CERTIFICATE

ACKNOWLEDGEMENT
I would like to take the opportunity to express my sincere gratitude to
all those who have contributed greatly towards the successful
completion of this dissertation.

I would especially like to thank Kanwar Vikram Singh Rana, my mentor, for his encouragement and guidance. I owe much credit, for the successful completion of this project, to him.

I would also like to thank the entire faculty of Reliance Life Insurance for their continued encouragement and guidance.

Last but not least I would like to thank my friends for listening to me
and encouraging me all through the dissertation.

(Jashan Jot Lekh)

EXECUTIVE SUMMARY

The Internet is changing the way that companies conduct their business, bringing greater opportunities to cut costs and win new revenue. Indeed, most companies today have a web presence, and are either transacting e-business or seeking to develop an e-commerce strategy.

However, this new business medium also brings a significant increase in risk, not only for those companies that have a World Wide Web presence, but also for those that use the Internet, electronic mail, an intranet or extranet. More and more sensitive and valuable data is being stored on corporate networks. Corporations have a responsibility for protecting this data.

As society changes, so do the crimes that people commit. And as the Internet takes on an ever more important role, computer crime is emerging as the misdemeanor of choice. Computer networks, the Internet, e-mail and websites are exposed to damage and liabilities from unexpected sources such as defamation, hacking, fraud or virus attack. These risks can leave corporations with huge legal liabilities and serious loss to their own assets.

Traditional insurance products do not address Internet exposures, and the risks involved in Internet business have blossomed with the Net itself. That is why there is a need for Cyber Insurance.

Cyber Insurance addresses the first- and third-party risks associated with e-business, the Internet, networks and informational assets. Cyber Insurance coverage offers cutting-edge protection for exposures arising out of Internet communications. The risk category includes privacy issues, the infringement of intellectual property, virus transmission, or any other serious trouble that may be passed from first to third parties via the Web.

The need for cyber insurance is increasingly being felt by industries all over the world, but it is still picking up very slowly because of the various nuances involved.

The legal structure required for dealing with cyber crime and cyber insurance is non-existent or poorly defined. Traditional legal systems have had great difficulty in keeping pace with the rapid growth of the Internet and its impact throughout the world. While some laws and objectives have been enacted and a few cases have been decided that affect the Internet, they leave most of the difficult legal issues to the future. In India, cyber laws are contained in the Information Technology Act, 2000. In May 2000, both houses of the Indian Parliament passed the Information Technology Bill. The Bill received the assent of the President of India in August 2000 (IT Act 2000). The IT Act 2000 aims to provide the legal infrastructure for e-commerce in India. At this juncture, it is relevant to understand what the IT Act, 2000 offers and its various perspectives, in order to understand its implications for cyber insurance.

There are few insurance providers for cyber risks and the pricing is on the higher side. There is no past actuarial data from which to find any kind of pattern and price products accordingly.

Despite the challenges that come with every new insurance line, cyber insurance is slowly growing in demand. As companies become more acclimated to the e-business arena and as their exposure increases, "cyber insurance will finally make it to the boardroom level of discussion".

METHODOLOGY
CYBERINSURANCE IN IT SECURITY MANAGEMENT

APPROACH

Data is collected in 2 ways:

• Primary data sources
• Secondary data sources

DATA COLLECTION
Data is collected from various IT companies, banks, insurance companies etc. Some are given below:
• MICROSOFT
• AVIVA LIFE INSURANCE
• RELIANCE MONEY
• ICICI PRUDENTIAL LIFE INSURANCE
• INTERGLOBE TECHNOLOGIES

DATA SOURCES
Primary data sources
The data was collected in the following ways:

• Meeting the concerned Managers of Reliance Life Insurance.
• By mailing the survey forms to the concerned persons.
• Making cold calls on their toll-free lines (as customers).

Secondary data sources

The secondary source of data was collected through the Internet, books, magazines and newspapers. It is compiled in the form of literature review, findings, and articles on the security measures adopted by the companies.

After collecting the data, it was analyzed in order to arrive at an informative conclusion. Statistical techniques were used to analyze the data and the results are shown by pie charts according to the responses on the survey forms.

INTRODUCTION
Institutions today operate in a global, networked economy. Networked
computing is now firmly embedded in virtually every business process.
Providing a secure and trusted platform for conducting transactions
and exchanging information is basic to the value proposition of every
institution. The platform, however, is only partly based at the
institutions’ physical locations. It has expanded to include a distributed
computing system that enables e-commerce with customers, suppliers
and partners, which, more and more, is standard operating procedure.
Physical limitations have been largely removed by the Internet and by
the ability of institutions to connect their own electronic platforms to
the Internet’s vast public structure, allowing information to flow easily
among internal and remote users.

The Information Technology revolution that started in the later years of the last century fueled an accelerated growth in network technologies and the Internet. This phenomenon, especially in the latter part of the 1990s, has had a significant impact on the way we work today. There has been an irreversible change in the way people conduct business, communicate with each other, share knowledge, trade information and even socialize. We have become more information driven, geographies are shrinking and communities are migrating to "cyberspace", which means that accessing and sharing information have become the very necessities of our lives today.

Most of the outcomes of this information revolution have been very positive; however, it comes with its own set of challenges and issues. One of the biggest challenges in this global networked community is providing safety and security such that all participating entities can interact, communicate and transact their business with utmost confidence. In the real world we have systems, policies and procedures in place to ensure safety and security for people, businesses and communities. In cyberspace, however, simply extending the same policies and processes does not work. Security threats keep growing, making it difficult for companies to keep pace with the ever-increasing risks. While these companies might prefer to avoid IT security and privacy risks altogether, that is extremely difficult. Therefore, having effective risk management strategies in place, including insurance risk transfer, is an important step toward managing the exposures associated with doing business in today's networked world.

CYBER RISK
The increasing dependence on electronic processes and network-based technology has brought about new challenges for companies of all shapes and sizes. The major challenge is how to manage cyber risk: the risks, liabilities and solutions associated with electronic processes and interactions arising from conducting business activities through computer networks and the Internet.

Cyber risk exposure impacts virtually every aspect of an organization: assets, operations, finances, human resources, brand equity and so on. Cyber risk runs deep into the organization and includes risk to both physical and non-physical assets. The hardware is the easy part of this equation; what matters is the data and the availability of the network. Unfortunately, many companies still think cyber risks concern only physical assets, whereas the emphasis should be on the importance of data, which represents all the intellectual property of the firm and everything of value that is stored in electronic form.

The consequences of a security breach can be financially catastrophic to any organization, and not only through loss arising from litigation expenses and fines; a security breach can also wreak havoc on a company's operations and cause an interruption of business and loss of income. Since most company operations are now dependent on the availability of electronic data and computer network resources, a failure of security can inhibit the company's ability to conduct business altogether.

Perhaps most importantly, a security attack or breach can ruin a company's reputation, causing it to lose customer trust. "The brand equity of the firm is not insurable." "So as companies evolve into using Internet and network-based technology they have their reputation, image, customer trust and goodwill on the line." These are important to any business, particularly in the financial services industry. No one wants to deal with a firm that has serious problems securing its customers' privacy.

Financial Consequences

The financial costs associated with unauthorized access to and use of a computer network have been enormous. However, obtaining statistics on the cost of information security breaches is difficult, because companies are reluctant to publicly disclose these occurrences. The data that is available about security and privacy incidents is only the tip of the iceberg of what really happens.

There is very little credible reporting of unauthorized network access, and whether it is law enforcement related or not, it does not provide a clear picture of the total harm associated with these kinds of exposures. However, the Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's Computer Intrusion Squad conduct a survey every year allowing the respondents to participate under complete anonymity. This CSI/FBI Computer Crime and Security Survey discloses the scope of what approximately 700 large corporations and public entities think about this risk. It shows that there is a tremendous amount of unauthorized computer use, theft of proprietary information and denial of service attacks, which continue to be a big problem for financial companies. According to the 2006 CSI/FBI Survey, 56 percent of companies reported some form of unauthorized computer use. Theft of proprietary information caused the greatest financial loss, with the average reported loss being approximately $3.7 million.

Technology Limitations

Contrary to what some might believe, technology alone cannot eliminate security risk. Securing information is not as simple as buying a security software program. There are still people at the board level of organizations who think that if they buy something, whatever it is, it is the cure. This is a technology, people and process issue all wrapped up into one.

Buying a technology solution isn't the magic cure. This doesn't mean that companies should put security as a low priority in their IT budget. It is alarming how little of their IT budget companies actually spend on security; in some cases spending is even less than 10%. There is a huge problem in determining how much money is spent on this kind of risk in the organization.

Application Development

Another issue is how applications are developed. Not all applications have the risk management of IT security and privacy built into them, and in some cases it is baked in after the fact. There have been applications that were launched and did what they were supposed to do, but when they did so, customers were looking at the social security numbers or credit card numbers of other customers. In other words, no one had really done the kind of beta testing that they needed to do on this issue, or built IT security and privacy into the business case and the business requirements. Applications have been launched without the best care and standards of testing built in. Of course, once something goes wrong the application is pulled back and examined to see what was wrong with it, but this is not the right way to learn about security problems, particularly if the organization is involved in financial services.

Managing Cyber Risk

There are several things that can help a company manage network security risk. Any risk management plan first has to be supported by senior management. Second, a team approach is needed. A team approach is important because everyone has a stake in this security and privacy risk: operations, IT, finance, internal audit, the lawyers, etc. all have a vested interest. There isn't one aspect of this risk that can be operated without the others.

There is a great need for communication between the people working for the organization. Unfortunately, in certain companies there is a lack of communication between departments such as finance, legal and technology. This absence of contact can cause the technology department to believe that it is solely responsible for managing this risk, even though IT staff may have neither the background nor the expertise to handle security and privacy issues.

Companies should spend capital wisely on managing risk. "You could spend a lot of money on things that don't make you any safer." Also, application evaluations should be done regularly. There are companies that actually go through an analysis of risks as part of their business case for new applications. They put the risks up alongside the rewards and then talk about building certain safeguards into them. The application itself does not go live until the risk committee of the organization says it can go live.

The following list of risk management activities can help a company begin developing a solid risk management plan:
• Outline the existing and emerging applications and activities.
• Review the company's perspective of risks and controls across business units.
• Identify key/priority risks.
• Assess security and privacy risk controls with security specialists.
• Review disaster recovery/continuity planning for networks.
• Evaluate present insurance relative to the risk.
• Consider insurance products that are available for network security risks from a first- and third-party perspective.

WHAT IS CYBER INSURANCE
Cyber insurance is an insurance scheme for the entities operating in cyberspace.

Cyberspace has its own cyber crimes, and dealing with them needs a new way of thinking. In addition to technological solutions, one of the proposed mechanisms to address this challenge is Cyber Insurance.

Traditional insurance products do not address Internet exposures, and the risks involved in Internet business have blossomed with the Net itself. That is why there is a need for Cyber Insurance.

These days almost all companies are somehow connected to the Internet through e-business, and this intensive use of the Internet all over the world has significantly increased the vulnerability of organizations to cyber crimes, thereby making corporate executives focus on information security issues.

There are some questions in the minds of executives, such as:

• How can a company protect itself from the vulnerability of economic loss because of the increased attacks through the Internet?
• How can an organization protect itself from E-Theft, E-Vandalism and Denial-of-Service attacks, and manage its security risk?

Traditional insurance companies cover mostly physical types of risks and exposures. They do not cover issues of cyber terrorism, cyber risk and hacking, and that is where Cyber Insurance comes in. It covers denial-of-service (DoS) attacks that bring down e-commerce sites, electronic theft of sensitive information, virus-related damage, losses associated with internal networks crippled by hackers or rogue employees, privacy-related suits, and legal issues associated with websites, such as copyright and trademark violations.

Most crime insurance has nothing to do with stealing information. It only has to do with stealing things: money, securities and tangible property. Most traditional insurance policies do not cover information theft.

Cyber insurance can even take some security decisions out of IT's control and place them in the hands of insurance adjusters and actuarial tables, which price the damages caused by cyber risks such as hacking and DoS attacks. Cyber insurance comes into play wherever the risk lies in cyberspace.

Like its real-world equivalents, a cyber insurance company provides both insurance and risk management services against various types of cyber risks. From a process point of view, the first thing that an insurance company does before quoting a policy to a client is to assess the client by asking them to answer a few pages of questionnaires. This self-assessed questionnaire is sent to the risk analysis department for analysis. After this analysis, the risk analysis department comes up with a solution for the existing security model of that client. At this juncture the insurance company makes a package for its client and quotes the price for that policy.

There are plentiful cyber insurance policies already being offered in the market, such as Lloyd's e-comprehensive, Chubb's cyber security, AIG's Net Advantage Security, Hiscox's hackers insurance, Legion Indemnity's INSURE trust, Marsh's Net Secure and St. Paul's Cyber tech. These companies basically cover first- and third-party policies. Their policies can provide coverage for first-party business interruption, first-party electronic data damage, first-party extortion, third-party network security liability, third-party (downstream) network liability, third-party media liability, professional errors & omissions, and financial loss resulting from data damage, destruction, corruption and loss of income related to network security. Apart from the coverage, some insurers provide free or discounted risk management services including online and onsite security assessment.

Evolution, trends, and current status

Before the late 1990s, little commercial demand existed for property or
liability insurance specifically covering losses from network security
breaches or other IT-related problems. However, the rapid growth of e-
commerce, followed by distributed denial-of-service (DDoS) attacks
that took down several leading commercial Web sites in February
2000, kindled significant interest in such coverage. The Y2K computer
problem, although ultimately resulting in little direct damage or loss,
brought further attention to cyber risk issues and pointed out the
limitations of existing insurance coverage for IT failures.

Potential liability from IT security breaches has increased as a result of such federal legislation as the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act, which mandate protection of sensitive personal medical and financial records. California also passed a Security Breach Information Act requiring prompt public disclosure of any breach that might have compromised computer-based personal information about a California resident. This California law, which went into effect in July 2003, essentially sets a national requirement for any business or other organization that maintains a database with identifiable individual records.

Starting around 1998, a few insurance companies developed specialized policies covering losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures. Coverage was spotty and limited, but premiums were high. Moreover, numerous legal disputes arose over whether such losses could come under general commercial property or liability policies that were written to cover direct physical damage to tangible assets.

By 2002, in response to the legal uncertainties, insurers had written specific exclusionary language into their commercial property and liability policies to exclude coverage of "electronic data," "computer code," and similar terms as tangible property. Computer code is deemed to be intangible. Property and casualty policies were never written to assess these exposures and were never priced to include them.

As a consequence, businesses now generally buy stand-alone, specialized policies to cover cyber risks. According to Betterley Risk Consultants surveys, the annual gross premium revenue for cyberinsurance policies has grown from less than US$100 million in 2002 to US$300 to 350 million by mid 2006. These estimates, which are based on confidential survey responses from companies offering cyberinsurance, are nearly an order of magnitude below earlier projections made by market researchers and industry groups such as the Insurance Information Institute. Cyberinsurance will be one of the fastest growing segments of the property and casualty market over the next several years. With only 29% of respondents to the most recent CSI/FBI Computer Crime and Security survey reporting that their organizations use external insurance to help manage cyber security risk, the market has plenty of room for growth.

Benefits of cyberinsurance
In other areas, such as fire protection, insurance has helped align
private incentives with the overall public good. A building owner must
have fire insurance to obtain a mortgage or a commercial business
license. Obtaining insurance requires that the building meet local fire
codes and underwriting standards, which can involve visits from local
government and insurance company inspectors. Insurance
investigators also follow up on serious incidents and claims, both to
learn what went wrong and to guard against possible insurance abuses
such as fraud. Insurance companies often sponsor research, offer
training, and develop best-practice standards for fire prevention and
mitigation. Most important, insurers offer lower premiums to building
owners who keep their facilities clean, install sprinklers, test their
control systems regularly, and take other protective measures. Fire
insurance markets thus involve not only underwriters, agents, and
clients, but also code writers, inspectors, and vendors of products and
services for fire prevention and protection. Although government
remains involved, well-functioning markets for fire insurance keep the
responsibility for and cost of preventive and protective measures
largely within the private sector.

As with fire insurance, the prospective benefits of well-functioning markets for cyberinsurance can accrue to stakeholders both individually and collectively. They include:

• A focus on market-based risk management for information security, with a mechanism for spreading risk among participating stakeholders.
• Greater incentives for private investments in information security that reduce risk not only for the investing organization but also for the network as a whole.
• Better alignment of private and public benefits from security investments.
• Better quantitative tools and metrics for assessing security.
• Data aggregation and promulgation of best practices.
• Development of a robust institutional infrastructure that supports information security management.

Thus cyberinsurance can, in principle, be an important risk-management tool for strengthening IT security and reliability, both for individual stakeholders and for society at large.

NATURE OF CYBER INSURANCE

The Insurance Industry can play a pivotal role in securing cyberspace by creating risk transfer mechanisms, working with government to increase corporate awareness of cyber risks and collaborating with leaders in the technology industry to promote best practices for network security.

The insurance industry is attempting to understand the nature of cyber crime issues and how to more accurately design insurance policies for the future. In an effort to protect against unlawful electronic or physical activity, organizations are now taking a closer look at how their implementations are performing and what is needed to protect confidential assets. The ill effects have proven costly to the insurance industry. Due to globalization, organizations are facing greater challenges to ensure protection of critical information against unauthorized breaches.

Insurance companies are realizing the need to implement greater assessment capabilities to determine the state of an organization's security infrastructure when the organization requests coverage.

In the case of cyber insurance, there is very little historical data. Estimating the damage due to virus attacks is very difficult. The perceptions of possible future risks are equally volatile. Companies and insurers have no real answers.

Cyber insurance is very different from "property insurance". Property coverage is designed for the purposes of business interruption, where an organization incurs a direct loss. It covers losses to physical assets from physical perils, not information assets and electronic risk.

Insured's Issues

In recent years, organizations have recognized the level of importance associated with the risk of doing business electronically and the security requirements needed to establish a safe and competitive presence. Recent regulations and standards have also forced many organizations to rethink the way they do business. They appreciate that there are threats that could disable their ability to continue participating as an electronic business. Organizations are able to acquire coverage even if they have merely met the minimum standards established by the insurance industry. Electronic users are beginning to realize that their information is important to them.

It is necessary to identify the two inter-related aspects of computer incidents, that is, accidental and intentional. Computer-related events such as loss of data from power blackouts may be characterized as accidental. The other form is intentional, for example, an attacker breaches a network's defenses and infiltrates internal servers and networking devices. The latter could also affect critical infrastructures that support general populations, a potentially catastrophic situation. As technology improves, the speed at which data is processed increases. Therefore it is necessary for organizations to ensure that they are keeping pace with technology and continue to be vigilant in updating procedures, training, and maintaining an awareness of the perils of the Internet.

Insurance Policy Coverage
Earlier, insurance had been restricted to medical, life and protection against damage to assets. But due to globalization, technology improvement, the Internet, and the rapid growth of e-commerce, the scenario has changed completely.

The Internet and e-commerce have helped companies to expand their reach among a large population and explore alternative business opportunities. Most of the outcomes of the Internet and e-commerce are very positive; however, they also come with their own set of challenges and issues. Companies face threats ranging from cyber extortion, e-business interruption and denial of service attacks to programming errors, incorrect recommendations and even inappropriate installation and training. Many companies have faced ransom demands from cyber squatters who occupy domain names on the Internet that should rightfully belong to the company.

Starting around 1998, a few insurance companies developed specialized policies covering losses from computer viruses or other malicious code, destruction or theft of data, business interruption, denial of service, and/or liability resulting from e-commerce or other networked IT failures. Coverage was spotty and limited, but premiums were high.

Now insurance companies offer numerous variations of coverage according to the organization's needs, i.e. the level of protection the company requires against losses. The insurer may not necessarily request a security assessment report, but it may need to see some proof of infrastructure preparation before the application is processed. For example, an organization that provides website services and purports to have a firewall protecting all clients' information is expected to be monitoring that technology. Part of the assessment exercise is to determine whether the organization has adequate controls and procedures in place to maintain constant vigilance within the environment. Otherwise, if damage is incurred, the organization may not have the ability to recover or protect itself from technical damage and potential litigation.

The table below lists policy structures that are typical of cyber-associated insurance coverage available on the market today.

Insurance Policy Coverage Options
(These policy descriptions will vary; they are not exhaustive)

Option: General Internet Crime Liability
Description: Addresses the first- and third-party risks associated with e-business, the Internet, networks and informational assets. Limitations exist with this level of coverage. It is key to review your business activities to ensure appropriate coverage.

Option: Property
Description: Protection against damage to hard assets caused via the Internet, machinery taken down, or equipment programmed to operate erratically. Typically, this policy does not acknowledge "data" as property.

Option: Error and Omission
Description: E&O liability protects your organization from claims if your client holds you responsible for programming errors, software performance, or the failure of your work to perform as promised in your contract.

Option: Professional Liability
Description: Provides protection against claims that the policyholder becomes legally obligated to pay as a result of an error or omission in his/her professional work. Also known as Errors and Omissions insurance, this type of professional liability insurance is critical to your business. E&O insurance responds to claims of professional liability in the delivery of your technical services.

Option: Directors and Officers Liability
Description: Required by a board of directors to protect them in the event they are sued in conjunction with their duties.

Option: Business Interruption
Description: Physical damage is not the only consideration when determining potential disaster scenarios. An organization should also include death, disability or kidnapping of key personnel; defection of key personnel to a competitor; theft of trade secrets; image management (public perception).

Option: Group Personal Liability
Description: Coverage for key personnel, managers, and employees.

Option: Key Person Life Coverage
Description: This coverage is designed to protect your business upon the loss of a key employee. The tax-free proceeds from this policy can be used to find, hire and train a replacement, compensate for lost business during the transition, or finance any number of timely business transactions.

Option: Media Liability Coverage
Description: Protects you against claims arising out of the gathering and communication of information. Media Liability Insurance provides very valuable coverage against defamation and invasion of privacy claims as well as copyright and/or trademark infringement. (Investigate and clarify the level of privacy coverage before acquisition.)

Option: Network Security Coverage
Description: Protects you from losses associated with unauthorized access to or theft of your data or e-business activities, computer viruses, denial of service attacks, as well as alleged unauthorized e-commerce transactions.

Option: Fidelity or Crime Liability
Description: Protects organizations from loss of money, securities, or inventory resulting from crime.

Option: Intellectual Property
Description: Protects companies against copyright, trademark or patent infringement claims arising out of the company's operation. Covered items include all working papers, records, data, methodologies, drawings, software, documents or other writings created, developed or acquired by the company, as well as any documents, records, trade secrets, data, drawings, software or other writings created by, supplied to or made available to the company.

Option: Patent Coverage
Description: A policy which reimburses the insured for defense expenses and damages paid by the insured resulting from allegations that the insured has infringed on a patent, copyright or trademark of a third party.

21
EVOLUTION OF CYBER INSURANCE
As organizations become more dependent on their networked computer assets, technology and the Internet, there is new attention on the preservation of information and electronic assets deemed to be critical to the business. Companies are becoming more vulnerable as attacks grow more frequent and damaging. Protection from harm on any networked computer system will never be 100%. In the past decade, protection techniques have continually improved, but Internet attacks continue to increase. While some Internet security vendors are selling solutions in the form of hardware and software, Internet security protection is a continual process involving people that cannot be solved entirely with products. Most relevantly, while most organizations have focused on preventing cyber attacks solely by technical means, this is only part of an overall solution.

Individuals, businesses, and other organizations routinely use insurance to help manage risks. They buy insurance policies to cover potential losses from property damage, theft, liability etc.

IT security has traditionally referred to technical protective measures such as firewalls, authentication systems, and antivirus software to counter such attacks, and mitigation measures such as backup hardware and software systems to reduce losses should a security breach occur.

Cyber-properties do not necessarily have a physical form; attacks on them may not result in any physical damage. Many disputes have arisen between insurers and firms as to what constitutes "tangible" property and "physical" damage.

A small group of interdisciplinary thinkers has proposed using cyberinsurance as part of the overall solution to Internet security. The earliest work describing a distributed systems application of insurance to the Internet dates back to 1994. Dan Geer has been a prophet for the use of risk management, including insurance, for the Internet. He was the first to state the relevance of risk management as commonly used in other fields, especially the financial sector. Another IT specialist, Bruce Schneier, brought cyberinsurance into academic discussion and gave his views on the role of cyberinsurance. According to him, cyberinsurance increases Internet safety because the insured increases self-protection as a rational response to the reduction of premium. Cyberinsurance also facilitates standards of liability.

Business Perspectives of Cyberinsurance

There are two business perspectives of cyberinsurance:

(1) The insurer, who seeks to capture profit from premiums exceeding losses over time by spreading the risk of uncertain loss events across many independent clients.

(2) The individual or organization, who seeks to maximize their utility/profit by managing the risk of uncertain loss events.

From the insurer's perspective, cyberinsurance represents a growth opportunity since there is a growing need to protect core assets such as network infrastructure, data, and reputation. If an insurance firm can more accurately quantify the cyber-risks into attractive premiums, this opportunity may translate into a profit windfall. If premiums are priced too high, then other insurers will reap the windfalls. However, if an insurance firm is inaccurate in quantifying the cyber-risks and premiums are priced too low, then large losses may result.

Quantifying cyber-risks for the optimal premium price point is a difficult task since the assets to be protected are largely intangible, risk changes occur quickly, and evaluating the insurability of potential clients while re-evaluating risks with current clients can be resource intensive. However, balancing cost and risks is something the insurance industry has been doing for centuries.

Beyond determining the premium price point for different cyberinsurance policies, insurers are also faced with the critical challenge of spreading risk across many clients. Unfortunately for cyberinsurance, many of the recent Internet worm and virus attacks have had worldwide effects, such that it is difficult to find clients whose risks are not dependent. An insurer may seek to spread risk over different hardware and software platforms, large and small organizations, etc.

From the individual or organization's perspective, the uncertainty of cyber-risks represents real risk for damages. There are four options for managing these risks:

1) Avoiding the risk
2) Retaining the risk
3) Mitigating the risk
4) Transferring the risk for a fee.

The first option is to avoid being exposed to cyber-risks by not having any dependence on computers, networked machines, or any Internet website presence. For some people/organizations this is feasible, but for most commercial organizations this is not economically possible.

The second option is to retain the risk based on a conscious decision that it is more cost effective to absorb any loss internally, or because other risk management options are unaffordable. A person or organization may place this bet based on informed judgment or risk-seeking behavior. Unfortunately, retaining the risk is sometimes the only choice due to lack of financial resources.

The third option is to mitigate risk using managerial and technical processes. This involves investment in people and devices to identify threats and prepare counter-measures with continually improving security processes. While this option has been the exclusive focus of computer security professionals for decades

The fourth option is to transfer risk to a third party; in this case the third party is an insurance company performing this function. Insurance allows an organization to smooth payouts for uncertain events into predictable periodic costs.

One common risk management approach is to retain most of the risk while transferring some risk to a third party, because of the superior expertise and cost efficiencies of the third party.

Generally an organization employs a combination of these risk management options simultaneously, i.e. retaining some of the risk, mitigating some of the risk, and insuring the rest.

Combining the two perspectives of insurers and organizations, the primary business logic of cyberinsurance is as follows:

• As Internet connectivity increases the vulnerability of organizations to damages, organizations seek to manage this risk using cyberinsurance as one option in concert with other risk management options.

• Cyber insurers recognize the opportunity to profit from the cyberinsurance risk management option and offer policies while simultaneously developing standards for insurability. Insurers are driven to find the best metrics in order to define profitable price ranges for different coverages given supply and demand.

• The end result is a market solution with aligned economic incentives between cyber insurers and organizations. Cyber insurers seek profit opportunities from accurately pricing cyberinsurance, and organizations seek to hedge potential losses.

The Advent of Early Hacker Insurance Policies

Although specialized coverage against computer crime first appeared in the late 1970s, these policies were an extension of traditional crime insurance to electronic banking, and were designed mainly to cover against an outsider gaining physical access to computer systems. It was not until the late 1990s that hacker insurance policies designed for the Internet first appeared.

The earliest known hacker insurance policies were introduced in 1998 by technology companies partnering with insurance companies to offer clients both technology services and first party insurance, either to back up the technology company's technology or to provide a comprehensive total risk management solution to client firms. Being a new and unexplored area, these companies started out with small coverage. Thus the International Computer Security Association (ICSA), the earliest group to offer hacker-related insurance, provided only $250,000 maximum coverage per year.

Furthermore, almost all of these early hacker insurance policies covered only the insured firm's own (first party) loss.

The table below illustrates how early hacker insurance progressed from simple, small-amount coverage of losses from hacker attacks to more differentiated products with wider coverage.


Early Hacker Insurance Products

Year | Company | Description | Coverage
1998 | ICSA | TruSecure product warranty | 1st party coverage: max $20K per incident; max $250K per year
1998 | Cigna Corp / Cisco Systems / NetSolve | partnership of insurance/benefits company with technology firms; client must buy security assessment and monitoring services | 1st party (hacker damage & business interruption); $10M
1998 | J.S. Wurzler Underwriting | insurance broker | 1st party
1998 | IBM/Sedgwick | partnership between technology company and insurance firm | $5-15M
2000 | Counterpane / Lloyd's of London | partnership of security company with Lloyd's insurance | 1st party; $1-10M
2001 | Marsh McLennan/AT&T | clients who purchase from AT&T Internet data center receive a discount from insurer | 1st party
2000 | AIG | start of more comprehensive and sophisticated forms of insurance | 1st & 3rd party (infringement, libel, slander, invasion of privacy, errors & omissions); $25M

Causal Events: Increasing Risks and Legislation Compliance

Perception of risk changed dramatically after September 11th, 2001. There had been many Internet security events prior to 9/11, but afterward risks have been considered differently. Three of the most serious Internet worm attacks took place during a three month period around 9/11: Code Red in July 2001, Nimda in September 2001, and Klez in October 2001. The Slammer Internet worm appeared in January 2003. Prior to 9/11, in February 2000, a series of coordinated denial-of-service (DoS) attacks were launched against major US corporations. These attacks prevented 8 of the 10 most popular Internet websites from serving their customers and also slowed down the entire Internet.

In addition to these attacks, hackers have also engaged in attacks on authentication systems, computer intrusions, web defacements, phishing, and identity theft. Surveys reveal that 90% of businesses and government agencies have detected security breaches, 75% of these businesses suffered a resulting financial loss, 34% of organizations admit to a less-than-adequate ability to identify whether their systems have been compromised, and 33% admit a lack of ability to respond. In fact, crackers have intruded into not only businesses but even key government agencies such as the U.S. Senate, the Federal Bureau of Investigation (FBI) and the National Aeronautics and Space Administration (NASA). The Love Bug virus (2000) affected 20 countries and 45 million users and caused an estimated $8.75 billion in lost productivity and software damage.

Clearly, Internet risks increased during 2000-2003, resulting in a need for individuals and organizations to manage this increased risk. Simultaneous with the increasing risk from Internet attacks has been regulation about the legal use and retention of electronic information.

The Sarbanes-Oxley Act, HIPAA, the Gramm-Leach-Bliley Act and others mandate that financial information, patient records, and other client-related information must be handled in a secure manner. Penalties include corporate, civil, and criminal sanctions. To meet these responsibilities, risk management in the form of both mitigation and insurance is required. Firms affected by these laws are held to a higher standard. Other firms not specifically covered by the regulations may have a general common law duty to protect the information under their control.

The relevant legislation and descriptions are given below:

Insurance products specifically designed for the Internet were converted into more sophisticated cyberinsurance products after 9/11, although there is always a need to add components to the insurance product. The increasing risks and compliance requirements are the primary causal factors affecting this change in the development of cyberinsurance.

More Sophisticated Cyberinsurance Policies

Some examples of the new cyberinsurance products include American International Group (AIG) Inc.'s NetAdvantage, Lloyd's of London's e-Comprehensive, and products from InsureTrust.com, J.H. Marsh & McLennan, Sherwood, CNA, and Zurich North America. Premiums can range from $5,000 to $60,000 per $1 million of coverage depending on the type of business and the extent of insurance coverage.

The recent cyberinsurance products have become more sophisticated compared to the early hacker insurance products. Unlike the first hacker insurance products, which focused on first-party losses, recent cyberinsurance products cover both first party and third party insurance, and offer higher coverage. First party coverage typically covers destruction or loss of information assets, Internet business interruption, cyber extortion, loss due to DoS attacks, reimbursement for public relations expenses, and even fraudulent electronic fund transfers. Third party coverage typically covers claims arising from Internet content, Internet security, technology errors and omissions, and defense costs.

Summary Table of Recent Cyberinsurance Policies

Another noticeable feature of recent cyberinsurance products is that they have narrow coverages designed to target different kinds of consumers. One reason for this practice is that insurers are able to exclude coverage of unforeseeable events by narrowly defining the insurance coverage. Another rationale is that by defining coverage more specifically, cyber insurers are able to engage in product differentiation and thus offer their products to specific markets. For example, cyber insurers have created products that are specifically meant to target firms concerned about damage to their own systems, products designed for firms who only want third party liability coverages, and products designed to cover media liability.

The table below provides an example of how cyber insurers engage in product differentiation to capture different segments of the market. AIG has offered different types of cyberinsurance products to capture different segments of the market with varying insurance needs.

Firms having cyberinsurance products have the following advantages:

(a) The ability to transfer risk to an insurer, so they feel sheltered.
(b) The capability to take fast action against a threat.
(c) Continuous monitoring by experts.
(d) Expediency, since traditional insurance does not provide adequate protection against e-risks.

Current industry estimates reveal a growing demand for cyberinsurance products. According to Betterley Risk Consultants surveys, the annual gross premium revenue for cyberinsurance policies has grown from less than US$100 million in 2002 to US$350 million by the end of 2006.

Issues in Developing Coverage

In developing cyberinsurance from the traditional insurance products to the early hacker insurance policies to where it is now, cyber insurers had several important implementation issues to address. These implementation issues and the mechanisms cyber insurers are using to deal with them are:

Adverse Selection

In an ideal world, parties to a contract have perfect information relevant to the decision. However, in many circumstances, one party may possess less than full information on the nature of the product being contracted.

In insurance settings, these problems arise when insurers are unaware of whether an applicant is high-risk or low-risk. Since the applicant knows whether he/she is high-risk or low-risk while the insurer does not, there is an information asymmetry between them that leads to adverse selection.

When these situations arise, insurers would offer two types of contract:

1) A low premium, low coverage contract designed to cover the low risk firms.

2) A high premium, high coverage contract to target the high-risk ones.

In equilibrium, the high risk firms choose a contract that has full insurance coverage, while the low risk ones choose a contract that has only partial coverage. That is, the low risk firms suffer, because while the high risk firms get full coverage, low risk firms do not.

To address the adverse selection problem, cyber insurers require applicants to undergo thorough, detailed, and extensive risk assessments. As a condition of developing coverage, cyber insurers evaluate the applicant's security through a myriad of offsite and on-site activities with a view to reviewing the applicant's vulnerabilities. The risk assessment is done by the applicant filling in an application form with a detailed security questionnaire, some consisting of about 250 queries, to assess security risks and cyber protections.

This is the mechanism cyber insurers use to work around the adverse selection problem. The rigorous security assessment allows insurers to distinguish between high and low risk applicants. By employing a clever mechanism of checking the applicants' security, insurers are able to avert the market failure that results from adverse selection and thus protect themselves from losses.

Moral Hazard

The second major problem that insurers need to address in developing cyberinsurance coverage is the "moral hazard" problem. The problem is that when firms are covered by insurance they may either intentionally cause the loss or take fewer measures to prevent the loss from occurring. For example, a firm that is covered by insurance may either not invest in security infrastructure or have no incentive to maintain or upgrade its existing level of security.

The differences between the moral hazard problem and the adverse selection problem are:

(1) Costs
(2) The incentive structure.

Addressing adverse selection requires a sunk-cost investment in decision support infrastructure to determine the risk classification of potential applicants, which may not need to be revised very often.

In contrast, the moral hazard problem requires investment in infrastructure to observe applicants, which may need to be revised continuously. The adverse selection problem concerns the incentive of the insured to hide information about its risk type from the insurer, whereas the moral hazard problem concerns the incentive of the insured to slack in its actions. In insurance, the device to work around the moral hazard problem is for insurers to observe the level of care that the insured takes to prevent the loss and tie the insurance premium to that amount of self-protection care. This way, the presence of insurance can in fact increase the level of self-protection that the insured takes rather than decrease it.

The presence of cyberinsurance increases the amount spent on self-protection by the insured firms as an economically rational response to the reduction of the insurance premium, and thus results in higher levels of IT security in society. Thus, the detailed risk assessment conducted by insurers in developing cyberinsurance coverage works both to identify the risk type of the insured and, insofar as the risk classification is tied to the premium, to give the insured an incentive to adopt a higher level of security.

In examining current industry practice as well as several of the provisions of the cyberinsurance policies, we find that insurers are able to address the moral hazard problem by instituting several mechanisms in the cyberinsurance contract. By requiring applicants to undergo ex ante security assessment, cyber insurers charge premiums according to risk classifications. Firms with fewer cyber protections, with a greater percentage of their business online, or in a highly regulated business subject to high penalties, such as financial firms, are considered to be higher risk.

A typical cyber insurer would categorize an applicant firm into one of several risk classifications and tie the premiums to the level of the firm's security, giving discounts to firms that have superior security processes. For instance, a new dot-com with no credit card transactions is categorized differently from Amazon.com. Insurers also utilize monitoring of the firm's security processes, third-party security technology partners, rewards for information leading to the apprehension of hackers, and expense reimbursement for post-intrusion crisis-management activities.

Ex post, cyber insurers also conduct surveys of the insured's information infrastructure, either as part of regular annual surveys of the insured's premises, as part of a decision to continue and/or modify their coverage, or in processing a loss or a claim.

Two provisions incorporated in the standard insurance policies are designed to address the moral hazard problem:

1) Insurers stipulate in the contract that they are not liable for losses or claims arising from the insured's failure to maintain a level of security equal to or superior to that in place at the inception date of the policy.

2) Insurers stipulate that insured firms cannot claim payment for a loss or claim associated with failure to take reasonable actions to maintain and improve their security.

CYBER CRIME
Life is about a mix of good and evil. So is the Internet. For all the good
it does us, cyberspace has its dark sides too. Unlike conventional
communities though, there are no policemen patrolling the information
superhighway, leaving it open to everything from Trojan horses and
viruses to cyber stalking, trademark counterfeiting and cyber
terrorism.

United Nations’ Definition of Cyber crime

Cyber crime spans not only state but national boundaries as well. So it is necessary that an international organization provide a standard definition of cyber crime. At the Tenth United Nations seminar a workshop was conducted on the issues of crimes related to computer networks. Cyber crime was broken into two categories and defined as:

a. Cyber crime in a narrow sense (computer crime): Any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them.

b. Cyber crime in a broader sense (computer-related crime): Any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession [and] offering or distributing information by means of a computer system or network.

Of course, these definitions are complicated by the fact that an act may be illegal in one nation but not in another.

A simple definition of cyber crime is "unlawful acts wherein the computer is either a tool or a target or both." In simple words, any criminal activity that uses a computer either as an instrumentality, target or a means for perpetuating further crimes comes under the purview of cyber crime.

TYPES OF CYBER CRIME

Cyber Crime refers to all activities done with criminal intent in cyberspace. These fall into three slots:

1. Those against persons.
2. Those against business and non-business organizations.
3. Crimes targeting the government.

There are different forms of cyber crime where the computer is either a tool or target or both.


Financial Claims:

This would include cheating, credit card frauds, money laundering etc.

Cyber Pornography:

This would include pornographic websites and pornographic magazines produced using computers and the Internet (to download and transmit pornographic pictures, photos, writings etc.).

Sale of illegal articles:

This would include the sale of narcotics, weapons and wildlife etc., by posting information on websites and bulletin boards or simply by using e-mail communications.

Linking:

The process by which a web site user clicks on a "link" (an icon, or underlined/highlighted text) and is transferred to another web page.

Intellectual Property Crimes:

These include software piracy, copyright infringement, trademark violations etc.

E-Mail spoofing:

A spoofed email is one that appears to originate from one source but actually has been sent from another source. This can also be termed E-Mail forging.

Forgery:

Counterfeit currency notes, postage and revenue stamps, mark sheets etc., can be forged using sophisticated computers, printers and scanners.

Cyber Stalking:

Cyber stalking involves following a person's movements across the Internet by posting messages on the bulletin boards frequented by the victim and entering the chat-rooms frequented by the victim.

Cyber squatting:

Use of trademarks belonging to others in registering a domain name (a web site's address on the web).

Unauthorized access to computer system or network:

This activity is commonly referred to as hacking. Indian law has, however, given a different connotation to the term hacking.

Theft of information contained in electronic form:

This includes information stored in computer hard disks, removable storage media etc.

E-Mail bombing:

Email bombing refers to sending a large number of e-mails to the victim, resulting in the victim's e-mail account or mail server being overwhelmed.

Data diddling:

This kind of attack involves altering the raw data just before it is processed by a computer and then changing it back after the processing is completed.

Salami attacks:

These attacks are used for the commission of financial crimes. The key here is to make the alteration so insignificant that in a single case it would go completely unnoticed, e.g. a bank employee inserts a program into the bank's servers that deducts a small amount from the account of every customer.

Denial of Service:

This involves flooding computer resources with more requests than they can handle. This causes the resources to crash, thereby denying authorized users the service offered by the resources.

Virus/worm:

Viruses are programs that attach themselves to a computer or a file and then circulate themselves to other files and to other computers on a network. They usually affect the data on a computer, either by altering or deleting it. Worms, unlike viruses, do not need a host to attach themselves to.

Logic bombs:

These are event-dependent programs. This implies that these programs are created to do something only when a certain event occurs, e.g. some viruses may be termed logic bombs because they lie dormant all through the year and become active only on a particular date.

Trojan Horse:

A Trojan, as this program is aptly called, is an unauthorized program which functions from inside what seems to be an authorized program, thereby concealing what it is actually doing.

Examples
Fraud and Extortion

• Two hackers cracked the computer systems of a major market


research firm and subsequently obtained confidential corporate
records. The stolen files included employee photographs,
network passwords and personal credit card numbers of
numerous senior managers. The hackers threatened to reveal
the security breach to the company's clients unless the Board of
Directors paid them a "consulting fee" of $200,000. Upon
retaining expert cyber-crime investigators, the hackers were
apprehended and prosecuted. The research firm spent
approximately $1,000,000 in investigative and public relations
fees.

Denial-of-Service Attacks, Sabotage and Business


Interruptions

• A hacker overwhelmed several large web sites through multiple


distributed denial of service (DDOS) attacks. The culprit hijacked
various computers throughout the world to bombard target
servers with seemingly legitimate requests for data. It is
estimated that the DDOS attacks, which interrupted the sites;
ability to efficiently conduct their business, caused over $1.2
billion in lost business income.

Viruses

• The Love Bug virus (also known as the "I Love You" virus) spread
rapidly through corporate email systems, infecting networks of
hundreds of companies around the world. This attack was
followed a few days later by as many as 11 copycat versions of
the virus. It is estimated that the series of attacks collectively
cost billions of dollars in lost business income and extra
programming time.

Privacy Violations--Unauthorized Access to Customer


Information

• A bank employee obtained unauthorized access to the computer


system in order to search for potential clients for a friend in the
real estate business. The employee provided confidential
information regarding consumers to the friend. The scheme was

38
discovered after the confidential information was leaked to
another party and subsequently used as a part of an identity
theft scheme.

Intellectual Property Infringement

• An online service allowed a famous author to advertise a book in


one of its forums. The online service was sued for copyright
infringement by an artist who claimed that the author used
certain artwork on the cover of his book without getting the
artist's permission.

Online Trespass

• An online direct marketing company emailed solicitations on


behalf of its clients to all users of a commercial Internet service
provider (ISP). The ISP sued the marketing company for online
trespassing. The court found that the marketing company was
liable for trespass and damage to the ISP's reputation.

Unauthorized Access

• An employee of a major financial institution obtains account


information and credit card account numbers for 68 accounts
from the bank's computer systems without authorization or in
excess of her authorization. The information is used in a scheme
to defraud the bank, and results in the fraudulent acquisition of
good valued at approximately $100,000.

Hacking/Breach of Network Security and Extortion

• Russian hackers gain unauthorized access to the computer


systems of various financial institutions and others. Using this
unauthorized access, the hackers obtain account information for
over 56,000 credit cards as well as personal financial information
of consumers. The hackers used the information to defraud
Internet payment services as well as to control/manipulate
Internet auctions. In addition, the hackers attempted to extort
money from the victims with threats of exposing information
publicly, or damaging the victim’s computer systems.

39
Identity Theft

• A person was arrested for stealing at least 20 identities, 12 of


which were Boston lawyers, to support a lifestyle of Porsches,
first-class flights and Miami Beach nightlife. The thief spent more
than a year eluding the police.

• Three identity thieves were arrested: a Social Security employee


in Claymont, DE allegedly stole personal information from
agency computers; two other men were accused of stealing
hundreds of identities through their airport cleaning business.
They are charged with 17 counts of identity theft, 51 counts of
theft and forgery, bad-check and computer-fraud offenses.

Unauthorized Access

• An employee detonated a "logic bomb" which erased all of his


company's contracts, including the proprietary software used by
their manufacturing tools. In addition to monetary loss, the
company was forced to lay off 80 employees and lost its
competitive edge in the electronics market space.

• A security breach on its computer system exposed 12,000
subscription orders last year. Personal data, including credit card
numbers, were exposed, and several customers were the victims
of identity theft.

Cyber Crime Statistics (India)
As per NCRB records (2006), 453 cyber crimes were registered across
the country, including 162 under the IT Act and 291 under IPC. The
report also said a total of 565 people were arrested across the country
in 2006 on charges of cyber crime. Registrations were down by 28
cases compared to the previous year.

Madhya Pradesh registered the largest number of cyber crimes (131)
in 2006 followed by Andhra Pradesh (116). The largest state of Uttar
Pradesh, which had four cyber cases in 2005, did not register a single
case in the same year. Around 38 cases relate to Obscene Publication /
Transmission in electronic form, normally known as cases of cyber
pornography. 85 persons were arrested for committing such offences
during 2006.

Of the 291 cases registered under IPC, the majority of the crimes fall
under 3 categories, viz. Criminal Breach of Trust or Fraud (156),
Forgery (71) and Counterfeiting (64). Though these offences fall under
the traditional IPC crimes, the cases had a cyber dimension, in that a
computer, the Internet or related aspects were present in the crime,
and hence they were categorized as Cyber Crimes under IPC.

As per NCRB records (2005), 481 cyber crimes were registered across
the country including 179 under the IT Act and 302 under IPC. Of this,
155 were registered in Gujarat alone including two under IT Act and
153 under IPC. The figures throw up some other interesting aspects.
The highest number of arrests too is from Gujarat. Of the 551 total
arrests including 178 under IT Act and 373 under IPC, 302 are from
Gujarat only.

As per the National Crime Records Bureau statistics, during the year
2005, 179 cases were registered under the IT Act as compared to 68
cases during the previous year, thereby reporting a significant increase
of 163.2% in 2005 over 2004. During 2005, a total of 302 cases were
registered under IPC sections as compared to 279 such cases during
2004, thereby reporting an increase of 8.2% in 2005 over 2004.

In 2007, there were significantly more browser attacks than in 2006.
Although NCRB data is yet to come, there is an increase of around
10-15% in cyber crime in the year 2007.

During 2006, the number of cases under Cyber Crimes relating to
Counterfeiting of currency/stamps stood at 53, wherein 118 persons
were arrested during 2006. Of the 47,478 cases reported under
Cheating, Cyber Forgery (71) accounted for 0.14 per cent. Of the
total Criminal Breach of Trust cases (13,432), Cyber Frauds (156)
accounted for 1.1%. Of the Counterfeiting offences (2,055), Cyber
Counterfeiting (64) offences accounted for 3.1%.

The age-wise profile of the arrested persons showed that 53% were in
the age-group of 30-45 years, 33% of the offenders were in the age-
group of 45-60 years and 12% of offenders were aged 60 years and
above. 2% of offenders were below 18 years of age. It is also found
that both the youngest (below 18 years) and the oldest (above 60
years) cyber criminals come from Gujarat.

Although the statistics show cyber crime to be on the decline, the true
story is far different. It is found that in India, cyber crime is heavily
under-reported. A survey conducted on the reporting of cyber crime
found that only 10% of the cases were reported, and that only one
percent got registered as FIRs. The reason behind this is that the
victim is either scared of police harassment or of adverse media
publicity which could hurt their reputation and standing in society.
Also, it becomes extremely difficult to convince the police to register
any cyber crime, because of a lack of orientation and awareness about
cyber crimes and their registration and handling by the police.

The establishment of cyber crime cells in different parts of the country,
like Bangalore, New Delhi and Mumbai, is expected to boost cyber
crime reporting and prosecution. However, law enforcement agencies
are not yet well equipped and oriented for cyber crime. There is an
immense need for training, and more cities need to have such cells.
The Government needs to create special tribunals headed by trained
individuals to deal solely with cyber crimes, with powers to levy
heavier penalties in exceptional cases. "Unless there is solid
deterrence, cyber crime will rise steeply." There is also a need for IT-
savvy lawyers and judges, as well as training for government agencies
and professionals in computer forensics. The Government needs to
ensure that there are more specialized procedures for the prosecution
of cyber crime cases. This is very necessary to win the faith of the
people in the ability of the system to tackle cyber crime.

CYBER LAW
Many countries have only recently begun to realize the capability of
the Internet, and at the same time they have not understood the
damaging risks, resulting in weak laws or a complete absence of laws
regarding cyber crime and electronic commerce. This causes great
obstacles to international cooperation with respect to jurisdiction and
geographies.

Technology suits will be played out in the courts as the legal system
tests the boundaries of new legislation in the field of cyber law.
Industry should expect to experience litigation initiated by parties
ranging from large corporations to individuals pursuing the need to
protect their personal assets. Small to midsized organizations should
not assume that they are exempt from potential litigation or that this
scenario will only affect large corporations.

The United States is reportedly driving organizations in every sector of
its economy to obtain cyber security insurance. In Canada there
appears to be no such public guidance coming from the political
powers. Perhaps in the future cyber insurance will become as
commonplace as home insurance policies. In terms of cyber law and its
treatment within the courts, the judges who must apply the law to
legal disputes on the Internet will have to use preexisting legal
foundations in order to establish precedent. In its current state, the
legal principles that govern conduct and ecommerce over the Internet
are undergoing, and will continue to undergo, reformation as
judgments are handed down.

Privacy-Related Regulations in U.S.A

Regulations are the reason most companies have begun evaluating
cyber risk and spending more on security. Financial services
companies and healthcare institutions are at the top of the list when it
comes to regulatory priority. Because these organizations hold
substantial financial, personal and medical data about their customers,
they face an array of privacy-related regulations, including the Gramm-
Leach-Bliley Act and the Health Insurance Portability and
Accountability Act of 1996 (HIPAA).

Gramm-Leach-Bliley

It is particularly important to banks, credit unions and other companies
involved in financial services. As most know, it requires companies to
give consumers privacy notices that explain the institution's
information-sharing practices. Customers, in turn, have the right to
limit some sharing of their information. It is also being translated into
state-by-state regulation of insurance companies and brokers. Banking
regulators and the FTC enforce it. It carries with it penalties and
enforcement actions, and the state attorneys general also have the
ability to pursue this issue. This typically gets companies to take their
network security more seriously.

HIPAA

It is another privacy-related regulation, this one concerned with
healthcare. HIPAA is concerned with the administrative simplification
of transactions in healthcare organizations. It also deals with the
privacy of healthcare information, as well as the security needed to
protect it. A particularly interesting aspect of HIPAA is that it creates
concepts of accountability that can put offenders in jail. Ultimately
HIPAA can entail criminal fines and criminal actions against the board.
Hospitals, managed care institutions and physician groups are going to
be held accountable for any weakening of the chain of trust. The chain
of trust is the concept that the originators of medical information are
responsible for the people who give it to them, whether they are
vendors, suppliers or other people in the relationship chain.

California Disclosure Law

A very interesting security-related law is the "California Database
Protection Act of 2003," previously called SB 1386, which became
effective July 1, 2003. This bill was passed without a lot of political
protest in California after several ugly instances involving consumer
data, which showed up later in the hands of perpetrators involved in
identity theft. Ironically, the last instance before the bill was passed
involved the state of California's own database of employees.

The California Database Protection Act of 2003 requires any business
that stores confidential personal information about California residents
in electronic form to contact those residents upon noticing a breach of
its computer systems. The company does not have to be in California;
it only has to deal with a California resident. The incident must be
reported if unencrypted personal information is involved, information
such as name and address associated with a social security number,
driver's license number or other data that could be used for identity
theft purposes.

This California law says, in effect: "if you suspect that you have a
breach associated with a customer's electronically stored personal
information, as defined by the statute, then you are required to
provide notice to each customer whose personal information may have
been compromised." A violation of the statute could subject a company
to a private civil action in the state of California brought by an
individual or a group.

LEGAL SCENARIO IN INDIA
The Constitution of 1950 does not expressly recognize the right to
privacy. However, the Supreme Court first recognized in 1964 that
there is a right of privacy implicit in the Constitution under Article 21 of
the Constitution, which states, "No person shall be deprived of his life
or personal liberty except according to procedure established by law”.

There is no general data protection law in India. In June 2000 the
National Association of Software and Service Companies (NASSCOM)
urged the government to pass a data protection law to ensure the
privacy of information supplied over computer networks and to meet
European data protection standards. The National Task Force on IT and
Software Development had submitted an "IT Action Plan" to Prime
Minister Vajpayee in July 1998 calling for the creation of a "National
Policy on Information Security, Privacy and Data Protection Act for
handling of computerized data." It examined the United Kingdom Data
Protection Act as a model and recommended several cyber laws
including ones on privacy and encryption. No legislative measures,
however, have been considered to date.

There is also a right of personal privacy in Indian law. Unlawful attacks
on the honor and reputation of a person can invite an action in tort
and/or criminal law. The Public Financial Institutions Act of 1993
codifies India's tradition of maintaining confidentiality in bank
transactions.

In early 2000, the government passed the Information Technology Act,
a set of laws intended to provide a comprehensive regulatory
environment for electronic commerce. The Act has brought radical
change in the position of the virtual electronic medium.

The highlights of the Act are the issues relating to:

1. Digital Signatures
2. E-Governance
3. Justice Delivery System
4. Offences & Penalties
5. Amendments in the various Acts.

In March 2000 the Central Bureau of Investigation set up the Cyber
Crime Investigation Cell (CCIC) to investigate offences under the IT Act
and other high-tech crimes. The CCIC has jurisdiction over all of India
and is a member of the Interpol Working Party on Information
Technology Crime for South East Asia and Australia. Similar cells have
been set up at the state and city level, for example in the state of
Karnataka and the city of Mumbai.

In June 2002 the central government authorized the National Police
Academy in Hyderabad to prepare a handbook on procedures to
handle digital evidence in the case of computer and Internet-related
crimes. The government is also considering establishing an Electronic
Research and Development Centre of India to develop new cyber-
forensic tools. India's Intelligence Bureau is reported to have
developed an e-mail interception tool similar to the Federal Bureau of
Investigation's Carnivore system, which it claims to use in anti-terrorist
investigations. In April 2002, India and the United States launched a
cyber-security forum to collaborate on responding to cyber security
threats.

With the boom in the Information Technology Sector and the increasing
protests against off-shoring to India, both in the US and the UK, BPO
companies in India have stepped up security measures for protection
of their data, thereby somewhat contributing to protect privacy. As
India has increasingly become a base for outsourcing operations, in
2004 there have been discussions in government circles that
amendments to the Information Technology Act would have to be
introduced to ensure protection of data and preservation of privacy.

NASSCOM, India's premier software body, has pushed for some
time for a privacy law, which has been stalled within political circles.
However, it is now more likely that the law is coming close to being
enacted, after NASSCOM made certain suggestions to the government.

India has made strides in the direction of protecting privacy, albeit at a
slow pace. With the BPO boom and other promising economic trends, it
is logical to expect that India would soon be looking at coming up with
further legal provisions aimed at preservation of privacy.

Brief Analysis of I.T. Act 2000
“The May of this millennium, India witnessed the enactment of
Information Technology Act. An Act that is a class of legislation of its
own. An act to govern and regulate the high-tech virtual electronic
world.... the cyber world.”

The main objective of the Act is to provide legal recognition for
transactions carried out by means of electronic data interchange and
other means of electronic communication, commonly referred to as e-
commerce, which involve the use of alternatives to paper-based
methods of communication and storage of information, and to facilitate
electronic filing of documents with the Government agencies.

Digital Signatures

With the passing of the Act, any subscriber (i.e., a person in whose
name the Digital Signature Certificate is issued) may authenticate an
electronic record by affixing his Digital Signature. Electronic record
means data, record or data generated image or sound, stored, received
or sent in an electronic form or microfilm or computer-generated
microfiche.

Electronic Governance

Where any law provides for submission of information in writing or in
typewritten or printed form, from now onwards it will be sufficient
compliance with the law if the same is sent in an electronic form.
Further, if any statute provides for affixation of a signature on any
document, the same can be done by means of a Digital Signature.

Similarly, the filing of any form, application or other document
with the Government Authorities, the issue or grant of any license,
permit, sanction or approval, and any receipt acknowledging payment
can be done by the Government offices in electronic form.
From now onwards, retention of documents, records or information as
provided in any law can be done by maintaining electronic records.
Any rule, regulation, order, by-law or notification can be published in
the Official Gazette or Electronic Gazette.

The Act, however, provides that no Ministry or Department of the
Central Government or the State Government, or any Authority
established under any law, can insist upon acceptance of a document
only in the form of an electronic record.

Regulation of Certifying Authorities

The Central Government may appoint a Controller of Certifying
Authority who shall exercise supervision over the activities of
Certifying Authorities.

Certifying Authority means a person who has been granted a licence
to issue a Digital Signature Certificate. The Controller of Certifying
Authority shall have powers to lay down rules, regulations, duties,
responsibilities and functions of the Certifying Authority issuing Digital
Signature Certificates. The Certifying Authority empowered to issue a
Digital Signature Certificate shall have to procure a license from the
Controller of Certifying Authority to issue Digital Signature
Certificates. The Controller of Certifying Authority has prescribed
detailed rules and regulations in the Act, as to the application for
license, suspension of license and procedure for grant or rejection of
license.

Digital Signature Certificate

Any person may make an application to the Certifying Authority for
issue of a Digital Signature Certificate. The Certifying Authority, while
issuing such certificate, shall certify that it has complied with the
provisions of the Act.

The Certifying Authority has to ensure that the subscriber (i.e., a
person in whose name the Digital Signature Certificate is issued) holds
the private key corresponding to the public key listed in the Digital
Signature Certificate and that such public and private keys constitute a
functioning key pair. The Certifying Authority has the power to
suspend or revoke a Digital Signature Certificate.
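The requirement just described, that the Certifying Authority satisfy itself the subscriber holds the private key matching the public key to be certified and that the two form a functioning pair, is the one point in the Act where the certifier must do something technical rather than administrative. The Go program below is an added example written for this page; it is not text from the Act, nor code from any licensed Certifying Authority. It assumes a challenge-signature method: the CA draws fresh random bytes, the applicant signs them with the private key, and the CA verifies the signature with the public key that will appear in the certificate. (In practice the same proof of possession is usually carried by the applicant signing the certificate request itself.) All function and variable names are constructed, and both key pairs are generated inside the program.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added example: a proof-of-possession check a Certifying Authority can run
// before listing a public key in a Digital Signature Certificate. The method
// (challenge signature) and all names are assumptions for illustration.

// newChallenge draws fresh random bytes for one application, so a signature
// captured from an earlier application cannot be replayed as proof.
func newChallenge() ([]byte, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	return challenge, nil
}

// signChallenge is the subscriber's step: sign SHA-256(challenge) with the
// private key using RSA PKCS#1 v1.5.
func signChallenge(priv *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// keyPairFunctions is the CA's step: the pair is accepted only if the
// signature over the challenge verifies under the public key that will
// appear in the certificate.
func keyPairFunctions(pub *rsa.PublicKey, challenge, sig []byte) bool {
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// proveAndCheck runs the exchange for one applicant: the applicant signs
// with priv, and the CA checks against claimedPub, the key the applicant
// asked to have certified.
func proveAndCheck(priv *rsa.PrivateKey, claimedPub *rsa.PublicKey) (bool, error) {
	challenge, err := newChallenge()
	if err != nil {
		return false, err
	}
	sig, err := signChallenge(priv, challenge)
	if err != nil {
		return false, err
	}
	return keyPairFunctions(claimedPub, challenge, sig), nil
}

// demoProofOfPossession generates two constructed key pairs and reports
// whether the CA accepts (a) the applicant's own public key and (b) a
// public key belonging to someone else, submitted by an applicant who does
// not hold its private key.
func demoProofOfPossession() (ownAccepted, foreignAccepted bool, err error) {
	applicant, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	someoneElse, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	ownAccepted, err = proveAndCheck(applicant, &applicant.PublicKey)
	if err != nil {
		return false, false, err
	}
	foreignAccepted, err = proveAndCheck(applicant, &someoneElse.PublicKey)
	return ownAccepted, foreignAccepted, err
}

func main() {
	own, foreign, err := demoProofOfPossession()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("own public key accepted:", own)         // true
	fmt.Println("someone else's key accepted:", foreign) // false
}
```

The second case is the one that matters for the Act's requirement: a public key can be copied from anywhere, so the CA must see a signature produced on a value it chose itself, and verify that signature under exactly the key it is about to certify. A fixed or applicant-chosen challenge would let a stored signature be replayed; a verification against any key other than the one going into the certificate would certify a pair that does not function.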

Penalties and Adjudication

If any person, without the permission of the owner, accesses the
owner's computer, computer system or computer network, or
downloads copies or any extract, or introduces any computer virus, or
damages a computer, computer system or computer network data etc.,
he shall be liable to pay damages by way of compensation not
exceeding Rupees One Crore to the person so affected.

For the purpose of adjudication, the Central Government can appoint
any officer, not below the rank of Director to the Government of India
or any equivalent officer of any State Government, to be an
Adjudicating Officer. The Adjudicating Officer, while trying cases of
this nature, shall consider the amount of gain or unfair advantage, or
the amount of loss that a person may suffer. The aforesaid provisions
were not incorporated in the Information Technology Bill, 1999, and
were suggested by the Select Committee of Parliament.

The Cyber Regulations Appellate Tribunal

Under the Act, the Central Government has the power to establish the
Cyber Regulations Appellate Tribunal. The Tribunal shall have the
power to entertain the cases of any person aggrieved by the Order
made by the Controller of Certifying Authority or the Adjudicating
Officer.

Offences

Tampering with computer source documents shall be punishable with
imprisonment up to three years or a fine up to Rs. 2 lakhs or with both.
Similarly, hacking with a computer system entails punishment with
imprisonment up to three years or with a fine up to Rs. 2 lakhs or with
both.

Publishing of information which is obscene in electronic form shall be
punishable with imprisonment up to five years or with fine up to Rs. 1
lakh, and for a second conviction with imprisonment up to ten years and
with fine up to Rs. 2 lakhs.

Offence Section under IT Act

Offence                                           Section under IT Act
Tampering with Computer source documents          Sec. 65
Hacking with Computer systems, Data alteration    Sec. 66
Publishing obscene information                    Sec. 67
Un-authorized access to protected system          Sec. 70
Breach of Confidentiality and Privacy             Sec. 72
Publishing false digital signature certificates   Sec. 73

Computer Related Crimes Covered under IPC and Special Laws

Offence                                   Section / Law
Sending threatening messages by email     Sec 503 IPC
Sending defamatory messages by email      Sec 499 IPC
Forgery of electronic records             Sec 463 IPC
Bogus websites, cyber frauds              Sec 420 IPC
Email spoofing                            Sec 463 IPC
Web-Jacking                               Sec 383 IPC
E-Mail Abuse                              Sec 500 IPC
Online sale of Drugs                      NDPS Act
Online sale of Arms                       Arms Act

INDUSTRY THREAT STATISTICS
The CSI/FBI 2006 Computer Crime and Security Survey references
respondents' insights into cyber crime incidents and the financial
effects on their organizations. There were 700 security practitioners
who offered their responses, from U.S. corporations, government
agencies, and financial, health and educational institutions.

The long-term trends considered in the survey include:

• Unauthorized use of computer systems.
• The number of incidents from outside, as well as inside, an
organization.
• Types of attacks or misuse detected.
• Actions taken in response to computer intrusions.
• How organizations evaluate the performance of their
investments in computer security.
• The security training needs of organizations.
• The level of organizational spending on security investments.
• The impact of outsourcing on computer security activities.
• The role of the Sarbanes-Oxley Act of 2002 on security activities.
• The use of security audits and external insurance.
• The portion of the IT (information technology) budget
organizations devote to computer security.

DETAILED FINDINGS OF SOME OF THE IMPORTANT ISSUES ARE

The survey finds that people are still not very keen to purchase cyber
insurance. As the graph shows, only 29% of companies are insured by
cyber insurance products; the rest still depend on traditional methods
like firewalls, antivirus, cryptography and others. Still, more companies
are insured compared to 2005, when just 25% of companies were
insured. Thus the 2006 survey indicates that cyber insurance is gaining
momentum, and many believe that take-up will improve over time.

This question was aimed at determining the typical size of an
organization’s information security budget relative to the
organization’s overall IT budget.
• 32% of respondents indicated that their organization allocated
between 1% and 5% of the total IT budget to security.
• Only 21% of respondents indicated that security received less
than 1 percent of the IT budget.
• 34% of respondents indicated that security received more than 5
percent of the budget.
• 12% of the respondents indicated that the portion was unknown
to them.

• Firms with annual sales under $10 million spent an average of
approximately $1566 per employee ($502 in operating expense,
$746 in capital expenditures, $318 in awareness training) on
computer security.
• Firms with annual sales between $10 million and $99 million
spent an average of approximately $572 per employee ($241 in
operating expense, $220 in capital expenditures, $111 in
awareness training) on computer security.
• Firms with annual sales between $100 million and $1 billion
spent an average of approximately $148 per employee ($92 in
operating expense, $34 in capital expenditures, $22 in
awareness training) on computer security.
• The largest firms—those with annual sales over $1 billion—spent
an average of about $218 per employee ($142 in operating
expense, $58 in capital expenditures, $18 in awareness
training).

The smallest firms report computer security expenditures per employee
substantially higher than all other categories. This finding makes a lot
of economic sense, given that there is initially a large fixed investment
that firms must ante up for security. This fixed investment gets
spread over a much larger number of employees as firms become
larger, thereby reducing the average investment per employee.
However, beyond some point, the economies of scale caused by the
fixed portion of computer security expenditures diminish.

• The survey shows that outsourcing of computer security work has
not increased over the past year. 1% of respondents indicated that
their organizations outsource more than 60% (up to 100%) of the
security function.
• 4% of respondents indicated that their organizations outsource
41% to 60% of the security function.
• 6% of respondents indicated that their organizations outsource
just 21% to 40% of the security function.
• 27% of respondents indicated that their organizations outsource
up to 20% of the security function.
• 61% of respondents indicated that their organizations do no
outsourcing of the security function.

It is found that the largest firms outsource the highest percentage of
their security function.

A number of important points may be inferred from the figure, some of
which are not readily accessible from inspection of the figure, but
which are worthy of analysis.
• First, the real story of losses is that the total losses reported
declined dramatically. Total losses for 2006 were $52,494,290 for
the 313 respondents that were willing and able to estimate
losses—down from the $130,104,542 in losses for the 269
respondents that were willing and able to estimate losses in
2005.

• The top three categories of losses—i.e., from viruses,
unauthorized access and mobile/laptop hardware theft—
swamped the losses from all other categories. Theft of
information and denial of service are the fourth and fifth highest
categories of losses.

• Although losses declined, the number of categories of cyber crime
increased: earlier there were just 17 categories, but this time there
are 19. This shows that people are finding new ways of
committing cyber crime.

KEY FINDINGS
Some of the key findings from the participants in this year's survey are
summarized below:

 Virus attacks continue to be the source of the greatest financial
losses. Unauthorized access continues to be the second-greatest
source of financial loss. Financial losses related to laptops (or
mobile hardware) and theft of proprietary information (i.e.,
intellectual property) are third and fourth. These four categories
account for more than 74 percent of financial losses.
 Unauthorized use of computer systems slightly decreased this
year, according to respondents.
 The total dollar amount of financial losses resulting from security
breaches had a substantial decrease this year, according to
respondents. Although a large part of this drop was due to a
decrease in the number of respondents able and willing to
provide estimates of losses, the average amount of financial
losses per respondent also decreased substantially this year.
 Despite talk of increasing outsourcing, the survey results related
to outsourcing are similar to those reported in the last two years
and indicate very little outsourcing of information security
activities. In fact, 61 percent of the respondents indicated that
their organizations do not outsource any computer security
functions. Among those organizations that do outsource some
computer security activities, the percentage of security activities
outsourced is rather low.
 Use of cyber insurance remains low, but may be on the rise.
 Over 80 percent of the organizations conduct security audits.
 The impact of the Sarbanes–Oxley Act on information security
continues to be substantial. In fact, in open-ended comments,
respondents noted that regulatory compliance related to
information security is among the most critical security issues
they face.
 Once again, the vast majority of the organizations view security
awareness training as important. In fact, there is a substantial
increase in the respondents’ perception of the importance of
security awareness training. On average, respondents from most
sectors do not believe their organization invests enough in this
area.

RISK EXPOSURE FOR INSTITUTION

Institution 1
• Business Activity - Offering financial services
• Number of Employees – 1 to 101
• Dependence on computers to handle daily business activities.
• Employees have access to the internet through computer system
and use e-mail in regular business communications.
• Critical business data stored electronically.

Possible business exposure: You could incur the cost to repair or
replace your computer system if it is damaged by a covered cause of
loss. This loss may result in a loss of income or damage to your
system, data, or valuable documents during the period that your
computer system is down.
Steps to help reduce risk:
1. Routinely back up your computer files and store the backups offsite.
2. Hire an IT professional or consultant to oversee your computer
hardware protection needs.
3. Make sure to store all computers, especially your server, in a dry,
secure location so that it's not in direct threat of water or fire damage.

Possible business exposure: Because e-mail is the easiest entry point
for viruses and worms to invade your system, you may be susceptible
to attacks, resulting in a financial loss, if one of your computers were
infected.
Steps to help reduce risk:
1. Install anti-virus software on all your PCs, firewalls, and e-mail
servers to block virus attacks.
2. Develop a procedure, and stick to it, to update all anti-virus software
with online software "patches".
3. Train employees on "safe computing", which includes not opening
e-mail messages or attachments from a sender you don't know.

Possible business exposure: An employee's inappropriate or malicious
use of e-mail can result in Employment Practices claims against your
company, such as sexual harassment or racial discrimination.
Steps to help reduce risk:
1. Establish and distribute personnel policies that outline guidelines
for appropriate e-mail and web usage while at work.
2. Enforce any policies you set up. Take action if guidelines aren't
followed.
3. Consider installing software which monitors online activity by
employees.

Possible business exposure: A hacker introduces a virus which destroys
all of your electronic data and files.
Steps to help reduce risk:
1. Install the latest version of firewalls on your systems to prevent
unauthorized access to your network.
2. Make sure to use online software "patches" to update your system
so you're protected against the latest strain of viruses.
3. Establish a business continuity plan which addresses this type of
exposure.

Possible business exposure: You could be sued for negligence if
someone can prove that you could have taken reasonable steps to
prevent a serious system problem for one of your clients.
Steps to help reduce risk:
1. Utilize software applications that can monitor your network
reliability and performance.
2. Train staff members to use this software.
3. Designate staff members to receive automatic pages, e-mails or
messages that alert when something is malfunctioning.

Possible business exposure: A covered cause of loss forces you to shut
down and you lose significant income because it takes time to
re-establish your operations.
Steps to help reduce risk:
1. Develop a written business contingency plan.
2. Outline response plans for virus, worm, or denial of service attacks,
data recovery, alternate power and facilities, networks, equipment
and supplies.
3. Communicate the plan to any, and all,
SECURITY ASSESSMENT
As a condition of developing coverage, cyber insurers evaluate the
applicant's security through a myriad of off-site and on-site activities
with a view to reviewing the applicant's vulnerabilities. Cyber insurers
require applicants to fill in a detailed online questionnaire, some
consisting of about 250 queries, to assess the applicants' security risks
and cyber protections, as well as conducting a top-to-bottom physical
and technical analysis of security, networks, and procedures.

The security health check starts with the applicant filling in an
application form with the detailed security questionnaire. General
background questions include information about the applicant: what
Internet sites are proposed for insurance, including number of pages,
customers/users, and page views; the annual sales and revenues,
including revenue generated from Internet activities; the IT budget and
the percentage of it earmarked for security; and what specific Internet
activities are conducted, etc.

More specific underwriting questions include information relating to:

• Content: whether the applicant is monitoring its website's
content; whether it has a qualified intellectual property attorney
and/or a written policy for removing controversial items;
• What professional services are offered: whether the applicant's
services include systems analysis, publishing, consulting,
technology professional services, data processing,
chatroom/bulletin boards, etc.;
• Whether the applicant sells/licenses software or hardware; and
whether there are hold-harmless clauses with
subcontractors.

Also the applicant have to attach, the firm’s written policy on IT


security, written policy for deleting offensive or infringing items, copy
of appraisal of IT security controls and intrusion test outcomes,
resumes of senior officers including the director of IT, and audited
financial statements.

The baseline risk assessment starts with information requests on:


• Physical security including where equipment is located, single or
multiple occupancy, whether the facility is a multi-story building,
in a corporate campus or city etc.

• Network diagram which shows the locations of operating


systems, remote access devices, placement of routers, firewalls,
web, database and email servers; which of systems reside in

62
space leased from ISP; where each IP is located and what
machines.
• Description of network activities e.g., list of IP addresses; list of
managed devices like switches, hubs, routers, firewalls,
platforms and OS including proxy servers, security scanners,
anti-virus software, remote computer maintenance, firewall
tunneling, wireless communications etc.

The physical reviews include checks on applicant’s personnel and


hiring procedures, physical security review, review of incident
response, disaster recovery, and security education programs, as well
as technical assessment of the network’s external vulnerability, using
vulnerability scans, digital sweeps, network monitory for internal and
external malicious users, and a review of firewalls, routers, network
configuration. These results are analyzed and a report compiled listing
recommendations for upgrades and fixes in order to ensure a more
secure network.

Insurers also keep monitoring of the firm’s security processes, third-


party security technology partners, rewards for information leading to
the apprehension of hackers, and expense reimbursement for post-
intrusion crisis-management activities.

As part of the application process, the insurer can also hire an


independent security consulting firm who are approved by the insurer
to perform the security risk survey. The risk assessment should be
conducted by a reputable security assessment provider, discuss the
selection process with the insurer before accepting the insurer’s
recommended consulting service provider.

Insurance coverage to firms with less cyber protections, with a greater


percent of its business online, or in a highly-regulated business subject
are considered to be higher risk so insurer check all the aspects of the
company and after all the necessary steps ,take decision whether to
give cover or not.

63
COMPREHENSIVE ANALYSIS OF A CYBER INSURANCE POLICY
A complete cyber insurance policy contains several coverage parts. These parts are:

A. Internet Media Liability Coverage
B. Internet Professional Services Liability Coverage
C. Security Liability Coverage
D. Cyber-Extortion Coverage
E. Information Asset Coverage
F. Business Interruption Coverage
G. Criminal Reward Fund Coverage
H. Crisis Expense Coverage

Insured means:
(1) The named insured;
(2) Any subsidiary of the named insured, but only with respect to
wrongful acts, extortion claims, failures of security, criminal reward
funds, crisis events or loss that occur while it is a subsidiary and is
otherwise covered by this policy;
(3) Any past, present or future employee of the named insured or
subsidiary thereof, but only while acting within the scope of their
duties as such;
(4) With respect to coverage A and coverage B for Internet media
services only, any agent or independent contractor, including
distributors, licensees and sub-licensees, in their provision of material
for Internet media on behalf or at the direction of the named insured,
but only in the event that a claim has also been brought against an
insured as defined in subparagraphs (1) through (3) above, and only
while such claim is pending against such insured;
(5) Any leased worker; and

As per the Insuring Agreement, the wordings for the coverage are:

A. Internet Media Liability Coverage

Insurer pays on the insured's behalf those amounts, in excess of the applicable Retention, that the insured is legally obligated to pay, including liability assumed under contract, as damages, resulting from any claim(s) made against the insured for his wrongful act(s) in the display of Internet media. Such wrongful act(s) must occur during the policy period.

Retention means the applicable retention set forth per claim in the Declarations with respect to each coverage. Insurer will only pay for loss in excess of any applicable Retention amounts set forth in the Declarations. At his discretion, insurer may pay all or part of the applicable Retention, in which case the insured agrees to repay insurer immediately after notification of the payment. The applicable Retention shall first be applied to loss covered by the policy that is paid by insurer or by the insured, with prior written consent of insurer.

With respect to coverages A, B and C, all claims arising from the same wrongful act(s) or series of continuous, repeated, or related wrongful acts shall be considered one claim and subject to the single highest applicable Retention.

Assumed under contract means liability assumed by you in the form of hold harmless or indemnity agreements executed with any party, but only for Internet media displayed on your Internet site under coverage A, or material published or displayed by you in the rendering of Internet media services under coverage B.

Damages means the amount that the insured shall be legally required to pay because of judgments or arbitration awards rendered against him, or for negotiated settlements, including without limitation:
(1) Punitive, exemplary and multiple damages (where insurable by
law);
(2) Pre-judgment interest; or
(3) post-judgment interest that accrues after entry of judgment and
before we have paid, offered to pay or deposited in court that part of
the judgment within the policy limit of liability or applicable sublimits of
liability.

Claim means:
(1) A written or oral demand for money, services, non-monetary relief
or injunctive relief;
(2) A suit.

Wrongful act means:

With respect to coverage A, and coverage B when rendering or failing to render Internet media services, any actual or alleged breach of duty, neglect, act, error, misstatement, misleading statement, or omission that results in:

(a) Any form of defamation or other tort related to disparagement or harm to character, including libel, slander, product disparagement or trade libel; or the infliction of emotional distress, outrage or outrageous conduct directly resulting from the foregoing;

(b) An infringement of copyright, domain name, title, slogan, trademark, trade name, trade dress, mark or service name, or any form of improper deep-linking or framing; plagiarism, or misappropriation of ideas under implied contract or other misappropriation of property rights, ideas or information; or

(c) Any form of invasion, infringement or interference with rights of privacy or publicity, including false light, public disclosure of private facts, intrusion and commercial appropriation of name, persona or likeness.

Internet means the worldwide public network of computers commonly known as the Internet, as it currently exists or may be manifested in the future.

Internet media means any material, including advertising, on your Internet site.

Internet media services means: the electronic publishing or display of material (including advertising) on an Internet site; or providing or maintaining of: instant messaging, webconferencing, webcasting, Internet-based electronic mail, online forums, bulletin boards, listservs or chat rooms.

B. Internet Professional Services Liability Coverage

Insurer pays on the insured's behalf those amounts, in excess of the applicable Retention, that the insured is legally obligated to pay, as damages, resulting from any claim(s) first made against him and reported to insurer in writing during the policy period or Extended Reporting Period (if applicable), for the insured's wrongful act(s). Such wrongful act(s) must occur on or after the Retroactive Date and be in the insured's performance of Internet professional services.

Wrongful act with respect to coverage B only is any actual or alleged breach of duty, neglect, act, error, misstatement, misleading statement, or omission in the rendering of or failure to render Internet professional services to others, including any of the foregoing that results in a computer attack to others.

An Internet professional service means any of the following services selected and checked in the Declarations and defined below, which the insured provides to others:
• Domain name registration services
• E-Commerce transaction services
• Electronic exchange and auction services
• Internet hosting services
• Internet media services
• Internet service provider (ISP) services
• Managed and network security services
• Search engine services

C. Security Liability Coverage

Insurer pays on the insured's behalf those amounts, in excess of the applicable Retention, that the insured is legally obligated to pay, as damages, resulting from any claim(s) first made against him and reported to insurer in writing during the policy period or Extended Reporting Period (if applicable), for the insured's wrongful act(s). Such wrongful act(s) must occur on or after the Retroactive Date.

Wrongful act(s) with respect to coverage C only is any actual or alleged breach of duty, neglect, act, error or omission that results in a failure of security.

Security means hardware, software or firmware whose function or purpose is to mitigate loss from or prevent a computer attack. Security includes, without limitation, firewalls, filters, DMZs, computer virus protection software, intrusion detection, the electronic use of passwords or similar identification of authorized users. Security also includes your specific written policies or procedures intended to directly prevent the theft of a password or access code by non-electronic means.

Failure(s) of security means:

(1) The actual failure and inability of the security of the computer system to mitigate loss from or prevent a computer attack;

(2) With respect to coverage C only, physical theft of hardware or firmware controlled by the insured (or components thereof) on which electronic data is stored, by a person other than an insured, from a premises occupied and controlled by the insured.

Failure(s) of security shall also include such actual failure and inability above, resulting from the theft of a password or access code by non-electronic means in direct violation of your specific written security policies or procedures.

However, in no event shall any of the above constitute a failure of security if resulting from operational errors, unintentional programming errors, or any failure in project planning.

D. Cyber-Extortion Coverage

Insurer indemnifies the insured for those amounts, in excess of the applicable Retention, that he pays as extortion monies resulting from an extortion claim first made against the insured and reported to insurer in writing during the policy period.

With respect to coverage D, all extortion claims from the same person, or persons acting in concert, shall be treated as one extortion claim. Any claim covered under coverages A, B or C that relates to or arises from an extortion claim shall, together with the extortion claim, be considered one claim, and subject to the single highest applicable Retention.

Extortion monies means any monies paid by the insured with insurer's prior written consent to a person(s) who is reasonably believed to be responsible for an extortion claim, solely where such payment is made to terminate or end such extortion claim; provided, however, that such monies shall not exceed the amount reasonably believed to be the loss that would have been covered under this policy had the extortion monies not been paid.

Extortion claim means any claim in the form of a threat or connected series of threats to commit an intentional computer attack against the insured for the purpose of demanding extortion monies.

Computer attack means unauthorized access, unauthorized use, transmission of a malicious code or a denial of service attack that:
(1) Alters, copies, misappropriates, corrupts, destroys, disrupts, deletes, damages, or prevents, restricts, or hinders access to, a computer system;
(2) Results in the disclosure of private or confidential information stored on your computer system; or
(3) Results in identity theft;
whether any of the foregoing is intentional or unintentional, malicious or accidental, fraudulent or innocent, specifically targeted at you or generally distributed, and regardless of whether the perpetrator is motivated for profit.

E. Information Asset Coverage

Insurer pays the actual information asset loss, in excess of the applicable Retention, which the insured sustains, resulting directly from injury to information assets first occurring during the policy period. Such information asset loss must first occur during the policy period and result from a failure of security of the insured's computer system that also first occurs during the policy period.

With respect to coverage E, the Retention applies to each failure of security or series of continuous, repeated or related failures of security.

Information assets means the:

(1) Software or electronic data, including without limitation, customer lists and information, financial, credit card or competitive information, and confidential or private information, stored electronically on the insured's computer system, which is subject to regular back-up procedures; or

(2) Capacity of the insured's computer system, including without limitation, memory, bandwidth, or processor time, use of communication facilities and any other computer-connected equipment.

Information asset loss means:

(1) With respect to information assets that are altered, corrupted, destroyed, disrupted, deleted or damaged, the actual and necessary costs you incur to restore your information assets, provided
(a) If the insured cannot restore such information assets, but can recollect such information assets, then information asset loss shall mean only the actual cost he incurs to recollect such information assets.
(b) If you cannot restore or recollect such information assets, then information asset loss shall mean only the actual cost you incur to reach this determination.

(2) With respect to information assets that are copied, misappropriated, or stolen, including without limitation any information assets that are trade secrets, information asset loss means the stated value set forth for each scheduled information asset as endorsed to this policy.

F. Business Interruption Coverage

Insurer pays the actual business interruption loss, in excess of the applicable Retention, which the insured sustains during the period of recovery (or the extended interruption period if applicable), resulting directly from a material interruption. The failure of security causing the material interruption and the business interruption loss must each first occur during the policy period.

The insured is responsible for the Retention whether based on the declared amount retention or the waiting hours retention amount. The declared amount retention applies to each failure of security or series of continuous, repeated or related failures of security. The waiting period retention applies to each period of recovery. In the event a failure of security or series of continuous, repeated or related failures of security results in more than one period of recovery, the waiting hour retention shall apply to each period of recovery.

Failure(s) of security means, with respect to dependent business interruption only, the actual failure and inability of the security of the dependent business' computer system to prevent a computer attack.

Period of recovery means the time period that:
(1) Begins on the date and time that a material interruption first occurs; and
(2) Ends on the date and time that the material interruption ends, or would have ended if the insured had exercised due diligence and dispatch.
Provided, however, the period of recovery shall end no later than thirty (30) consecutive days after the date and time that the material interruption first occurred.

Material interruption means the actual and measurable interruption or suspension of the computer system, which is directly caused by a failure of security.

Business interruption loss means the sum of:
(1) Income loss;
(2) Extra expense;
(3) Dependent business interruption loss; and
(4) Extended business interruption loss, but only in the event the amount of extra expense and income loss during the period of recovery together exceeds the applicable Retention.

G. Criminal Reward Fund Coverage

Insurer pays on the insured's behalf, at his sole and absolute discretion, up to a certain amount, in the aggregate, as a criminal reward fund. No Retention shall apply to this coverage.

Criminal reward fund means any amount offered and paid by insurer for information that leads to the arrest and conviction of any individual(s) committing or trying to commit any illegal act related to any coverage under this policy. Provided, however, insurer shall not pay any criminal reward fund for, and the policy shall not cover any amount based upon, any information provided by the insured, his auditors, whether internal or external, any individual hired or retained to investigate the aforementioned illegal acts, or any other individuals with responsibilities for the supervision or management of the aforementioned individuals.

H. Crisis Management Coverage

Insurer pays on the insured's behalf, at his sole and absolute discretion, up to a certain amount, in the aggregate, in connection with any crisis event first occurring during the policy period. No Retention shall apply to this coverage.

Crisis event means any covered claim or failure of security resulting in covered loss under this policy. Crisis event may also mean, in insurer's sole and absolute discretion, any failure of security that, in the good faith written opinion of the insured's chief technology, chief information or chief security officer, is reasonably likely to result in an otherwise covered claim or loss under this policy.

Crisis expenses means the reasonable and necessary charges and fees incurred by the insured within six months of a covered crisis event first occurring, for the services of a crisis management firm retained solely for the purpose of restoring the confidence of customers and investors in the security of the computer system.

Crisis management firm means any public relations firm, crisis management firm or law firm hired or appointed by insurer, or by the insured with insurer's prior written consent, in connection with a crisis event.

EXCLUSIONS UNDER POLICY
Common exclusions for all cyber insurance coverages:

A. Any of the following:
(1) Fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;
(2) Strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, act(s) of terrorism (whether domestic or foreign), committed by a person or persons whether acting on their own behalf or on behalf of or in connection with any organization, or any action taken to hinder or defend against these actions; or
(3) Electrical or mechanical failures, including any electrical power interruption, surge, brownout or blackout; a failure of telephone lines, data transmission lines, satellites or other infrastructure comprising or supporting the Internet, unless such lines or infrastructure were under the insured's operational control;

B. Any of the following:
(1) Any presence of pollutants;
(2) Any actual, alleged or threatened discharge, dispersal, release or escape of pollutants; or
(3) Any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify or neutralize pollutants, or in any way respond to or assess the effects of pollutants;

C. Infringement of any patent;

D. Any misappropriation, theft, copying, display or publication of any trade secret by, or with active cooperation, participation, or assistance of, any insured, any of its former employees, subsidiaries, directors, officers, partners, trustees, or any of its successors or assignees;

Under coverages A, B, C, D, G and H only, insurer does not cover claims, wrongful acts or loss alleging, arising out of or resulting, directly or indirectly, from:

E. Any claim, demand, suit, arbitration, mediation, litigation, or administrative, bankruptcy or regulatory proceeding or investigation, prior to or pending as of the first inception date; or alleging or arising out of or relating to any fact, circumstance, situation or wrongful act alleged in such claim, demand, suit, arbitration, mediation, litigation, or administrative, bankruptcy or regulatory proceeding or investigation;

F. Any of the following:
(1) Any warranty, representation or guarantee; inaccurate, inadequate, or incomplete description of the price of goods, products or services; or any failure of goods, products or services to conform with an advertised quality or performance; or liquidated damages; or any failure to provide goods or products, or perform services within a specified time period, by a deadline or according to specified milestones; or the collection of or seeking the return of fees or royalties or other compensation paid to the insured; or the cost of providing, correcting, re-performing, or completing any services.
(2) Any intentional violation of the insured's privacy policy; or

G. Any circumstance or occurrence that has been reported to an insurer on, or is covered under, any other policy of insurance prior to the inception date of this policy; or alleging or arising out of the same wrongful act or series of continuous, repeated or related wrongful acts or alleging the same or similar facts, alleged or contained in any claim that has been reported, or any wrongful act(s) of which notice has been given, under any policy of which this policy is a replacement or succeeds in time;

H. Any otherwise covered wrongful act committed prior to the Retroactive Date or after the last termination date.

Under coverages C, D, E and F only, insurer does not cover any claim, wrongful act, or loss alleging, arising out of or resulting, directly or indirectly, from:

I. Any of the following:
(1) Any shortcoming in security that the insured knew about or ought reasonably to have known about prior to the inception of this policy;
(2) Failure to take reasonable steps to use, design, maintain and upgrade security; or
(3) The inability to use, or lack of performance of, software;

J. Any seizure, confiscation, nationalization, or destruction of the computer system or information assets by order of any governmental or public authority;

K. Any wear and tear or gradual deterioration of the computer system or information assets;

COMPARATIVE STUDY OF THREE POLICIES
Table on Salient Provisions of Cyber Insurance Policies

Policies compared: Net Advantage, e-Comprehensive Security and Webnet Protection. "Y" means the provision is present in that policy. Where an entry below is not prefixed with a policy name, the source table does not show which of the three policies it belongs to.

COVERAGES

First Party Coverages

Destruction, disruption or theft of information assets
  Net Advantage: Y.
  e-Comprehensive Security: Y. Expressly covers malicious alteration or malicious destruction of information by any person, of information as a result of malicious code, of computer programs owned or licensed. (This may be covered under the definition of "computer system" (includes "computer software accessible through the Internet") of netAdvantage.)
  Webnet Protection: Y. Includes coverage for losses due to malicious codes ("Malicious code" defined as "software program that maliciously introduced into the computer the Insured's Information Processing System and/or networks, and propagates itself from one computer to another without the authorization of the Insured Company". Are viruses excluded from coverage?) Includes computer programs and trade secrets. Proviso that information and computer program be subject to regular network back-up procedures. Payment of actual and necessary expenses incurred to replace or restore info assets to the level at which they existed prior to the loss.

Internet Business Interruption
  Net Advantage: Y.
  e-Comprehensive Security: Y. Dependent business interruption covered by endorsement.
  Webnet Protection: Y. Includes dependent income loss.

Cyber extortion
  Net Advantage: Y.
  e-Comprehensive Security: Y. "The Insured shall use its best efforts at all times to ensure that knowledge regarding the existence of the Extortion coverage afforded by this Policy is restricted as far as possible."
  Webnet Protection: Y.

Fraudulent electronic transfers
  Net Advantage: N. Expressly excluded.
  e-Comprehensive Security: Y. Expressly covered: Insured having transferred fund or property as direct result of fraudulent: input of data, modification or destruction of information, preparation or modification of computer program, alteration or destruction of information due to malicious code.
  Webnet Protection: Not expressly covered. (Probably not covered under definition of e-business information assets (= electronic information and computer programs). Not a qualifying cause.)

Denial of service attack
  Net Advantage: Expressly covered.
  Webnet Protection: Y. Expressly stated as a "qualifying cause".

Rehabilitation expenses
  Y. Reimbursement for expenses incurred to re-establish the reputation of the insured (including public relation expenses).
  Y. Public relations expenses.

Third Party Liability Coverages (for claims made during the policy period or extended reporting period for acts committed by the insured on or after the Retroactive Date and before the end of the Policy Period)

Internet Content
  Net Advantage: Y.
  e-Comprehensive Security: Y (libel, invasion of privacy ("the right of individual to control the disclosure of Information that identifies the individual"), copyright infringement, plagiarism, etc. Emotional distress excluded).
  Webnet Protection: Y. Libel, invasion of privacy, plagiarism, infringement of IP (except patent).

Internet Security
  Net Advantage: Y. For claims arising from "failure of security" (defined as: failure of insured's hardware, software or firmware (including firewalls, filters, DMZs, antivirus) including theft of passwords or access code which results in a computer attack). Note: unintentional programming and/or operational error does not constitute failure in security.
  e-Comprehensive Security: Y.
  Webnet Protection: Y.

Defense Costs
  Net Advantage: Y.
  e-Comprehensive Security: Y. Insurer has right and duty to defend. Limit: up to payment of "all reasonable and necessary legal costs".
  Webnet Protection: Y.

EXCLUSIONS

Failure to back-up
  All three policies: Y.

Failure to take reasonable steps to maintain and upgrade security
  Net Advantage: Y.
  e-Comprehensive Security: Y. Always includes proviso on its coverages: "Provided always that the Insured Company maintain System Security levels that are equal to or superior to those in place as at the inception date of this Policy".
  Webnet Protection: In "Policy Conditions": "You agree to protect and maintain your computer system and your e-business information assets and e-business communications to the level or standard at which they existed and were represented…"

Fraudulent, dishonest and criminal acts of insured
  All three policies: Y.

Inability to use or lack of performance of software programs
  Net Advantage: Y. Due to expiration, cancellation, withdrawal, or have not been released from development stage, or have not passed test runs; or due to installation or failure to install software; or due to configuration problems.
  e-Comprehensive Security: Y. Any "malfunction or error in programming or errors or omissions in processing" (in computer programs) excluded.
  Webnet Protection: Implied exclusion: lack of performance of software programs not part of "qualifying cause".

Wear and tear of insured's information assets
  Net Advantage: Y.
  e-Comprehensive Security: Y. "Loss resulting from (a) mechanical failure, (b) faulty construction, (c) error in design, (d) latent defect, (e) wear and tear, (f) gradual degradation, (g) electrical disturbance, (f) failure, breakdown or defect within the medium upon which any electronic record may be stored".
  Webnet Protection: "Based upon or arising out of ordinary wear and tear, gradual deterioration of; or failure to maintain [e-information] assets and computer systems on which they are processed…"

Electric and telecommunication failures
  Net Advantage: Y.
  e-Comprehensive Security: Y (see above). (Also: "The failure or interruption of the infrastructure of the Internet or other telecommunications system, except where such infrastructure was under the operational control of the insured.")
  Webnet Protection: Failure of: telephone lines, data transmission or wireless connections, telecommunications equipments or electronic infrastructure not under the insured's control, malfunction of satellite, failure of power or utility service.

Breach of patents or trade secrets
  Net Advantage: First party: trade secrets covered provided valuation agreed upon; third party: both patents and trade secrets excluded.
  Webnet Protection: 1st party covered, as part of "electronic information". Third party: patent infringement excluded.

Loss or claim notified to a prior insurer
  All three policies: Y.

Claim arising out of liability to related parties
  All three policies: Y.

Failure of any computer or software to correctly assign any date (1st and 3rd party)
  Y.

OTHER RELEVANT PROVISIONS

Retentions
  Net Advantage: Retention same as in liability limits below + Retention waiting hours for business interruption and internet extra expense coverages.
  e-Comprehensive Security: There is only a single loss retention ("arising out of any single event or series of related events"). Any recovery (net of expenses) of property, money, etc., applied according to (1) loss of insured on top of single loss or aggregate policy limits, (2) reimbursement of amount paid by insurer, (3) single loss retention.
  Webnet Protection: Waiting period specified for business interruption. Each loss deductible, and each claim deductible, for any loss or claim arising from the same interrelated qualifying cause.

Liability Limits
  Net Advantage: Limit for each wrongful act or related acts, each for (a) internet content liability, (b) internet security liability, (c) cyber-extortion; and for each failure or series of related failures of security: (d) asset and income protection.
  e-Comprehensive Security: Insurer liable only after insured satisfies retention and shall not exceed policy limit. Aggregate limits for (a) 1st party, (b) 3rd party; with applicable single loss limit for each; sub-limit if contingent business interruption (one resulting from failure of a computer not operated by the insured but upon which the insured depends) if endorsement opted.
  Webnet Protection: Aggregate Policy Limit (for 1st and 3rd party losses). Separate limits for each coverage part (3 third-party coverages and 6 first-party coverages). With stipulation for hourly loss limit and total limit for business interruption and dependent business interruption.

Criminal Reward Fund
  Net Advantage: Y.
  Investigative expenses by insured expressly covered.

Surveys
  Net Advantage: Y. At any time.
  e-Comprehensive Security: Y. Annual: insurer has right to survey operations and premises; costs borne by insurers.
  Webnet Protection: Y. At option of insurer: as part of underwriting, in deciding whether to continue/modify coverage, or processing of loss/claim.

Insurer liable only for transcription or replacement cost
  Net Advantage: Definition of "Loss" ("actual and necessary costs incurred by the insured for replacing, reproducing, recreating, or restoring the insured's information assets").
  e-Comprehensive Security: 1st party loss of info, etc.: insurer shall be liable only for (a) labor for the transcription or copying of information, programs, or e-record, or the purchase of hardware and software for actual reproduction of info, program or e-record.
  Webnet Protection: 1st party insurance is for "restoration costs" (i.e., "actual and necessary expenses [incurred] to replace, restore, or recreate [e-assets] to the level or condition in which they existed prior to the loss").

Additional offices covered
  Establishment of additional offices or information processing system (other than consolidation, merger or purchase of assets of another company) covered provided the insured employs "at least the same level of system security as were in place for the existing systems and offices at the inception of this policy".

Notice required for change of control
  Insured shall notify insurer of change in power to determine management by virtue of ownership, voting rights, or contract; otherwise coverage terminated for loss or claim "after the date of change of control".

Termination of policy
  Y. 30 days notice from insurer.
  Y. 60 days notice from insurer or immediately on receipt of notice from insured; refund of unearned premiums computed pro-rata. Insurers not liable for loss not discovered prior to the effective date of termination.

Q1) At what frequency are your website or internet services updated?

Responses: weekly 88%, monthly 12%.

Generally, companies update their website/internet services weekly. The main reason is that the website/internet services are the source of information for the customer. Customers can get information about a company from its website; websites are a source of publicity for the company, and customers visit the website first to learn about the products, services etc. provided by the company. The main motive of the company behind the website is to provide information at a single click of the mouse, and customers rely on the information provided on the website. For insurance companies, banks and online portals the website is an essential component, so the websites/internet services are updated frequently for better service.

Q2) Has a clearly stated privacy statement been established on your website, and has it been reviewed by legal counsel?

Responses: yes 100%, no 0%.

Each and every company is strictly following the legal norms established by legal counsel. No website can operate without fulfilling these norms; all websites have to be registered with legal counsel.

Q3) Are you aware of the IT Act 2000?

Responses: yes 89%, no 11%.

The main objective of the Act is to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as e-commerce, which involve the use of alternatives to paper-based methods of communication and storage of information, and to facilitate electronic filing of documents with Government agencies.

In the survey, out of 100 respondents, 89% are aware of the IT Act 2000 and 11% are not.

Q4) Do you have cyber insurance?

Responses: yes 18%, no 27%, not aware 55%.

Cyber insurance, also known as network intrusion insurance, protects businesses from losses of electronic data. Such losses can be the result of viruses, hack attacks, cyber-terrorism or even intellectual property theft.

According to the survey, 55% of respondents do not even know about cyber insurance. Of the remaining 45%, only 18% say their company has cyber insurance and the rest do not.

Cyber insurance is not very popular in India, because it is very expensive and the coverage is very limited. Insurance companies are not willing to offer wider cover because the risk is higher when no data on past claims experience is available.

Q5) Are corporate awareness training sessions provided to assist persons in understanding the security measures?

Responses: yes 76%, no 24%.

Q6) Are firewalls in place to avert unauthorized access to the internally protected network from external sources?

Responses: yes 87%, no 13%.

A firewall is dedicated software running on a computer which inspects the network traffic passing through it and denies or permits passage based on a set of rules. It blocks unauthorized access and protects the company’s servers from viruses, hackers etc.

A firewall is a very common security measure in India; most companies have one to avert unauthorized access. According to the survey, 87% of companies have a firewall and the remaining 13% do not. Some companies rely on antivirus or other measures rather than a firewall to secure their data from viruses and hackers.

Q7) Are general backup and recovery procedures documented?

Responses: yes 100%, no 0%.

According to the survey, all the companies have their backup and recovery procedures well documented. This is very important in case of a breach of security, to minimize the losses, and it helps the company recover its lost data easily after a loss.

Q8) In the event of a security breach, do you have a computer incident response team?

Responses: yes 69%, no 31%.

A computer incident response team (CIRT) is composed of individuals trained to respond quickly to specific incidents, such as loss or damage, and to reduce recovery time and costs. Out of 100 respondents, 69% of companies have a CIRT and the remaining 31% do not. The main reason for not having a CIRT is that it is very expensive and only big companies can afford it. A CIRT’s key mission is to orchestrate a speedy and organized company-wide response to computer threats.

Q9) Do you sell products or services through your website or internet services?

Responses: yes 24%, no 76%.

According to the survey, only 24% of companies sell their products through their websites or internet services, while 76% do not. Insurance companies, banks and online portals sell their products through their websites. IT companies, on the other hand, use their website as a tool to make people aware of their products and of the company’s vision and mission.

Q10) Security solution and implementation: have any of these security systems been implemented?
a) Security Management Software (SMS)
b) Routing and Switching Technology (RST)
c) Data Integrity Programs (DIP)
d) Virtual Private Networking (VPN)

Responses: VPN 37%, SMS 29%, DIP 18%, RST 16%.

VPN, SMS, RST and DIP are the most commonly used security systems in India. All these systems help protect the company from external attacks or viruses. According to the survey, 37% of companies use VPN as a security system, 29% use SMS, 18% use DIP and 16% use RST. Of the above security systems, VPN is the most secure and hence the most widely used in companies.

Q11) Are credit & criminal background checks being performed on all existing/new employees and consultants?

Responses: yes 41%, no 59%.

According to the survey, 41% of companies check the credit & cyber crime background of new as well as existing employees, whereas 59% of companies do not check these important issues. In today’s cyber world it is very necessary to check the credit/cyber crime background of all employees to protect the company from any cyber loss.

Q12) How often are the firewalls, intrusion prevention and anti-virus safeguards updated, or product revisions applied?

Responses: automatic 55%, monthly 22%, semi-annually 15%, weekly 8%.

According to the survey, 55% of companies have automatically updated anti-virus, firewalls etc. 8% of companies update their anti-virus safeguards weekly, 22% update them once a month, and 15% update them once in 6 months. The more delayed the anti-virus safeguard updates, the more chances of a breach in security. All the MNCs have automatic updating processes.

Q13) Do you prefer in-house projects or outside projects?

Responses: in-house project 11%, outside project 67%, not applicable 22%.

According to the survey, 11% of companies prefer in-house projects, whereas 67% go for outside projects; 22% of companies are not dealing in software development.

In-house projects are those which a company develops for itself and then sells. Outside projects are developed by companies for other businesses on proposal. The main reason companies prefer in-house projects is that with in-house projects there are fewer chances of a security breach, and also no third-party liability in case of any loss. Outside projects are more risky and can cause more loss to the company in the case of any breach in security. Companies prefer in-house, but it is very rare that they have a choice.

RECOMMENDATIONS
• There should be more specific coverage available to the customer.

• There should be flexibility to add/delete cover according to the needs of the company, because no two companies have the same threats.

• Insurers should focus on reducing the cost to make it popular in the country.

• Till now just 3-4 companies have a cyber insurance product, so more companies should enter this portfolio to provide more competitive products.

• Indian companies should establish R&D departments with foreign insurers to make country-specific products, because laws in India are different from those of other countries.

• There should be more detailed cyber-actuarial investigation to develop more specific products.

• There should be more detailed investigation of the company before giving the cover, to minimize the claim ratio.

• More techno-savvy surveyors should be hired to investigate the actual cause of the loss.

CONCLUSION

Till now, insurance had been restricted to medical, life and protection against damage to assets. Initially the IT industry had been left out of the purview of insurance, and IT companies suffered losses from cyber extortion, e-business interruption and denial of service attacks to programming errors, incorrect recommendations and even inappropriate installation and training.

The fact that businesses are becoming more dependent on the Internet creates a whole new set of risks. The Internet has helped companies expand their reach and explore alternate business opportunities, but it has also left them vulnerable to denial of service attacks and hacking. Many companies have faced ransom demands from cyber squatters who occupy domain names on the Internet that should rightfully belong to the company. Even software developers and companies are liable to legal action from customers dissatisfied with their products or services.

The biggest problem is that most traditional insurance plans don’t include coverage for cyber risks, because the technology revolution is a relatively new phenomenon and insurance companies have been slow to respond.

Now, with the growth of the insurance sector, insurance companies are offering products for IT companies to protect themselves from a range of possibilities: from cyber extortion, e-business interruption, denial of service attacks, viruses and worms to programming errors, incorrect recommendations and even inappropriate installation and training.

Different insurers are providing insurance coverage for cyber space, giving IT companies, banks, BPOs etc. relief to work freely in cyber space. Companies like Tata-AIG, ICICI Lombard and HDFC General Insurance are providing cyber insurance to companies.

Still, there is a long way to go for insurers. There is a need for more customized products with wider coverage at an affordable price, to cater to the needs of different organisations.

Annexure

Questionnaires
COMPANY NAME:
NAME OF RESPONDENT:
DESIGNATION:

1. At what frequency are your website or internet services updated?
a. Weekly
b. Monthly

2. Do you sell products or services on your website or internet services? Yes/no

3. Has a clearly stated privacy statement been established on your website, and has it been reviewed by legal counsel? Yes/no

4. Are you aware of IT ACT 2000? Yes/no

5. Are corporate awareness training sessions provided to assist persons in understanding the security measures? Yes/no

6. Are firewalls in place to avert unauthorized access to the internally protected network from external sources? Yes/no

7. Are general backup and recovery procedures documented? Yes/no

8. In the event of a security breach, do you have a computer incident response team? Yes/no

9. Security solution and implementation: have any of these security systems been implemented?
a. Security management software
b. Routing and switching technology
c. Data integrity programs
d. Virtual private networking

10. Do you have cyber insurance?
a. Yes
b. No
c. Not Aware

11. Are credit & criminal background checks being performed on all existing/new employees, and consultants? Yes/no

12. How often are the firewalls, intrusion prevention and anti-virus safeguards updated or product revisions applied?
a. Weekly
b. Monthly
c. Yearly

Date : Signature

GLOSSARY
Ankle Biter
A person who aspires to be a hacker/cracker but has very limited knowledge or skills related to information systems. Usually associated with young teens who collect and use simple malicious programs obtained from the Internet.

Attack
An attempt to bypass security controls on a computer. The attack may
alter, release, or deny data. Whether an attack will succeed depends
on the vulnerability of the computer system and the effectiveness of
existing countermeasures.

Audit Trail
In computer security systems, a chronological record of system
resource usage. This includes user login, file access, security violations
occurred, legitimate or unauthorized.

Birthday attack
Based on the statistical probability of finding two identical elements in a known finite space: the expected effort takes the square root of the key space in number of steps. Example: with only 23 people in a room, there is a better than even chance that two have the same birthday.
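The arithmetic behind this entry, as an added illustration that is not part of the original dissertation: the exact collision probability for n draws from a space of N values, the smallest n that gives better-than-even odds (23 for 365 birthdays), and the square-root approximation that makes a collision search cost roughly the square root of the key space.

```python
"""Birthday-attack arithmetic (added illustration, not from the original text)."""
import math


def collision_probability(n, space):
    """Exact P(at least one collision among n uniform draws from `space` values).

    P(all distinct) = prod_{i=0}^{n-1} (space - i) / space; the collision
    probability is its complement."""
    if n > space:
        return 1.0
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def draws_for_even_odds(space):
    """Smallest n whose collision probability exceeds 1/2 (23 when space == 365)."""
    n = 1
    while collision_probability(n, space) <= 0.5:
        n += 1
    return n


def approx_draws_for_even_odds(space):
    """Closed-form estimate n ~ sqrt(2 N ln 2), from 1 - exp(-n^2 / 2N) = 1/2.

    The sqrt(N) growth is why a collision search needs only about the
    square root of the key space, not the whole space."""
    return math.sqrt(2 * space * math.log(2))


def collision_strength_bits(output_bits):
    """Bits of work to find any two colliding values for an output of
    `output_bits` bits: about 2^(output_bits / 2) trials, i.e. half the bits."""
    return output_bits / 2
```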

Bomb
A general synonym for crash, normally of software or operating system
failures.

Breach
The successful defeat of security controls, which could result in a
penetration of the system. A violation of controls of a particular
information system such that information assets or system
components are unduly exposed.

Brute force attack
Typically a known plain text attack that exhausts all possible key combinations. For any key length above 94 bits this attack is virtually infeasible to perform.

Computer Network attack
Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

Correlation attack
Combining the output of several stream ciphertext sequences in some nonlinear manner, thus revealing a correlation with the combined keystream, which is then attacked using linear algebra.

Cracker
A popular hacking tool used to decode encrypted passwords. System
administrators also use Crack to assess weak passwords by novice
users in order to enhance the security. Cracker: One who breaks
security systems.

Cracking
The act of breaking into a computer system or account; what a cracker does. Contrary to widespread myth, this does not usually require more than persistence and the dogged repetition of a handful of fairly well-known tricks that exploit common weaknesses in the security of target systems.

Cramming
A subtle scam used to get someone to change telephone long distance carriers without their knowledge.

Darkside hacker
A criminal or malicious hacker, opposite of a white-hat hacker.

Data diddling
The act of intentionally entering false information into a system or
modifying existing data.

Data driven attack
A form of attack that is encoded in innocuous-seeming data that is executed by a user or a process to implement an attack. A data driven attack is a concern for firewalls, since it may get through the firewall in data form and launch an attack against a system behind the firewall.

Data-in-motion attack
An adversary’s attempt to capture information while in transit, similar to a man-in-the-middle attack.

Denial of service
Action(s) that prevent any part of an information system from
functioning in accordance with its intended purpose. Usually flooding a
system to prevent it from servicing normal and legitimate requests.

Derf
Gaining physical access to a computer that is currently logged in by an
absent minded individual.

Hacker
A person who enjoys exploring the details of computers and how to
stretch their capabilities. A malicious or inquisitive meddler who tries
to discover information by poking around. A person who enjoys
learning the details of programming systems and how to stretch their
capabilities, as opposed to most users who prefer to learn the
minimum necessary.

Hacking
Unauthorized use, or attempts to circumvent or bypass the security
mechanisms of an information system or network.

Hijacking
An action whereby an active, established, session is intercepted and
co-opted by the unauthorized user. IP splicing attacks may occur after
an authentication has been made, permitting the attacker to assume
the role of an already authorized user. Primary protections against IP
splicing rely on encryption at the session or network layer.

Indirection
Covering your tracks so that the target cannot identify or prove who is
attacking them.

Internet worm
A worm program that was unleashed on the Internet in 1988. Robert T.
Morris wrote it as an experiment that got out of hand.

IP spoofing
An attack whereby a system attempts to illicitly impersonate another
system by using IP network address.

Letterbomb
A piece of e-mail containing live data intended to do malicious things to the recipient’s machine or terminal. Under UNIX, a letterbomb can also try to get part of its contents interpreted as a shell command to the mailer. The results of this could range from silly to denial of service.

Logic bomb
Also known as a Fork Bomb - A resident computer program which, when executed, checks for a particular condition or particular state of the system which, when satisfied, triggers the perpetration of an unauthorized act.

Mailbomb
The mail sent to urge others to send massive amounts of email to a
single system or person, with the intent to crash the recipient’s
system. Mailbombing is widely regarded as a serious offense.

Malicious code
Hardware, software, or firmware that is intentionally included in a system for an unauthorized purpose; e.g. a Trojan horse.

Man-in-the-middle
An active attack that typically gains information by sniffing or tapping a line between two unsuspecting parties.

Passive attack
Attack which does not result in an unauthorized state change, such as
an attack that only monitors and/or records data.

Passive cheater
The threat of unauthorized disclosure of information that doesn’t
change the state of the system. A type of threat that involves the
interception, not the alteration, of information.

Perimeter security
The technique of securing a network by controlling access to all entry
and exit points of the network. Usually associated with firewalls and/or
filters.

Piggyback attack
Gaining unauthorized access to a system via another user’s legitimate
connection.

Ping-of-Death
The use of Ping with a packet size higher than 65,507. This will cause a denial of service.

Sniffer/sniffing
A program running on a computer or device attached to a network that filters, captures, and records network traffic, i.e. packets.

Spam
A program to capture data across a computer network. Used by
hackers to capture user ID names and passwords. Also a software tool
that audits and identifies network traffic packets.

Spoofing
Impersonating a server or person without permission. Pretending to be
someone else. The deliberate inducement of a user or a resource to
take an incorrect action. Attempt to gain access to a system by
pretending to be an authorized user. Impersonating, masquerading,
and mimicking are forms of spoofing.

Superzapping
The use of a utility program to modify information in computers. Leaving no trail of evidence, it circumvents the application’s processing of data or commands.

Threat
The means through which the ability of a threat agent to adversely affect an automated system, facility, or operation can be manifested. A potential violation of security.

Tripwire
A software tool for security. Basically, it works with a database that
maintains information about the byte count of files. If the byte count
has changed, it will identify it to the system security manager.
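The baseline-and-compare scheme this entry describes, as an added example in Python that is not part of the original dissertation or of the Tripwire tool itself: it records the byte count of every file as described, and also a SHA-256 digest, because a byte count alone cannot detect an edit that keeps a file the same size. File names and contents in the demo are constructed for illustration.

```python
"""Tripwire-style file-integrity baseline and check (added example, not from the original text)."""
import hashlib
import json
import os
import tempfile


def _fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            size += len(chunk)
            h.update(chunk)
    return size, h.hexdigest()


def build_baseline(root):
    """Walk `root` and record size and digest of every regular file.
    Paths are stored relative to root, with '/' separators, so the
    baseline can be kept off-box and compared later."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            size, digest = _fingerprint(full)
            baseline[rel] = {"size": size, "sha256": digest}
    return baseline


def check_integrity(root, baseline):
    """Compare live files with a saved baseline. Returns a report with
    'changed' (size or digest differs), 'missing', 'new', and
    'same_size_change': files whose byte count still matches but whose
    digest does not, i.e. edits a byte-count-only tripwire would miss."""
    current = build_baseline(root)
    report = {"changed": [], "same_size_change": [], "missing": [], "new": []}
    for rel, old in baseline.items():
        live = current.get(rel)
        if live is None:
            report["missing"].append(rel)
        elif live != old:
            report["changed"].append(rel)
            if live["size"] == old["size"]:
                report["same_size_change"].append(rel)
    report["new"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Constructed scenario: baseline three files, then tamper (same-size
    edit, appended byte, deletion, new file) and re-check against the
    JSON-serialised baseline, as a stored database would be used."""
    with tempfile.TemporaryDirectory() as root:
        files = {"etc/passwd": b"root:x:0:0\n", "bin/ls": b"ELF-fake\x00", "notes.txt": b"hello"}
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        saved = json.dumps(build_baseline(root))  # what would be stored on disk
        with open(os.path.join(root, "notes.txt"), "wb") as f:
            f.write(b"jello")                      # same size, different content
        with open(os.path.join(root, "bin/ls"), "ab") as f:
            f.write(b"!")                          # size grows by one byte
        os.remove(os.path.join(root, "etc/passwd"))  # file deleted
        with open(os.path.join(root, "backdoor"), "wb") as f:
            f.write(b"x")                          # file added
        return check_integrity(root, json.loads(saved))


if __name__ == "__main__":
    print(demo())
```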

Trojan horse
An apparently useful and innocent program containing additional
hidden code, which allows the unauthorized collection, exploitation,
falsification, or destruction of data.

Virus
A program that can infect other programs by modifying them to
possibly include an evolved copy of itself.

Worm
Independent program that replicates from machine to machine across network connections, often clogging networks and information systems as it spreads.