WASHINGTON – The European Union’s General Data Protection Regulation is starting to have an impact on demand for cyber insurance – an impact that will likely accelerate as other jurisdictions adopt similar privacy regimes, experts say.

The United States is the largest market for cyber coverage and the U.S. property/casualty insurance industry’s total direct written cyber premiums grew 8% in 2018 to $2 billion, according to a report released by Fitch Ratings Inc. on Tuesday, which said that GDPR and its potential for significant penalties is spurring more interest in cyber risk management and coverage even though the growth rate has slowed compared with 2017. GDPR enforcement took effect in May 2018.

“There’s no question that the GDPR has created interest and purchasing around cyber insurance,” Matthew McCabe, New York-based senior vice president and assistant general counsel on cyber policy for Marsh Inc., said at the National Association of Insurance Commissioners’ International Insurance Forum in Washington, D.C., on Monday. “I was a little surprised the take-up wasn’t immediate, but we’re starting to see increased purchasing in the EU.”

The EU had data regulation before the GDPR took effect, but “we’ve really seen that hammer come down,” he said.

GDPR is starting to have an impact, with thousands of complaints filed and regulators currently engaged in large-scale investigations, said Gareth Truran, head of London market supervision, PRA Insurance Directorate, Bank of England.

“It is relatively early in terms of seeing the consequences flow through the system in terms of penalties and enforcement actions and so on,” he said.

The focus on cyber insurance is likely to expand as more jurisdictions adopt similar regimes, which will also cause compliance challenges, Mr. McCabe said. 

“We see mimic regimes popping up all over the world and within the United States and they’re not always compatible,” he said. “If I’m in the private sector and I’m looking at the GDPR and I’m aware of how onerous or complicated that might be to comply with, I now have regime B that has an overlap but it’s not exact and now that’s going to exist in seven or eight of my major locations around the world. It’s a really, really complex question for businesses that’s going to pose a lot of traps. To work that back into cyber insurance, if you know that traps out there, you better have that assessment of what (is) the financial impact of falling into that trap and you better have an answer for how you’re going to approach that impact.”

About a third of the largest companies in the U.K. market have purchased cyber insurance, but the take-up rate among smaller organizations is much lower even though they are arguably more reliant on the post-breach response and resources of insurers, Mr. Truran said.

“Although it’s easy sometimes to focus on the challenges for larger companies, which are obviously in some ways more difficult because of the size of the operations, they do also tend to have a better level of cybersecurity, a better understanding, better preparation,” he said. Take-up rate among smaller companies is “an area where we’d expect to see over time that change.”

Risk managers in industries that traditionally do not buy cyber insurance have started purchasing the product “because insurers have more carefully begun to define the boundaries” of what is covered and not covered, said Trish Comiskey, vice president, risk management corporate insurance, Hancock Whitney Bank in New Orleans, who has purchased cyber insurance dating back to the 1998 and the concerns revolving around Y2K.

“If you have a business interruption claim for property because you have cyber intrusion, more than likely it’s not going to be covered anymore,” she said.

“Companies that don’t even deal heavily with personally identifiable information are just horrified by what they’re seeing,” Ms. Comiskey added. “They have all come to realize a cyberattack isn’t just a data breach and theft. It is now business interruption and it’s going to be supply chain disruption.”

But there are still critical questions about the boundaries of coverage, experts say. For example, Zurich American Insurance Co. invoked the “war exclusion” in relation to a property insurance policy purchased by Deerfield, Illinois-based snack food and beverage company Mondelez International Inc.’s expenses stemming from its exposure to the NotPetya virus in 2017, leading to litigation called Mondelez Intl. Inc. v. Zurich Am. Ins. Co. filed in Illinois Circuit Court in Cook County, Illinois, in October 2018. The governments of the United States and United Kingdom blamed the attack on a Russian military attack on Ukraine that spread to computer systems worldwide.

Recent legal cases such as this is one of the reasons why cyber risk is difficult for insurers, said Allison Berke, executive director, Stanford Cyber Initiative at Stanford University in California. 

“But I think we’re going to see that more if that becomes a valid judicial challenge,” she said.

However, whatever the outcome of that litigation, “that might have no applicability for the next policy because of the way the war exclusion is drafted,” Mr. McCabe said.

“There is no singular war exclusion and in cyber insurance, the war exclusion is perhaps negotiated anew on every binding,” he said. “Each carrier takes its own tack to it, but it is laser focused certainly by any decent broker that this is a relevant issue and you need to address the war exclusion based on the reason for purchasing any policy.”

There could be pockets of cover for cyber risk in general liability policies, said Lori Bailey, Boston-based global head of cyber risk, commercial insurance, Zurich.

“There could be some coverage built into those forms on a silent basis,” she said. “The challenge, of course, is it could be up to the court to interpret whether any coverage exists. For most customers and companies that we talk to, they want to know where their cyber is sitting. They don’t necessarily want it eroding on another policy if they have a huge property exposure, a huge casualty exposure, so having those dedicated limits and the dedicated product has become more important as the years have progressed.”

And risk managers must be careful of insurance policy clauses in the scenario where multiple policies can respond, Ms. Comiskey said. For example, a kidnap and ransom policy may pay up to the deductible of the cyber policy, but risk managers “have to make sure the cyber insurer is willing to allow that to count for the erosion of the deductible or you might get a payment and then you’re going have to suffer another deductible before your cyber policy comes in,” she said.