Key Exclusions
Definition
Cyber Insurance exclusions are specific events, circumstances, or types of losses that the policy does not cover. Understanding exclusions is critical because cyber incidents often straddle the line between covered and excluded events. Indian Cyber Insurance policies have both standard exclusions common to all general insurance and cyber-specific exclusions unique to digital risks.
Explanation in Simple Language
Major Exclusions in Indian Cyber Insurance Policies:
1. War & Terrorism: Losses from acts of war, invasion, or government-ordered shutdowns. Some policies also exclude state-sponsored cyber attacks (a grey area — attributing an attack to a nation-state is difficult).
2. Prior Known Events: If the insured was aware of a breach or vulnerability before the policy inception and did not disclose it, any resulting claims are excluded.
3. Failure to Maintain Minimum Security Standards: If the policy specifies minimum IT security requirements (firewalls, antivirus, patching, MFA) and the insured fails to maintain them, claims may be denied.
4. Infrastructure & Utility Failures: Power outages, ISP failures, or telecom disruptions (unless caused by a cyber attack on the insured's own systems).
5. Bodily Injury & Property Damage: Physical harm resulting from a cyber attack (e.g., a hacked industrial control system causing an explosion) is typically excluded from Cyber but may be covered under General Liability.
6. Contractual Penalties: Penalties arising purely from breach of contract (as opposed to regulatory fines) are excluded.
7. Patent & IP Disputes: Losses from intellectual property infringement lawsuits are excluded.
8. Unencrypted Portable Devices: Some policies exclude breaches caused by theft of unencrypted laptops, USB drives, or mobile devices.
9. Social Engineering (in basic policies): Basic policies may exclude losses from CEO fraud, invoice manipulation, or business email compromise. These require a specific endorsement.
Real-Life Indian Example
IT Services Firm — Hyderabad:
A software services company suffered a data breach after an employee's laptop was stolen from a train. The laptop contained an unencrypted database export with 12,000 client records. The company filed a Cyber Insurance claim for Rs 35 Lakhs (notification costs plus regulatory defence costs).
The insurer rejected the claim citing two exclusions: (a) the stolen laptop's hard drive was not encrypted, violating the policy's minimum security standards clause, and (b) the company had no Mobile Device Management (MDM) policy, which was a warranty condition in the policy. The company appealed to the Ombudsman but the rejection was upheld because the policy clearly stated encryption of portable devices as a pre-condition.
Claim Scenario
Scenario: Social Engineering Fraud — Textile Exporter, Surat
A textile exporter received an email appearing to be from their UK buyer requesting a change in bank account details for a Rs 85 Lakh payment. The finance team checked the email, which looked genuine (the sender address was spoofed), and transferred Rs 85 Lakhs to the fraudster's account without confirming the request through any other channel. The company filed a Cyber Insurance claim.
The insurer denied the claim because the base policy excluded "voluntary parting of funds based on fraudulent communication" (social engineering). The company had not purchased the optional Social Engineering Fraud endorsement (additional premium of Rs 15,000). The company lost Rs 85 Lakhs entirely.
Lesson: Always recommend the Social Engineering / Funds Transfer Fraud endorsement — it costs a small fraction of the potential loss.
Learning for POSP / Advisor
Key Points for POSPs on Cyber Exclusions:
1. Always walk the client through major exclusions at the time of sale. The most common disputes arise from exclusions the client did not understand.
2. Recommend add-on covers for: Social Engineering Fraud, Cyber Terrorism (where available), Reputational Harm, and PCI-DSS fines for businesses handling card data.
3. Ensure the client understands "minimum security standards" requirements — the policy may require firewalls, updated antivirus, regular patching, MFA, and employee training. Non-compliance voids coverage.
4. Highlight the difference between regulatory fines (often covered) and contractual penalties (usually excluded). A DPDP Act fine may be covered; a penalty for breaching an NDA is not.
5. War and terrorism exclusions are evolving — the NotPetya attack (2017) led to major coverage disputes globally. In India, this remains a grey area for state-sponsored attacks.
Summary Notes
1. Key exclusions: war/terrorism, prior known events, failure to maintain minimum security, infrastructure failures, bodily injury/property damage, contractual penalties, IP disputes, unencrypted devices.
2. Social engineering fraud requires a separate endorsement — always recommend it.
3. Minimum security standards (MFA, patching, encryption, firewalls) are warranty conditions — non-compliance voids claims.
4. Regulatory fines under DPDP Act are generally coverable; contractual penalties are not.
5. The war/cyber warfare exclusion is a grey area — attribution of state-sponsored attacks is difficult.
6. POSPs must explain exclusions clearly at point of sale to avoid disputes later.
