General Data Protection Regulation (GDPR) and Cyber Insurance
Written by: Black Kite
The countdown has begun: the General Data Protection Regulation (GDPR) will be applicable as of May 25th,2018, aiming to strengthen the rights of the citizens of EU on the internet. This regulation will be implemented by the European Union, but it is also interest of companies located in other countries, including the United States, which process data of EU citizens.
At first, the GDPR standard was intended to be mandatory for all professions in finance: e.g., accountants, auditors, insurers brokers, notaries, lawyers, banks, etc. However, it has recently been extended to all corporations and institutions that process personal data.
Therefore, many companies will be forced to meet this new regulation, but are they really ready it?
The short answer is “No”. Compliance with new regulations that GDPR brings might be a big challenge for many. Here is why:
Adopted in 2016 after a long debate among EU member companies, GDPR goes far beyond the data breach notification requirements. It seeks to fulfill three objectives:
- Harmonizing European regulations, meaning that everyone will have to apply the rules in the same way: no need to translate its provisions into national law.
- Understanding the data processing differently, so there will be new restrictions for companies on collection and management of personal data.
- Forging bonds of trust between companies and users through GDPR regulation, in which consumers will have the ability to access, correct, and delete private information.
Since fines in case of violation of these requirements the importance of cyber insurance will be hiked up in the following days.
Cyber Insurance Market
Cyber insurance products have been around for 25 years. The US is the largest market estimated to account for c.$1.5bn or c.%90 of the 2015 global standalone cyber premium. For sure, there are several factors that explains these impressive growth rates in the US. Data breach incidents involving large companies targeted by hacking groups, such as data breaches that Sonny (in 2011), Ebay (in 2014), and Yahoo (in 2016) have faced, are one of the main reason of this growth. Those security breaches put millions of customers at risk of identity and data theft, including bank account numbers, customer names, account names, and customer addresses. As a result, it’s not surprising that the US firms ranked cyber risk as their 5th most important risk whereas it was 18th back in 2011.
Cyber insurance was used to be purchased more likely by TMT (Technology, Media, and Telecom) companies. However, in recent years, demand is on the rise also with large corporations that store personally identifiable information (PII) and process great amount of financial transactions. Large retailers, heavily regulated financial institutions, are those examples that can be given. In addition, healthcare has also become a large and growing segment of the cyber market in order to protect the sensitive patient information that they hold.
A survey conducted by Aon shows that the US standalone cyber market’s annual growth may reach $5.6bn by 2020.
When it comes to Europe, cyber insurance is still a niche market. However, since breach rates have increased %36 since 2011, there is a growing awareness in recent years.
By now, the demand concerning cyber market was mainly focused on extortion and business interruption cover. However, now, this seems to change with the Europe Union Global Data Protection Regulation (GDPR).
While there used to be weak regulators with limited ability to sanction firms, following the upcoming GDPR, there will be strict regulation with a general requirement to notify in the event of a breach. Companies who do not comply with the new regulation may be fined up from 10 to 20 million euros, or from 2% to 4% of their global turnover depending on the type of activity and subject to monetary caps.
Will Cyber Insurance cover GDPR fines?
Meanwhile, many companies wonder whether their cyber insurance policies will cover the fines or not. They are not ready to comply with the upcoming GDPR yet. The answer of the question is both yes and no. Even though there are many aspects of GDPR that should be covered by cyber insurance policy, there might be some other GDPR violations that are not likely to be covered.
So, a company needs to be sure so as not to encounter unwanted results. Any GDPR violation may result in financial problems and damaged reputation for the company.
It is now very easy to identify the risk posture of 3rd party vendors or cyber insurance subscribers.