EU tightens Data Protection Rules
Compelling companies to notify supervisory authorities when a breach occurs will drive the growth of cyber insurance in the EU. The Civil Liberties, Justice and Home Affairs (LIBE) Committee of the European Parliament has approved the compromise amendments on the European Commission’s proposals for a new Data Protection Regulation and have voted to adopt the LIBE report. The report includes approval for mandatory data breach notification and an increase in fines for compromising sensitive customer information.
The US already has mandatory notification rules in place and this has driven take-up of specialist first and third-party liability cyber insurance products.
In the UK and Europe, the cyber insurance market is still in its infancy. But it is thought that the new rules on notification, in tandem with steeper fines for failing to install adequate protections against data breaches, will compel companies to purchase cyber cover.
Key changes in the EU reform include:
• A single set of rules on data protection, valid across the EU;
• Obligation for companies and organisations to notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours);
• Increasing fine to 5% of annual worldwide turnover (or EUR100m, whichever is greater) for breaking the rules.
It will be the first revision to EU data protection laws since 1995 and is intended to strengthen online private rights and boost Europe’s digital economy.
“The European Parliament has just given its full backing to a strong and uniform European data protection law that will cut costs for business and strengthen the protection of our citizens: one continent, one law,” said vice-president Viviane Reding, the EU’s Justice Commissioner. “The vote also sends a clear signal: as of today, data protection is made in Europe."
Commission President José Manuel Barroso has called for a swift adoption of the data protection reform, before the end of this parliamentary term (following the 2014 elections).
“The cost to business of implementing the changes required to comply with this piece of regulation may be significant, but the cost of failing to comply could be far greater,” says Stephen Wares, Marsh’s Cyber Liability Practice Leader for Europe, the Middle East and Africa (EMEA). “It is clear that there is a strong will from the EU to give national regulators increased powers, with the suggested fining structure acting as an effective deterrent for non-compliance.
“While the deadline for implementation next year remains fluid, organisations should start considering the effect of the regulation on their operations and begin a process for ensuring compliance.”
Growing cyber market
Cyber liability is one of the fastest growing emerging risks facing organisations of all sizes and from a variety of sectors. In the UK, 93% of large corporations and 76% of small businesses experienced a data breach in the last year, according to PwC.
The C-suite has woken up to the importance of cyber security following a series of high profile incidents since 2011. Cyber security moved from 12th to 3rd place in this year’s Lloyd’s Risk Index.
Risk managers also consistently identify cyber crime and data privacy as one of the most concerning risks facing their organisations. Those surveyed by ACE at this year’s Association of Risk and Insurance Managers (Airmic) conference said new data protection regulations would be the primary driver of growth in cyber liability insurance.
Over the last five years the cyber offering at Lloyd’s has grown significantly in scope with a number of insurers developing bespoke solutions to cover first and third-party risks.
Some of the risks insured by cyber products include loss or damage to digital assets, non-physical business interruption, cyber extortion, securities and privacy liability and crisis management expenses. Some insurers also offer cover for loss of reputation, human error and regulatory fines and defence.
“Take up was limited frankly but as the products have developed in partnership with client request so we’re seeing the take-up level increase,” says Ben Maidment, privacy, cyber and technology underwriter at Brit Insurance. “This is also partly as a result of legislation changes, particularly in the US.
“More and more markets have come into this space over the last few years and there’s been a certain amount of commoditisation of the product out there on offer,” he continues. “Three or four years ago we were one of four Lloyd’s insurers alone writing this business and now you can probably double that as least. And other people are beginning to dip their toe into the market by supporting managing general agents.”
“Where we have focused additionally is on the risk management services which we offer to our clients as well,” he continues. “As an emerging area of exposure a lot of organisations – some small but some multinationals too – don’t have the internal resource capability in order to adequately assess their exposure and mitigate it effectively. So we offer risk management services to our clients.”
While the indemnification is an important aspect of the cover available, a big part of the solution is the access the insurer gives to experts when a breach occurs. IT forensics, crisis management specialists and legal experts are some of the vendors on offer to help manage the fallout.
“In that golden hour or two after a breach happens there are certain things which can prejudice some clients,” says Maidment. “They may do something for the best possible reasons which has actually not sought to mitigate the loss but accentuated it.”
“It’s very important to act on a data breach as soon as possible because a lot of things can happen in a short space of time,” he continues. “We give the ability day or night to speak to experts in the field who can tell them what they should do, but equally important what they shouldn’t do. So we’re there to hold their hand through the entire process.”