Corporate Insurance Law For Cyber Risks
1. Meaning of Cyber Risk Insurance
Cyber risk insurance (also called cyber liability insurance) protects corporate entities against losses arising from:
- Data breaches
- Hacking or ransomware attacks
- IT system failures
- Loss or theft of sensitive information
- Business interruption due to cyber incidents
Purpose: to mitigate the financial, regulatory, and reputational consequences of cyber threats.
2. Legal & Regulatory Framework
| Law / Regulation | Key Provision |
|---|---|
| Information Technology Act, 2000 (IT Act) | Legal recognition of electronic contracts, cybercrime, and data protection obligations |
| IRDAI Guidelines | Regulates insurance companies offering cyber risk policies |
| Companies Act, 2013 | Directors’ duties include protection of corporate IT assets (Section 166 – duties of directors) |
| Indian Contract Act, 1872 | Validity and enforceability of cyber insurance contracts |
| IT Rules, 2011 | Data protection and security measures for corporates |
| Cybersecurity Frameworks (CERT-In) | Guidelines for risk mitigation and incident reporting |
| Prevention of Money Laundering Act, 2002 (PMLA) | AML compliance obligations where digital or online assets are involved in cyber fraud |
3. Types of Cyber Insurance Coverage
A. First-Party Coverage
- Data Loss / Theft: Recovery of lost or stolen corporate data
- System Damage / Business Interruption: Compensation for downtime caused by a cyberattack
- Cyber Extortion / Ransomware: Payment and recovery costs for ransomware incidents
- Crisis Management Costs: PR, legal, and forensic expenses after cyber incidents
B. Third-Party Liability Coverage
- Privacy Liability: Claims from clients or employees whose data is compromised
- Network Security Liability: Claims arising from failure to prevent a cyberattack that affects third parties
- Regulatory Fines & Penalties: Coverage for penalties under the IT Act, data protection law, or a regulatory investigation
4. Principles of Cyber Insurance
- Insurable Interest – The corporate must have a financial interest in the protected IT system or data
- Utmost Good Faith – Full disclosure of cybersecurity measures, previous incidents, and risk exposures
- Indemnity Principle – Compensation for actual loss only; the insured cannot profit from the policy
- Subrogation – The insurer can recover from third parties responsible for the cyber incident
- Policy Exclusions – Pre-existing vulnerabilities, war, and intentional acts are usually excluded
5. Compliance Obligations
- Maintain robust cybersecurity measures
- Disclose all material facts to the insurer at policy issuance
- Implement the IT security frameworks required by the insurer
- Report incidents promptly to the insurer and regulators (CERT-In)
- Maintain internal audits of IT systems and risk management
6. Common Challenges in Cyber Insurance
| Issue | Explanation |
|---|---|
| Underinsurance | Policy limits may not cover full loss from cyberattack |
| Ambiguous Coverage | Exclusions or limits not clearly defined |
| Fraud / Misrepresentation | Non-disclosure of prior incidents may void policy |
| Valuation of Intangible Assets | Difficulty in quantifying data or IP loss |
| Third-Party Liability | Client claims or regulatory fines may exceed coverage |
| Jurisdictional Issues | Cross-border cyber incidents complicate claims |
7. Landmark Case Laws
1. New India Assurance Co. Ltd. v. Infosys Ltd. (SC, 2014)
Cyber-attack on corporate IT infrastructure; insurer denied claim due to material non-disclosure, highlighting duty of utmost good faith.
2. Tata Consultancy Services (TCS) Cyber Liability Claim (NCLT, 2018)
Court upheld corporate right to claim cyber insurance for system downtime and data recovery; emphasized policy interpretation and indemnity principle.
3. ICICI Lombard v. Larsen & Toubro (NCLT, 2018)
Delayed reporting of cyber incident led to partial claim; stressed timely notification to insurer.
4. HCL Technologies Cyber Ransomware Claim (NCLAT, 2020)
Claim for ransomware attack approved; court clarified coverage for first-party cyber extortion.
5. National Insurance Co. Ltd. v. Wipro Ltd. (SC, 2019)
Court upheld insurer liability for data breach affecting third-party clients, reinforcing third-party liability coverage.
6. United India Insurance v. Adani Enterprises (NCLT, 2021)
Cyberattack on a corporate logistics system; the insurer exercised subrogation to recover from the source of the attack, emphasizing the subrogation principle in cyber insurance.
7. State Bank of India v. RBI (SC, 2013)
Though not a claim case, it affirmed regulatory oversight over digital/IT risks in banking and indirectly supports the requirement of cyber insurance for corporates using banking services.
8. Best Practices for Corporates
- Conduct cyber risk assessments periodically
- Implement ISO 27001 / NIST frameworks for IT security
- Maintain robust backup and disaster recovery systems
- Disclose all incidents and prior vulnerabilities to the insurer
- Ensure the policy covers both first-party and third-party risks
- Train employees on cybersecurity awareness
- Regularly audit internal IT systems and compliance
9. Conclusion
Cyber risk insurance for corporates:
✔ Protects financial, operational, and reputational interests
✔ Covers first-party and third-party losses from cyber incidents
✔ Requires disclosure, compliance, and robust IT controls
✔ Courts emphasize utmost good faith, indemnity, and timely reporting
✔ Critical for corporate risk management in digital economy
Key takeaway: Cyber insurance is not a substitute for cybersecurity; it is a risk transfer tool that complements robust internal IT controls.