DPDPA Insurance and Insurability Assessment

I refer to my earlier writings about the need to insure risks arising out of non-compliance with data protection regulations.

Ref: A Golden Era for Insurance Industry ushered in through Personal Data Protection Act of India

Now with the adoption of DPDPA 2023 and the imminent release of the DPDPA Rules, it has become necessary for Companies to start reviewing their DPDPA Risk Containment policy.

The estimation of the risk starts with a “Gap Analysis”, which gives an early indication of how the Rs 250 crore-plus risk could theoretically affect the company. Companies put risk mitigation efforts in place, but the residual risk after mitigation has to be either absorbed or covered through appropriate insurance.

We do expect that the DPB will be considerate and adopt a soft approach towards imposing any penalties. Hence the real risk of administrative penalties for a company which has in good faith implemented DPDPA compliance can be considered much lower. However, when a breach does occur, the cost of making improvements to the system following an inquiry by the DPB is a reality and has to be covered along with whatever penalties are imposed. The cost of conducting a Data Breach Analysis will also be substantial.

Most companies use the services of the Big Four and spend large sums on both gap analysis and data breach analysis.

Presently, cyber insurance policies cover first-party losses in terms of expenses, and liability arising out of claims by victims, which we may call third-party losses arising out of the breach. “Administrative penalties” are a new development in India, and hence existing policies may not provide adequate coverage for them.

While the insurance companies and the IRDAI need to think of appropriate upgrades to their current policies, even as they update their own cyber security policies to include DPDPA compliance, FDPPI is launching, on its sixth anniversary on September 17, 2024, a “DPDPA Readiness Assessment” (DPRA) at a minimal cost. The assessment, based on a set of parameters, evaluates DPDPA readiness in terms of a DTS (Data Trust Score).

This DRA should also be considered a “DPDPA Insurability Assessment”, which insurance companies may use when accepting a request for underwriting and fixing the premium.

The evaluation itself may be expressed as a “DPDPA Insurability Index” (DII), which could be qualitative, such as “Fair”, “Good” and “Excellent”. The “Good” index could be fitted to the normal premium level, whereas “Fair” may involve a surcharge and “Excellent” a discount in the premium. The assessment would be based on an interview by an auditor with a key executive of the organization, ideally the CEO.

In the event of a data breach, there may be an assessment of the claim which, apart from identifying the expenses incurred, will also evaluate the root cause of the breach to identify the organization's negligence factor, assisting the insurance companies in determining the claim. This Data Breach Claim Assessment (DBCA) may determine whether the insurer approves the claim and, if so, to what extent.

The DRA is presently available as a service through Ujvala Consultants Pvt Ltd, while the DBCA is under development, with technology partners for the technical evaluation of a data breach still being identified.

On or after 17th September 2024, the DRA will be available to companies.

Naavi

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.