Companies handling personal data in Europe will soon be exposed to the risk of suffering very high fines if this data gets into the wrong hands. The EU General Data Protection Regulation (GDPR) will come into force in 2018. It significantly broadens the definition of what it means for an individual to have suffered by having personal data exposed and who is responsible. It could get ugly. So what are the implications for cyber insurance?
Cyber, according to Hans Allnutt, a partner at the law firm DAC Beachcroft, is all around us now, and that is why defining insurance coverage for losses related to cyber incidents resists simple classification.
Hans was speaking last Friday (14 October) at the Chartered Insurance Institute (CII) lunchtime lecture in Lloyd's. Hans leads the firm's cyber risk and breach response team and understands as well as anyone the challenges of managing losses related to cyber.
How big is the cyber insurance market?
Opinions vary on how much insurance premium is associated with cyber, ranging from $1m for pure cyber cover (SNL Financial) up to $10m if sources of silent exposure are taken into account. New underwriting opportunities abound, but the chance of incurring a major, unexpected loss is as high as in any other line of business.
Data has been referred to as the new oil. Hans asked if it could be the next asbestos. There is an ugly data monster coming over the hills of Europe in 2018. The GDPR will fundamentally increase the risk of litigation and fines to any company that handles personal data. The larger the volume of data and the more sensitive it is, the higher the cost. Potential fines can be levied up to the greater of 4% of turnover or €20m. No one yet knows what the implications for insurers could be.
Cyber may be all around us, but that doesn't mean we can't try to impose some structure on the different ways losses can occur. Hans presented a framework of Operational, Informational and Physical loss types to help understand and categorise the different types of loss.
Data breach, one of the prime examples of informational losses, is the type of cyber attack that we hear about most frequently. The massive increase in the volume and transferability of data creates many more opportunities for loss. Targeted attacks by malicious actors have resulted in headline losses, for example at Yahoo, Sony, Target or TalkTalk. Yet there are many other, frequently smaller, breaches occurring which are the result of human error. These are less visible, but under GDPR they could be fatal for a company that is held responsible for the breach, even if only due to a careless mistake by an employee, with no external hacker involved.
In the UK, data breaches are policed by the ICO, the Information Commissioner's Office. This independent body, supported by the UK Government, has the role of upholding information rights, promoting openness by public bodies and ensuring data privacy for individuals. Under the existing UK Data Protection Act the ICO already has the ability to prosecute and fine organisations. In the last two years the ICO has acted in 181 cases – details of each case are available on its website. TalkTalk, the mobile phone operator, was fined £400,000 after its data breach in 2015. A hacker found a vulnerability in outdated internal databases and exposed the details of 156,959 customers. TalkTalk had acquired the database when it acquired Tiscali in 2009.
External hackers are not the only source of potential problems
To get a sense of how vulnerable any company could be to the big stick the GDPR data monster might wield in 2018, consider Blackpool Teaching Hospitals NHS Trust. The trust was fined £185,000 after one of its staff made the type of mistake that is probably happening every day across the country, albeit in a less public manner and with less sensitive information. The trust had been required to publish equality and diversity metrics on its website and posted a summary in a pivot table derived from a spreadsheet. In posting the pivot table, the trust's employee also inadvertently made available the private details of over 6,000 members of staff, including dates of birth, religious beliefs, sexual preferences and National Insurance numbers, to anyone who double-clicked on the table. The data had been available online for 11 months. Under GDPR the cost of a similar error could be far greater.
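The failure mode above is worth a concrete pre-publication check, because a pivot table in an .xlsx file can carry a cached copy of every source row it was built from, invisible in the rendered summary but recoverable from the file. The script below is an added example, not part of the original article and not the trust's or the ICO's tooling: it assumes only the standard OOXML layout, in which a workbook is a zip archive and pivot caches live under `xl/pivotCache/` as `pivotCacheRecordsN.xml` parts with one `<r>` element per cached row. The sample workbooks are constructed in code as minimal stand-ins, not real Excel output.

```python
import io
import re
import zipfile

# In OOXML a workbook is a zip; a pivot table's cached source rows are stored
# in parts named xl/pivotCache/pivotCacheRecordsN.xml (assumption: standard
# layout), one <r> element per cached source row.
RECORDS_NAME = re.compile(r"^xl/pivotCache/pivotCacheRecords\d+\.xml$")
ROW_TAG = re.compile(rb"<r>")


def audit_pivot_caches(xlsx_bytes):
    """Return {part_name: cached_row_count} for every pivot cache records part.

    An empty dict means the workbook carries no cached source rows; anything
    else means the visible summary is shipping with its underlying data.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if RECORDS_NAME.match(name):
                findings[name] = len(ROW_TAG.findall(zf.read(name)))
    return findings


def safe_to_publish(xlsx_bytes):
    """Gate for a publishing step: refuse any workbook that still holds a cache."""
    return not audit_pivot_caches(xlsx_bytes)


def build_sample_workbook(with_cache):
    """Constructed minimal stand-in for a workbook (not a real Excel file).

    with_cache=True mimics a summary table that still embeds three source rows.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_cache:
            zf.writestr("xl/pivotCache/pivotCacheDefinition1.xml",
                        "<pivotCacheDefinition/>")
            rows = "".join("<r><s v='%d'/><s v='%d'/></r>" % (i, i)
                           for i in range(3))
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml",
                        "<pivotCacheRecords>%s</pivotCacheRecords>" % rows)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("summary-only", build_sample_workbook(False)),
                          ("with-cache", build_sample_workbook(True))):
        print(label, audit_pivot_caches(sample),
              "publish" if safe_to_publish(sample) else "BLOCK")
```

To run it against a real file, read the .xlsx into bytes and pass them to `safe_to_publish`; a non-empty audit result is the cue to publish the figures as plain values or a PDF rather than the workbook itself.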
In most jurisdictions today, it is the companies that are controlling the data that are considered responsible for misuse. GDPR extends the responsibility to companies that are processing the data as well, significantly extending the number of companies that could be held responsible for a breach.
There are 204 pages of detail on how GDPR will work. DataIQ has a handy summary. There are obligations to report breaches (within 72 hours), and certain companies may need to appoint Data Protection Officers. Any person who has suffered "non-material" damage will now have the right to receive compensation; there is no longer a need to prove financial loss. Furthermore, non-profit bodies can lodge a complaint on behalf of multiple people, opening up the potential for mass litigation.
GDPR is on track to apply in the UK from 25 May 2018. It will be unclear for some time what Britain's departure from the EU will mean for long-term adoption of the legislation, but any company operating in the EU will be subject to these rules.
How will the insurance market respond?
So where does this leave insurers? Has the market learnt its lesson from asbestos, which is now expected to cost insurers as much as $85bn? Insurers have less than two years to come up with a cyber insurance product that explicitly caters for data breach and the subsequent costs under GDPR, and to ensure they are not inadvertently exposed to losses from other, non-cyber-specific policies.
Across all lines of business, insurers are recognising the benefits of assisting their clients in preventing losses, not just (sometimes reluctantly) paying claims after a loss has occurred. In an area that is evolving as fast as cyber, the insurance industry has the chance to truly demonstrate leadership – helping to define, expose and manage this moving and evolving risk. The data monster is unlikely to go away, but perhaps it can be tamed.
My thanks to Hans Allnutt for allowing me to use his slides. Whilst informed and inspired by Hans' presentation to the CII, much of the material in this article is based on additional research. Many of the opinions are mine and may not reflect the views of Hans or DAC Beachcroft.
This article was originally published on LinkedIn, from where you can comment on it or forward it to your network.