Privacy rules may boost cyber purchases
Companies that hold data on EU citizens, including those based in the United States, must ready themselves for upcoming legislation that will harmonize the rules on data breach reporting in Europe and introduce hefty penalties for companies found to fall foul.
The European Union’s wide-ranging rules on data security, the General Data Protection Regulation, will come into force in May 2018, and many companies already are well-prepared for the changes the rules will bring, experts say.
And the GDPR likely will lead to increased interest and takeup of cyber insurance coverage in Europe, they say.
The GDPR will apply to companies that are “processors” or “controllers” of data on citizens of the European Union — including the United Kingdom which, though slated to leave the EU, will still be part of the GDPR’s scope when it comes into force.
The scope of the new rules is broad and, among other things, requires data controllers to notify their state’s data protection authority of a breach within 72 hours.
Fines for breaches may be substantial — up to 4% of annual revenue for the most serious breaches. The GDPR also will require many companies to have data protection officers in place.
Companies based outside of the EU, but which may hold the data of EU citizens, need to ready themselves for the new rules, experts say.
The GDPR represents a “sea change” in data protection legislation in the EU, said Matt McCabe, a senior vice president in the cyber risk practice at Marsh USA Inc. in New York.
The changes may not be felt overnight, but those companies that already have a “level of maturity” in their cyber risk management likely will be better equipped to cope with the new rules, he said.
For example, companies that have well-established breach response plans, which they rehearse regularly, will be in a better position, Mr. McCabe noted.
Multinational companies are aware of the potential impact of the GDPR and should be undergoing privacy impact assessments to understand what data on EU citizens they have and how they are protecting it, he said.
There will be an effect on the cyber insurance market, which is at the end of the “risk appreciation cycle,” Mr. McCabe noted. Companies with mature cyber risk management practices are aware that they will not always be able to spend their way out of a breach crisis and put effort into risk mitigation and then use insurance as a risk transfer tool for the risk that remains, he said.
In a report, Oldwick, New Jersey-based rating agency A.M. Best Co. Inc. said the GDPR would likely have several effects on the European cyber insurance market, where takeup has lagged that of the United States.
“From an underwriting standpoint, the most significant consequence of the implementation of the GDPR is likely to be a marked growth in cyber insurance revenues, with some carriers suggesting it will represent a ‘shot in the arm’ for the non-U.S. cyber market,” said Alvise Argenton, a Best financial analyst in London.
In its report, Best noted that in the short term, an expected sharp rise in reported breaches will increase risk awareness and likely spur demand for cyber coverage. In the medium term, as more reliable data about breaches emerges, there should be benefits for pricing models, enabling the supply of relevant insurance products to increase.
Sarah Stephens, head of cyber, content and new technology risks at broker Jardine Lloyd Thompson Group P.L.C. in London, said there already has been an uptick in demand for cyber insurance from European buyers.
“Previously, buyers of cyber insurance would often test the water with limits starting at £10 million to £20 million, but we have recently observed new buyers starting out with programs as large as £275 million,” she said.