This article was first published on Bar and Bench on 13 January 2024.

Why do you need a Cyber Insurance Policy?

As many organizations process personal and sensitive information, continuously monitoring data protection practices should be a part of organizations’ data governance frameworks. 

Organizations need to implement robust privacy and security practices considering the standard industry practices, the data processing activities, and the applicable legal and regulatory requirements.

Whether privacy and security practices are adequate depends on whether they address the risks and threats an organization actually faces, and those change over time. Regular assessment of those practices, against the current threat picture rather than the one at the time they were designed, is how an organization verifies that they remain adequate.

Additionally, organizations can undergo appropriate data protection audits and obtain third-party assurance such as ISO 27001 and ISO 27701 certification, a SOC 2 report (an auditor's attestation rather than a certification), and other assurance of the same kind. These reflect the strength of an organization's privacy and security practices (and hopefully reduce insurance premiums). ISO 27701, which extends ISO 27001 with privacy-specific controls, maps those controls closely to the requirements under the GDPR.

Data protection certifications and privacy and security practices reduce the likelihood of a breach; they do not prevent one. Given the pace of change in technology and attack techniques, there is always some probability that information will be breached, so organizations remain exposed to financial, reputational, and other repercussions.

The penalty for breach under the DPDPA can be up to Rs. 250 crore. Under the GDPR, the penalty can be up to 10 million euros or 2% of the organization's annual worldwide turnover, whichever is higher, and for the more serious categories of infringement up to 20 million euros or 4% of annual worldwide turnover, whichever is higher. The penalty is determined depending on the severity and nature of the breach. Additionally, there could also be indemnification obligations towards third parties, which may be uncapped or capped at a substantially higher value.

Cyber liability insurance, to a considerable extent, helps the organization absorb these risks and indemnification obligations. It also reduces the risk that a breach forces the closure of business operations. As general insurance would not usually cover these risks, it is recommended that organizations obtain separate cyber liability insurance to add another layer of protection to their business operations.


Author: Sandeep G, Associate at NovoJuris Legal
