submit comprehensive self-
assessment documents vis-à-vis the risk
framework
• Following this application process, it is
common for insurers to conduct a full
physical and technical analysis of the
applicant's IT infrastructure. This process
begins with information requested for
building and physical security
arrangements, network diagrams and a
detailed description of network activities
• Aside from this questionnaire, applicants
are required to submit a range of formal
documentation during the application
process. This can include:
  • Written policy on IT Security
  • Policy for the deletion of data
  • Appraisal of IT Security controls
  • Resumes of senior officers
  • Audited Financial Statements.
Note: As with any insurance policy, the proposal
form and supporting documents shared with the
insurance company form the basis of the
insurance contract. Hence, it would be useful to
have detailed internal reviews of the proposal
form by senior bank officials (IT, Information
Security, Legal, Risk Management and Business
Verticals) to ensure that language does not
become an issue for the bank when it intends to
enforce the insurance contract.
2. Analyze
� The insurance service provider may analyze
internal assessment reports of the bank
� The insurance service provider may arrange
for a variety of external assessments to be
conducted.
3. Review
� The underwriter proceeds to review the risk
taking into consideration the details,
reports provided, the internal policies
shared, current demographic-centric
practices and risk and developments with
respect to the bank and its peers in the
industry
• The insurance service providers sometimes
arrange calls with consultants and the banks
to discuss the report findings and analyse
the vulnerabilities or best practices that the
bank may have.
4. Discuss
• The insurance service provider will have a
detailed discussion with the bank based on
its findings and, in an ideal information
exchange, showcase how certain bespoke coverage
may be needed to address the special risk
that the bank may face, and thereby initiate a
dialogue to understand in detail the banks'
concerns from a practical exposure side as well
• If the bank needs assistance with regards to
the limits, benchmarks are shared by the
insurance service provider for the bank
representatives' perusal and the limits are
finalised as well.
5. Underwrite
• Taking the aforesaid factors into
consideration, the underwriter then proceeds
to structure the policy requirements based on
the limits as finalised in the “discuss” process
and taking into cognizance the findings of
the “review” part of the process
• The process allows the underwriter to
structure the policy with its bespoke
iteration for the bank at hand with its special
coverage and endorsements, and,
contingent to the risk, with certain additional
exclusions as well
• Having done the same, based on internal
actuarial calculations, insurer-mandated
rules, risk appetite and market practices, the
premium is finalised.
6. Submit & Service
• The policy wording is handed over to the designated authorities, subject to the subjectivities (conditions set by the insurer) being met and the premium being paid
• The insurance service provider services the bank in a variety of ways, including "know your policy" sessions, sending a variety of reports, discussing the latest risk exposures and recent claims, and providing overall assistance through the policy period.
7. Renewal
• After one year, as with annual liability policies, the renewal process commences, in which new risks, developments, acquisitions, etc., are discussed
• The policy is reviewed comprehensively at the renewal stage
• On renewal, the premium will depend on the absence of claims or notified circumstances, the risk exposure and the limits opted for.
Underwriting Considerations
As a matter of good risk mitigation practice, banks can shore up their information security policies and practices to increase the availability of cyber coverage and reduce its cost.
Even before seeking cyber coverage and engaging in the underwriting process, a bank should get its data house in order and take stock of its overall information security and cyber risk, so that it can point to the best practices it already follows (if any) and close the gaps.
During the process, underwriters will ask for information on the cyber security maturity of the bank and the defences it has in place. The level of comfort the bank can provide will greatly affect the amount of coverage available and the terms and cost of that coverage.
More broadly, certain practices indicate readiness towards cyber risk and lead insurance service providers to view the bank as intent on mitigating its exposure to cyber risk.
Firstly, understanding the critical assets and primary exposure points, the sources of primary risk, is key. An underwriter would most definitely take into consideration the scale of the network, the type of data handled and the overall touchpoints the bank has with its customers, and gauge these against the bank's current capabilities and controls.
Secondly, having some form of policy, preparedness and a backup plan in place is key. Given the much-discussed human element of the risk, the awareness of key stakeholders and the overall resource preparedness for a cyber risk event can be demonstrated by the organization's intent as expressed through its various policies. Incident response plans and backup plans show an immediate, practical approach to mitigating the risk head-on, and that the bank does not intend to let a cyber incident wreak havoc leading to considerable losses.
Thirdly, some form of dedicated team with a mandate to monitor the bank's vast network of devices and its external touchpoints, and to implement and deliver upon the aforementioned policies.
Fourthly, it is good practice for the bank to maintain a codified record of the cyber events that the organization has experienced in the past and that its peer banks have been exposed to. A practice of disclosure leads to healthier and more robust risk mitigation and effectively forms a safety net. Board oversight is therefore crucial at the insurance stage as well, to ensure proper disclosure.
Key Underwriting Considerations
General Risk Exposure of the Industry and Business Activities
The sector, activities and services are key for the underwriter to gain an initial insight, as stated in the section titled "Risk Exposure".
General Risk Exposure and the Size of the Bank
The size, operations and revenue of the bank, together with the generic exposure points, lay the ground for the reasonably expected risk from standardized exposures. Further, the number of years in business indicates exposure to past global attacks and to successive iterations of frameworks and practice, and gives the underwriter a general idea of the bank's possible scale of growth.
Enumeration and Geographical Spread of Business
Various international jurisdictions have mandated standards, best practices, notification rules and the like with regard to banks storing data, and non-compliance would expose the bank to considerable regulatory risk. The underwriters would consider the overall risk the bank assumes by conducting operations or having clientele in certain geographies.
Data Sensitivity (e.g. personal data, health, intellectual property, machine generated)
The data liability coverage forms a core
component of the cyber insurance policy and the
underwriter needs to take complete cognizance
of the variety of data being processed and stored
in the bank's systems; how the same is being
managed, vetted and encrypted and which
stakeholders have ownership and access to the
data.
Corporate Presence Online (Website, social media, mobile application presence and usage of marketing tools)
In the Indian context, this has been a highly prevalent risk for the past decade. There has been frequent defacement of major government and corporate sites, and this is the source of a certain amount of the reputational risk that the policy addresses through the PR costs and multimedia expenses cover. Social media and mobile applications are the most used platforms for customer interaction; mobile applications in particular allow significant client-triggered transactions and can therefore be a major source of risk. An underwriter would often conduct a tabletop review of these to gauge the overall risk and exposure points.
Requested Policy Limit
This is one of the most important considerations in the overall policy placement, as it allows the insurance service providers and the prospective bank to place a cap on the overall risk for an annual period and plays a significant role in allocating a monetary value to it. It is important that this decision is made in consideration of purchasing power, peer benchmarks and local practice.
Loss History
During the underwriting process, underwriters will also inquire about the extent of prior computer attacks. As with any insurance practice, substantial prior losses will result in more intensive questioning on what steps the bank has taken to reduce such losses in future. A failure to respond adequately to these questions could result in a lack of insurability, with the insurer recommending the adoption of certain actions, or a formal assessment by a third party, before any underwriting decision can be made.
Incident Response Planning
The underwriters will want to know whether the bank has a formal incident response plan in place and will also inquire about regular testing through tabletop or simulation exercises. Backup and business continuity plans are equally important, as they show a deep-rooted strategy to prevent a loss from reaching catastrophic levels.
A designated Incident Response Programme would clearly set out the processes and resources that a bank would engage in order to address information security incidents. Insurance service providers would validate the existence of a prospective bank's Incident Response Programme in a formal form, and evaluate its tolerance for withstanding several incidents.
Financial Condition
An underwriter will also review a bank's financial condition (balance sheet, income statement, cash flow statement). This helps underwriters understand the overall risk the bank can bear in a major crisis, its budgeting considerations and the revenue at risk in a network interruption event. It is an essential component of the overall underwriting process and forms a major basis for the calculation of limits.
Dedicated Information Security Resources
Underwriters would usually check whether the bank has a Chief Information Security Officer (CISO). They are typically interested in the amount of resources a bank spends on information security and the number of employees dedicated to it. On the expenditure side, the underwriters will usually weigh the spend against the gaps that such resources fill and the track record of those resources in terms of effective execution of policies. This is most clearly visible in a comprehensive information security team with clearly defined roles, and in representatives from departments where a certain amount of exposure may be prevalent.
Some underwriters also consider the qualifications of the team managing information security. This shows the underwriter an active interest and investment, as well as the prioritization of the risk from both a budgeting and a strategic perspective.
Most underwriters prefer to interact with the C-suite information security personnel in order to understand the practices the bank follows and the overall controls in place that allow the C-suite cyber security stakeholder to execute the standardized plans.
Where the team is composed of external information security providers, as is often the case, the underwriters would usually take into consideration the type and number of projects such team members are working on, the controls in place to maintain their fidelity, the alignment of their practices with corporate strategy and adherence to the budget.
To summarize, the presence of a dedicated team, whether internal or external, its management and its rules and profiles not only give the insurer an idea of the prioritization of the risk, but also of the competency to deal with claim circumstances overall.
General Security Measures
Underwriters also conduct a due diligence of
data retention, network segmentation, data
classification, log monitoring, penetration
testing, port management, patch management
and business interruption planning.
The underwriters also want to know whether the
business has an encryption strategy and the
technologies used to encrypt or otherwise
protect sensitive data, comparing them to
international standards and practices.
Employee Awareness Practices
Employees are a vulnerable source of risk on account of their overall unpredictability and their susceptibility to becoming the unwitting source of a cyber attack. With the slow but steady increase in targeted phishing campaigns, large-scale social engineering attacks and user error resulting in security breaches, underwriters look to insurance applicants to provide security awareness programmes for employees, and may specifically ask whether the bank conducts regular phishing tests on employees and what the consequences are for employees who repeatedly fail them.
The awareness policy may be analysed by the underwriter with regard to frequency and outreach; certain banks have even opted to conduct phishing checks on high-risk employees to test the efficacy of controls and awareness, which is a good practice. Employee awareness programmes are therefore significant in the underwriter's overall understanding of the bank.
Extent of Use of Outsourced Network Security Services/Vendor Management
Many recent data breaches have occurred through third-party relationships, either through a vendor's vulnerability or through vendor credentials being impersonated. Hence, underwriters are concerned with third-party vendor management and scrutiny.
It is key to consider whether the bank has a formal third-party management and selection process, due diligence and ongoing oversight, tracking, scrutiny and routine compliance checks performed on third-party vendors, and the contractual obligations required of third-party vendors. Though the policy coverage does provide cover for outsourcer error or breach-centric liability, the bank is reasonably expected to have taken due cognizance of its legal relationships with vendors and of the sharing of liability.
Underwriters also take account of the outsourcing of cyber security services. Outsourcing can raise or lower a bank's premium. Underwriters will also look at the country where the outsourced services are located, since certain countries pose greater risk than others.
Dependency on Third Party Networks
Underwriters inquire into what due diligence a bank has done on the quality of the networks and systems of its partners, distributors, etc. Banks that have successfully made such assessments may enjoy lower premiums.
Board Oversight
The awareness of the board of directors
concerning key information security issues is an
essential step for addressing risk.
IT Audit
While the majority of insurers do not impose an audit requirement, they do consider an audit good practice for high-risk banks. If the insurer-driven risk assessment exposes gaps, an audit can follow, but the risk is still underwritten as it stands when the insurance is concluded, or as accepted after any assessment of the findings.
Key Stakeholders
The diagram (Fig. 3) shows the overall stakeholders in the policy procurement and performance process.
Fig. 3: Key Stakeholders in Cyber Insurance
The board members, CISO, CIO, CRO, CTO and CFO are the core decision makers, as the policy caters to multiple aspects that fall under the purview of each of them, and each has a vested interest (and therefore a duty) in the overall cyber risk. The designated insurance purchase department (often that of procurement) often plays a role as well. However, it is advised that the stakeholders with knowledge of the risk and of the controls in place to combat it be the final decision makers, and the overall risk owners on behalf of the bank. These same members often form the core of the control group in charge of claims management and notification.
The CISO, CEO and CFO in particular are the primary stakeholders with respect to the risk imposed on the bank as a whole, forming a trio of information security manager, executive decision maker and controller of overall spend in a crisis situation respectively, and it is they who should form the core of the bank's decision-making representatives. Given their position, they are also susceptible to being targets of social engineering attacks, impersonation frauds or the like. In the rare scenario where the CISO's own systems are compromised, the attackers can proceed to wreak havoc armed with the access and control the CISO/CIO has in place.
The employees, vendors and customers (both current and prospective) form the bank's supply chain and are a major source of risk, since the systems, both internal and external, are either exposed to or managed by them. The customers (both corporate and individual) can be the primary source of data liability imposed under the policy and are an additional source of risk in that regard.
The major sources of risk, the attackers, are of multiple types, as set out in Fig. 3 above, and each has a different intention. The insurance policy broadly does not consider the source of an attack, but the trigger that the source brings about by its actions.
The regulatory body as discussed throughout
the document plays an important role of setting
mandatory notification rules, core information
security framework and internationally for
certain industries has even proved to provide the
stop/loss measure when an accumulation of risk
takes place. Further, the regulatory body often
proves to be the repository for industry-specific
breach information and in the scenario, that
there is some mechanism to share with the
underwriters said details, it lays the overall
actuarial groundwork for the development and
alteration of the product to better suit the banks'
needs.
The insurers play an equally critical role in the overall process and are ultimately the carriers of the risk. Together with IT service providers, ranging from cyber security consultants to bank cyber risk rating companies, awareness tool providers and forensic service providers, they form the core service proposition of the cyber insurance process. There are various permutations and combinations of these. The insurer often deducts the cost of pre-placement cyber security services from the premium itself, while in a claims situation the bank can (at its option) choose from a dedicated list of service providers, or proceed with whichever service provider its internal decision makers mandate.
Internationally, insurance intermediaries are structuring some of the largest and most comprehensive programmes for some of the most complex risks. They bring to the table intensive negotiation, a technical approach and the option of leveraging the bank's purchasing power to get the most comprehensive cover at a cost-effective price. They often act as a buffer during claims circumstances, playing the role of a "translator" and advocating on behalf of the bank in order to get the overall risk adequately covered.
The bank always has a choice with regard to using an intermediary. There is value in adding a middleman with adequate expertise, as this allows the bank to obtain the most advantageous cover in the overall process. The intermediaries also have numerous tie-ups with cyber security consultants and the like for pre- and post-placement services, and in certain cases even have dedicated experts as part of their internal team. If the risk is considerable and the limit requires some form of coinsurance or reinsurance to be put in place, the intermediary or the insurer can structure a programme in that regard; the reinsurers also often bring significant expertise and claims experience to the table.
Chapter - 4
CLAIMS PROCESS
THE aim of this chapter is to elucidate the
claims process and practical dos and don'ts
during the claims process.
Claims Process
Considering the variety of claims covered within the ambit of the policy, a relatively robust internal process needs to be in place for the policy cover to have its intended effect.
Also, while the subject matter of the policy is IT &
Info Security, it also involves legal, regulatory and
public relations aspects. Hence, an insured bank
should have an inter-functional team comprising
Info Sec, Legal, Media Management and
Insurance Procurement team to decide on
various aspects related to claims (notifying,
providing information, etc.).
Considering that an event may not immediately lead to a claim but could subsequently result in a situation which gives rise to a claim, the cross-functional team (preferably assisted by insurance intermediaries) could decide on when to notify the insurers and the content of the communication.
An example could be a data breach which is
detected. While it may be rectified immediately
once detected, the actual situation for a claim
would arise when a regulatory penalty is
imposed on the bank for its failure to ensure safe
keeping of data. However, since it is an event
which may lead to a claim against the insured
bank, the notification requirement would usually
arise when the insured bank is aware of the
breach.
The insurers generally have clauses in the
contract which require the insured to inform the
claim or claim-like situation as soon as it is known
to the insured. Hence, it is critical for the bank to
have a mechanism to decide on notification and
circumstances which require a notification.
The insured bank may request a specific notification clause which would require the bank to notify the insurer only when certain designated officials of the insured bank have knowledge of a claim or claim-like situation. This would give the insured bank time to analyse the event or circumstance and decide on the necessity of notifying the insurer. These designated officials would usually be the CISO, CRO, Head – Legal, etc.
The following decision-making process would
prove to be extremely effective during a cyber
claim process:
Step 1: Is the scenario a claim, or an event or a set of events which can eventually lead to a claim, under the policy?
The following scenarios would be deemed to be a yes:
• If the bank has received an enforcement notice (i.e. a notice from a regulator requiring the company to confirm compliance with the applicable Data Protection Law, take specific measures to comply with the applicable Data Protection Law, or refrain from processing any specified Personal Information or Third-Party Data)
• If it is a demand seeking a legal remedy from an aggrieved person or bank; for all purposes and practices, this includes official notices through all types of media demanding a legal remedy
• If it is a demand or notification of civil, regulatory, administrative or criminal proceedings seeking a legal remedy, compliance or other sanction, in a manner similar to the prior scenario
• If it is a written demand for a legal remedy.
Taking this first question together with the application of the policy wording to deem the circumstance a claim, it is clear that this first question relates primarily to the data liability cover of the policy and to the triggering of the covers for legal liability.
If any of these scenarios has taken place, the next question to be satisfied is whether it has been received by or served on the Insured (Insured primarily includes the bank, the employees of the bank, any director or officer of the bank, and the legal heirs and spouses of the aforementioned).
If the answers to both of the above are yes, then you could proceed to step 4 directly.
If the answer is no, then proceed to step 2.
Step 2: Is it a qualifying event?
These are specific triggers for certain covers under the policy, and any one of these "qualifying" events would trigger the coverage. The following scenarios would be deemed to be a yes:
• Is it a qualifying breach of data security (i.e. unauthorized access by a third party to the Company's Computer System, or use or access of the Company's Computer System outside the scope of the authority granted by the Company)?
• Is it a breach of Data Protection Law (all central, state and regulatory laws or general industry compliance, especially international data notification laws)?
• Is it a newsworthy event (i.e. the actual or threatened public communication or reporting in any media, related to the aforesaid triggers, that could tarnish the goodwill and reputation of the bank)?
• Is it an Extortion Event?
• Is it a material interruption (as defined in the policy) of the computer systems due to a security failure?
If the answer to any of the above is yes, then you could proceed to step 4 directly.
If the answer is no, then proceed to step 3.
Step 3: If the answers to steps 1 and 2 are no, can the scenario lead to the triggering of a claim?
The CISO is the custodian of the policy, and it is important that the CISO takes cognizance of the fact that the policy is an effective tool for risk mitigation, in that it provides certain covers where all insurance stakeholders are convinced that the event will lead to either a claim or a qualifying event. In particular, given the nature of a qualifying event, certain aspects of establishing a qualifying breach of data security can only be deduced after the event, once it has been investigated.
If the answer to the above is yes, then you could proceed to step 4 directly.
Step 4: Is the event occurring during the policy period?
It is important that the claim is received, or the qualifying event takes place, during the policy period; only if this is the case would the claims process continue in its standard form, as such is the nature of a liability insurance policy.
If the answer to the above is yes, then you could proceed to step 5 directly.
Step 5: Claim Notification Process
The following are the ideal steps for a claim notification process:
• Immediately inform the concerned central team about the circumstances by e-mail, and such notification should include:
  a. Dates
  b. Acts and/or Circumstances
  c. Persons involved
  d. Mitigating practices implemented, if any.
• Key points to remember through the process:
  a. The Insured should not admit liability to, or enter into any settlement with, a third party without the consent of the insurers. It is important, therefore, to avoid being drawn into discussions with any third-party claimant, or potential third-party claimant, about the merits of a claim
  b. Any formal letters of demand should be merely acknowledged, with a statement that the matter will be investigated and that a further response will follow. Any correspondence between the insured and the (potential) claimant should be given to the insurer when notifying a claim or circumstance
  c. Ensure that no representative of the bank admits or assumes any liability, enters into any settlement agreement, stipulates to any judgment, or incurs any defence costs without the prior consent of the insurer.
• The concerned control group is to prepare a detailed Incident Report and record the sequence of events chronologically for future use
• Preserve all records and forensic data, and inform all stakeholders about the proper process
• Simultaneously prepare a compilation of all relevant documents, both hard and soft copies, screenshots of findings and forensic reports, and send it to the insurance stakeholders once prepared. This includes any demands, notices, summons or legal papers received in connection with the claim or a suit
• Continuously keep the central control group and the insurance stakeholders informed about any further developments and communications with third parties with respect to the claim
• The internal control group shall liaise with the broker and insurer to take the claim forward through the entire process and provide the
updates accordingly.
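The notification steps above ask for four things in the first e-mail (dates, acts, persons, mitigations), a chronological incident record, and preserved forensic data that the insurer and its forensic provider can rely on later. As an added example, not taken from the guide or from any insurer's tooling, the Python script below assembles such a package: it refuses to build a notification that lacks the mandatory items, orders the events chronologically, and records a SHA-256 manifest of every preserved evidence item so that any later alteration or loss can be detected. All incident data, evidence blobs and names in it are constructed for illustration.

```python
"""Assemble a claim-notification package: the mandatory notification items,
a chronological incident record and a SHA-256 manifest of the preserved
evidence that can be re-verified later.

Added example; the incident data below is constructed for illustration and
is not taken from any real claim."""
import hashlib
import json

# Items the first notification must carry; mitigations are "if any", so optional.
REQUIRED_FIELDS = ("dates", "acts", "persons")

# Constructed sample incident: events recorded out of order, as they often
# arrive from different teams.
EVENTS = [
    {"at": "2017-11-03T10:15:00Z", "act": "Customer complaint of an unauthorised transfer received"},
    {"at": "2017-11-03T09:40:00Z", "act": "IDS alert raised on internet-banking server"},
    {"at": "2017-11-03T11:05:00Z", "act": "Affected server isolated from the network"},
]
PERSONS = ["CISO", "Head - Legal", "SOC analyst on duty", "CISO"]  # duplicates are normal
MITIGATIONS = ["Server isolated", "Customer credentials reset"]
# Constructed evidence blobs standing in for the real files (logs, screenshots, images).
EVIDENCE = {
    "ids_alert.log": b"2017-11-03T09:40:00Z ALERT sid=1001 src=203.0.113.7 dst=ib-web-01\n",
    "transfer_screenshot.png": b"\x89PNG\r\n\x1a\n<constructed image bytes>",
    "ib-web-01-disk.img.sha256": b"<digest of the disk image held by the forensic provider>\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict) -> dict:
    """Name -> digest and size for every preserved item, in a stable order."""
    return {
        name: {"sha256": sha256_hex(blob), "bytes": len(blob)}
        for name, blob in sorted(evidence.items())
    }


def verify_manifest(manifest: dict, evidence: dict) -> list:
    """Names whose content is missing or no longer matches the recorded digest."""
    bad = []
    for name, entry in manifest.items():
        blob = evidence.get(name)
        if blob is None or sha256_hex(blob) != entry["sha256"]:
            bad.append(name)
    return sorted(bad)


def missing_fields(events, persons, mitigations) -> list:
    """Which of the required notification items would be empty."""
    filled = {"dates": events, "acts": events, "persons": persons, "mitigations": mitigations}
    return [f for f in REQUIRED_FIELDS if not filled[f]]


def build_notification(events, persons, mitigations, evidence) -> dict:
    """Chronologically ordered record plus evidence manifest; refuses an
    incomplete notification rather than sending one with gaps."""
    missing = missing_fields(events, persons, mitigations)
    if missing:
        raise ValueError(f"notification incomplete, missing: {missing}")
    timeline = sorted(events, key=lambda e: e["at"])  # ISO-8601 UTC sorts lexically
    return {
        "dates": [e["at"] for e in timeline],
        "acts": [e["act"] for e in timeline],
        "persons": sorted(set(persons)),
        "mitigations": list(mitigations),
        "evidence": build_manifest(evidence),
    }


def package_digest(notification: dict) -> str:
    """Digest of the canonical JSON form, so the copy sent to the insurer and
    the copy retained by the control group can be shown to be identical."""
    canonical = json.dumps(notification, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def build_package() -> dict:
    return build_notification(EVENTS, PERSONS, MITIGATIONS, EVIDENCE)


if __name__ == "__main__":
    note = build_package()
    print(json.dumps(note, indent=2))
    print("package digest:", package_digest(note))
```

The manifest is what makes the "preserve all records" instruction checkable: re-running `verify_manifest` against the evidence folder months later, when the claim is contested, shows whether anything was altered or lost in the meantime. Recording the package digest in the notification e-mail lets both parties prove they hold the same version.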
Claims Practices (Dos and Don'ts)
• Immediately notify the insurance stakeholders of the claim with as many details as possible, including the proposed forensic action and the commencement of the internal process
• Send screenshots if possible, and internal e-mails if the matter was reported by a whistleblower or concerned employee, and maintain/preserve evidence of every action taken or vulnerability discovered
• After the forensic service, send purchase orders and scope of work documents along with the forensic report to the insurance stakeholders, so that they can take cognizance of them and proceed with the requisite process
• Do not withhold key information, especially any mitigation and containment expenses incurred, and, as with the forensic company, ensure that all relevant copies are kept. Do not incur such expenses without informing the insurance stakeholders
• If containment costs are to be incurred, develop an SOP to demonstrate the need for mitigation of the overall risk
• Notify the insurance stakeholders of any and every development in connection with the claim, and discuss every step of the claims process with them so that there is no discrepancy in the overall process
• Do not proceed with any payment, or acceptance of payment, for any cyber expertise without informing the insurance stakeholders
• Notify customers to avoid trickle-down liability and execute a backup/emergency strategy, if you have one.
Annexure 1: Cyber Insurance Proposal Form
1. This is a proposal for a contract of insurance, in which 'proposer' or 'you/your' means the
bank proposing cover.
2. This proposal must be completed, signed and dated. All questions must be answered to
enable a quotation to be given, but completion does not bind you or the insurer to enter
into any contract of insurance. If space is insufficient to answer any questions fully,
please attach a signed continuation sheet.
3. All facts material to the proposed insurance must be disclosed, fully and truthfully, to the best of your knowledge and belief. Failure to do so may make the contract of insurance voidable or severely prejudice your rights in the event of a claim. A material fact is one likely to influence the insurer's assessment or acceptance of the proposal.
Bank Information
Name of Bank (Insured):___________________________________________________________________________
Principal address:__________________________________________________________________________________
Date of establishment:_____________________________________________________________________________
Locations of overseas offices (please list countries):________________________________________________
Business Information
Please provide a clear description of the business activities
____________________________________________________________________________________________________
____________________________________________________________________________________________________
Please provide the following information of your bank:

                                    INDIA    USA    EU¹    ROW²
Employee Numbers
Turnover
Turnover from Web based trading
Estimate of customer numbers
Total Assets
Insurance Programme
1. Please provide the following information:

                          Limit      Deductible   Current   Current   Current
                          Requested  Requested    Insurer   Premium   Retention
Standard Cyber Covers
Business Interruption

2. Discovery Period Opted: 60 Days / 90 Days / 120 Days / 180 Days / 365 Days
3. Waiting Period Under Business Interruption Loss: 6 / 12 / 18 / 24 / 36 Hours
4. Retroactive Date:
Policies and Procedures
1. Do the employees/IT staff have restricted access to sensitive data (including physical records)?
2. Do you have a process to delete system access within 48 hours after employee termination?
3. Do you perform background checks on all employees and contractors whose work involves critical IT infrastructure?
4. Has any of the IT staff members been terminated in the last 12 months? If yes, were any of these
decisions made as a result of malicious or dishonest actions?
5. Has data security and information technology risk in general been added to your bank risk
register?
6. Do you have a written data protection/information security policy?
7. Does the policy (or in the absence of a policy do you) provide guidance on the following:
                                                                      Yes   No   Comments
Responsibilities of the Information Security Officer or equivalent
Network security (access rights, passwords, encryption, etc.)
Mobile device security (inc. laptops, smart phones and memory devices)
Use and storage of personally identifiable information and notification in case of a breach
Employee's use of social networking websites
Use of unsecured Wi-Fi networks
Data backup procedures (please comment on how often backup takes place and whether this is offsite)
Data and Network
• Do you hold or process any of the following types of sensitive CONSUMER data?
If so, approx. number of records including:
(a) Financial information (including credit/debit card records)
(b) ID, bank information
(c) Names, addresses, contact numbers
• Do you utilise encryption in the following scenarios?
(a) Sensitive data is encrypted at rest within your network? Yes/No
(b) Sensitive data is encrypted on backup tapes? Yes/No
(c) Sensitive data is encrypted when transmitted outside of your network? Yes/No
(d) Sensitive data is encrypted when transferred to portable media devices, USBs, Laptops,
etc.? Yes/No
If No to any of the above, please provide mitigating comments.
• Do you monitor, restrict or block employees' ability to remove data via network end-points such
as USB drives? Yes/No
• Can you confirm if you comply with the following minimum security standards?
(a) You use anti-virus, anti-spyware and anti-malware software and it is updated regularly.
Yes/No
(b) You use firewalls and other security appliances between the internet and sensitive data.
Yes/No
(c) You use intrusion detection or intrusion prevention systems (IDS/IPS) and these are
monitored. Yes/No
(d) You perform regular backups and periodically monitor the quality of the backups.
Yes/No
If the answer is No to any of the above, please detail below along with mitigating comments:
• Do you allow remote access to your network?
(a) No
(b) Yes, to employees only
(c) Yes, to employees and other third parties
If YES, what security measures are utilised to keep such remote access secure?
Payment Card Information
a) Do you collect credit/debit or any other type of payment information? Yes / No
If “YES”, please provide details:
b) Do you process payments on behalf of any other individual or organisation? Yes / No
If “YES”, please provide details:
c) Are you fully compliant with the applicable Payment Card Industry Data Security
Standards (PCI DSS)? Yes/No
d) Is compliance self-certified? Yes/No
If NO, who carries out the certification?
Outsourcing/Third Party Service Providers
• Please provide details of the vendors for the following services or mention “In-House” if it is
managed and operated in-house
(a) Internet service provider
(b) Cloud/Hosting/Data centre provider
(c) Payment processing
(d) Data or information processing (such as marketing or payroll)
(e) Offsite archiving, backup and storage
• Does the bank require those providing data collection or data processing functions
(outsourcers) to maintain their own data protection liability insurance? Yes/No
• Does the bank require indemnification from outsourcers for any liability attributable to them?
Yes/No
• How does the bank select and manage outsourcers?
Website
• Please list your website addresses and estimated current monthly unique visitors:
(a) Website address
(b) Estimated current monthly unique visitors
• Please detail your website functionality: Tick if applicable
(a) Basic brochure website
(b) Third-party advertising on your website
(c) User content allowed (chat rooms, bulletin boards, discussion forums, etc.)
(d) Large content volumes published
(e) Large media download/streaming volumes
(f) Client log-in area
(g) Transactional, accepting payment cards.
• Do you publish third-party content on your website? Yes/No
If YES, do you have procedures in place in respect of securing rights for using such content?
Yes/No
• Does your website allow third parties to post comments or content directly to your website?
Yes/No
If YES, do you offer a mechanism for website viewers to flag content they are unhappy with?
Yes/No
Describe how you manage such issues when brought to your attention:
• What percentage of your turnover emanates from online or e-commerce activities?
• Typically, how often is your website changed in terms of content or functionality? Are changes
checked by a second person before they are “put live”?
Claims and Insurance History
• Have you previously been insured for cyber risks? Yes/No
If YES, please provide the following:
Limit of indemnity: Insurer:
Excess: Period of Insurance:
• Regarding all the types of insurance covers to which this proposal form relates, are you or any of
the partners, principals, or directors, after having made full enquiries (including of all staff), aware of
any of the following matters? If YES to any of the below, please provide full details:
(a) Any claims (successful or otherwise) or cease and desist orders made against the
bank, its predecessor, or present or past partners, principals, or directors. Yes/No
(b) Any circumstances which may give rise to a claim against the bank, its predecessor or
any past or present partner, director, principal or employee. Yes/No
(c) Any loss or damage that has occurred to the bank or its predecessor. Yes/No
(d) Any privacy breach, virus, DDoS, or hacking incident which has, or could, adversely
impact your business. Yes/No
(e) Any evidence of network intrusion or vulnerabilities highlighted in an IT Security Audit
or penetration test which have not yet been resolved. Yes/No
(f) Any unforeseen down time to your website or IT network of more than three hours.
Yes/No
Declaration
I, the undersigned, hereby confirm that I am duly authorised and do give consent to the use of
information as set out above.
I also hereby declare that I am authorised to complete this proposal on behalf of the proposer. I
undertake to inform the insurer of any material alteration or addition to these statements or
particulars which occurs before the commencement of the period of insurance. It is hereby
acknowledged and agreed that the terms, conditions, limitations and exclusions of the policy may be
subject to alteration at any time prior to the commencement of the period of insurance should any
such material alterations or additions arise. Signing of this proposal does not bind the insurer to offer
or the applicant to accept insurance.
Signed* Date:
Name and Designation:
(*The signatory should be a Director or Senior Officer of the Bank.)
CONTRIBUTORS

Mentor
Dr. A.S. Ramasastri, Director, IDRBT

Members
K. Mahipal Reddy, Deputy General Manager I, IRDA
Rashmi Iyer, Executive Director & Principal Officer, Global Insurance Brokers Pvt. Ltd.
AS Manoj, Senior Vice President & Head – Liability, Global Insurance Brokers Pvt. Ltd.
Akshay Verma, Assistant Manager – Liability, Global Insurance Brokers Pvt. Ltd.
Vaishali Vora, Assistant Vice President - Liability Underwriting, HDFC Ergo General Insurance Co. Ltd.
A Sreenivasa Rao, Senior Manager, Bajaj Allianz General Insurance
Lakshmi Subramanian, Chief Manager, United India Insurance Co. Ltd.
Sayed Avez, CISO, ICICI Lombard General Insurance
Seema Gaur, Deputy Manager, United India Insurance Co. Ltd.
Sarvesh Gupta, Deputy General Manager & CISO, Bank of Baroda
Vallabh Kolhatkar, Deputy General Manager and CISO, Bank of Maharashtra
Rajesh Thapar, President & CISO, Yes Bank
V. Murali Krishna Rao, Assistant General Manager, CISO, Andhra Bank
Prem Nath Pandey, Chief Manager, State Bank of India
P. Parthasarathi, Chief Technology Officer, IDRBT
Dr. B. M. Mehtre, Professor, IDRBT
Dr. Rajarshi Pal, Assistant Professor, IDRBT
Latest Publications from IDRBT

IDRBT Staff Paper Series

Vol. 2 No. 2 January 2017: Cloud Computing
Cloud Computing Adoption in Indian Banks - A Survey
  - Dr. G. R. Gangadharan, Associate Professor; Shri S. Lalit Mohan, Senior Domain Expert    03
Analytics in Cloud
  - Dr. V. Ravi, Professor    35
Mobile Cloud Computing
  - Dr. V. N. Sastry, Professor    58
Cloud Computing Security
  - Dr. P. Syam Kumar, Assistant Professor    90

Vol. 3 No. 1 October 2017: Biometrics
A Survey on Biometrics
  - Dr. Rajarshi Pal, Assistant Professor    01
Voice based Authentication
  - Dr. V. N. Sastry, Professor    54
Biometric Template Protection for Banking
  - Dr. M. V. N. K. Prasad, Associate Professor    102
Biometrics and Its Impact in India
  - Dr. S. Ananth, Adjunct Faculty    119
IDRBT Journal of Banking Technology
Latest Frameworks from IDRBT
All these Publications can be accessed from www.idrbt.ac.in
Institute for Development and Research in Banking Technology (Established by Reserve Bank of India)
Castle Hills, Road No. 1, Masab Tank, Hyderabad - 500 057, India.
EPABX : +91 - 40 - 2329 4999, Fax : +91 - 40 - 23535157
www.idrbt.ac.in, E-mail : [email protected]