DEBATE: Insuring against regulatory penalties
Pro: Sarah Stephens, head of cyber & commercial E&O at Aon Risk Solutions EMEA
Insurance can and should cover non-criminal privacy-related regulator fines. Most insurers will write into their policies that regulatory fines are covered “to the extent insurable under applicable law.”
We have seen insurers pay out on some fines related to breaches of the Privacy Rule in the Health Insurance Portability and Accountability Act (“HIPAA”) in the US but it will be interesting to see if insurers are able to apply the same logic in light of the EU General Data Protection Regulation introducing bigger fines.
I think the fine is just part of it… and that covering the fines isn't the first motivation for most companies. Basically, part of the underwriting process on cyber insurance is to really subject the companies to a review, and part of the benefit of this is giving them a stamp of approval.
In Europe, we see customers much more focused on business interruption due to a cyber-attack or technology failure, and the benefits of having access to external experts and reimbursement for their extra expenses and lost income. They're less concerned about liability although that potentially could change with the new regulation.
All kinds of corporate risks are insured; it's just a prudent measure. To be eligible for cyber you need to demonstrate due diligence, protection and agility to face new cyber threats.
Insurance helps to smooth out some of the uncertainty as well as provide an additional external check to help companies on the path to agile security.
Anti: Becky Pinkard, director, Security Operations Centre at Pearson
I would say to businesses that the best way they can protect customer data, assure customer confidence and brand integrity is to actually understand and provide the necessary fundamental security controls so that they meet the regulatory requirements.
I look at cyber insurance as padding – it may help if you suffer a breach. It's not a substitute or be-all-and-end-all; it's a protective tool to give added assurance.
Cyber insurance is also still a niche product – I think of it as DLP (data leakage prevention) – everybody talks about it, but they're not sure how it fits in the organisation, or how the various processes and components work. Companies are often not doing a whole lot with it.
What companies must get right is hiring the right security people to help them understand the regulatory requirements and what exactly to protect. There's so much advice and opinion out there that it can be overwhelming.
I've spoken with individuals and taught classes where people have been interested in investing in cyber insurance to give assurance, but without necessarily having the baseline security requirements. In order to obtain realistic quotes, you must have the security basics sorted before you even pursue cyber insurance.
Companies need proven security experts to lead the way and give them professional advice. Security, as an industry, has sprung up quite quickly and the breadth and complexity of the domain can be daunting. Cyber insurance is not a plaster for the unwitting or unwilling.
From the September 2014 issue of SCMagazine UK