News & views

Thursday, May 19, 2016


With companies facing increased obligations and high potential penalties, will they turn to cyber insurers for help? NIG director of underwriting and pricing Justin Clarke looks at the possible consequences for the insurance business

Cybercrime is so fast-moving that the law is scrambling to keep up. Now the EU has finalised legislation that has been in the pipeline since 2012 – and will close up some of the loopholes that have allowed so much cybercrime to go unreported.

It also significantly expands the obligations of companies that process individuals’ personal data – which will impact SME businesses along with larger organisations.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a milestone in EU data protection law. Until now, each member state had its own rules. The GDPR unifies the law across the EU. It also significantly expands the obligations of companies that process individuals’ personal data – which will impact upon SME businesses along with larger organisations.

The GDPR will come into force in mid-2018[1], but companies need to start making changes now if they want to be ready to meet their new obligation and avoid potentially crippling new fines for getting things wrong.

Many businesses will be looking for support during the preparation process and beyond.

Rules and practicalities

While the text of the GDPR is vast, it’s helpful to focus on three key points:

- Accountability. Under the GDPR, companies are responsible for building data protection and privacy into their organisational design. Procedures, staff training, IT services – all of these must be up to standard. Any data processing they carry out must be lawful and justified.

- Notification. As authorities are well aware, some large companies currently make the commercial decision not to report cybercrime[2]. While, previously, companies could sweep data protection breaches quietly under the rug, the GDPR obliges companies to notify the authorities of all breaches that put individuals at risk (where feasible, within 72 hours[3]). In high risk cases, they’ll also need to notify the individuals whose data has been hacked.

- Consent. The GDPR lays out more stringent requirements on getting properly informed consent for the use of data – particularly surrounding data being moved outside the EU.

In a practical sense, this means companies should be reviewing all of their policies for data protection in preparation for 2018. The regulation will require many to appoint expert data officers, and to carry out risk and impact assessments of all data processing. They will also have to prepare procedures for reporting, so that they can keep within the 72-hour limit in case of a breach.

Penalties for non-compliance

And now we come to the looming threat for companies – the penalties. Of course, the penalty will depend on the nature and effect of the offence or breach. The rules set out two tiers of fines according to the seriousness of the infringement. The figure that has boardrooms sitting up and taking notice is the maximum penalty allowed: 4% of global turnover. That’s a potentially crippling blow to a company.

Things that could trigger fines for businesses of up to €20million (£15.7m) – or a penalty of that business’s 4% total worldwide turnover for the previous year (whichever is the higher) include breaches of:

- the basic principles for processing data – including conditions for consent;

- international transfers; and

- not complying with orders imposed by the supervisory authorities.

The lower 2% of their turnover or €10million (whichever is higher) can be imposed on businesses if they do not fulfil the obligations set out in the regulations on a range of measures, including[4]:

- maintaining written records;
- reporting breaches when required by the GSPR to do so;
- implementing technical and organisational measures to ensure data protection by design and default;
- conducting impact privacy impact assessments;
- appointing data protection officers where appropriate; and
- subcontracting correctly and with the right authority;

Implications for cyber insurance

Obviously, the GDPR is a game-changer for companies that process data – and it’s likely to have some equally extreme impacts on the cyber insurance industry.

Increased interest in protection. Because of the potential fines under the GDPR, cybercrime can no longer be considered as an acceptable ‘running cost’ of business. Companies will need protection. This should lead to greatly increased interest in cyber insurance, and a corresponding surge in the market.

Increased awareness. Since cyber attacks must be reported under the GDPR, we can expect some disturbing statistics to be published in the next few years. Companies that have not yet experienced serious attacks, and do not pay much attention to the risk, will be given a sharp wake-up call when they see the true prevalence of data breaches.

Potential for better risk calculation. Currently a limited number of insurers have dipped their toe into the waters of cyber insurance. The GDPR’s reporting obligation will make it much easier to estimate the occurrence and risk of cybercrime, making it a less murky prospect for insurers. Because of this, there is likely to be a wider cyber insurance offering. Insurers already offering cyber insurance will be able to offer better value by singling out lower risk companies.

Help from insurers to reduce risks. The insurers working in this field could look to help their clients with risk management and risk reduction to prevent potential breaches and improve their client’s systems. The help available from different insurers could also help differentiate between providers.

This is a huge opportunity for insurance companies and brokers to gain a footing in an expanding market. The goal must be to offer companies support as they prepare for the challenges the GDPR lays out.

And don’t forget to make sure your own systems and processes' comply with the regulations too. Find out more about the GDPR from the ICO website.

[1]http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era (assuming the GDPR is soon to be published in the EU journal) [2]https://www.london.gov.uk/sites/default/files/gla_migrate_files_destination/Tightening%20the%20net_0.pdf 2.6, 3.15, etc. [3]http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf P53
[4] We haven’t included every single example but key ones for businesses.