The European cyber insurance market has developed at a slower pace and has not taken off in the way that the U.S. scene has due to a different cultural view toward data privacy and liability, but that could soon change depending on regulatory shifts and more awareness of the cyber threats that organizations in any country could experience.
In a recent Advisen webinar on developing a healthy European cyber insurance market, Advisen Director of Editorial Strategy & Products Rebecca Bole commented that “an ocean of cultural differences’ in business practices, loss experience, legal responses, and liability separate the U.S. experience from Europe’s.
As the cybersecurity culture shifts, it will be on the insurance industry to respond with the appropriate solutions for Europe’s specific interests and needs. And for the most part, European businesses have been less interested in the type of coverages that have proven popular in the U.S., there is still progress to be made.
The European Commission has always left data protection up to individual countries and those in the know say there is little in the way of notification requirements or fines to be feared in Europe. However, in 2012, the EC announced an intention to “update and harmonize” the data protection standard in Europe, according to Susannah Wakefield, partner at Taylor Wessing, with the implication that sanctions would become more severe and requirements more stringent.
Even with the motivating factor of potentially stiffer regulations, Europe may have a long way to go in recognizing the value of cyber insurance. Sarah Stephens, head of JLT’s cyber and technology practice, noted that the cyber insurance market in Europe is “simply not at the same scale” as in the U.S.,
“There is and has been a perception that cyber risk is just a U.S. issue, due to U.S. regulations,” she said, adding that there is an air of “defensiveness” for many organizations that feel cybersecurity is an IT issue with the collective feeling that “our IT guys have it under control.”
“That is changing as more and more companies across Europe do publicly report that they’ve had incidents,” Stephens said.
As for cyber insurance, the business community has expressed “greater skepticism of the usefulness,” she noted. Businesses generally seem to feel that a cyber-attack would be covered under their traditional insurance policies and a lack of large-scale losses enforces the theory.
“Sometimes you get a bit of a brick wall,” Stephens noted.
Of more interest to the European market for insurance purposes would be cyber-related physical damage losses, business interruption, reputational risk and system upgrades following an attack. Such options have made a few strides in the insurance market.
According to Kyle Bryant, ACE Europe’s regional cyber manager, cyber insurance in the region “existed in an entirely different realm” and reflects “complexities in how they look at insurance.”
“These conversations are where the challenges exist,” he said during the Advisen webinar.
According to Graeme Newman, marketing director for CFC Underwriting, while the financial services and retail sectors in U.S. are snapping up cyber coverage, in Europe, more energy companies, utilities, and other technology-based logistics firms are showing interest. Cybercrime coverages have also shown growth, he said, based upon “a huge shift from traditional crime to cyber crime,” with an eye toward protecting electronic funds and other susceptible assets.
“It’s a slightly different profile,” he told Advisen, adding that he is seeing “slow but steady adoption by the large corporates.”
On the privacy standpoint, absent tougher regulations, a case is being made for notification of breaches based “a moral requirement.”
“We haven’t got a culture of notifying at the moment,” Newman said.
European businesses, governments, and consumers face many of the same cyber threats as in the U.S. According to the latest European Union Agency for Network and Information Security (ENISA) “Threat Landscape” report, 2014 showed the most significant rise and expansion of threats in a single year. Europe and U.S. both fall victim to many of the same type of web-based attacks, the report revealed, although Europe was also found to be the region with the “lowest infection rates” due to spear-phishing email scams.
ENISA also noted that the focus on Big Data and accompanying risks will likely expand in Europe, following the lead of the U.S.
“Preparatory activities with regard to relevant regulation in the US have focused on big data by underlying its important role for society, but also stating risks to privacy and self-determination that are connected to this asset and related technologies. Similar activities have been in the reporting period within the European Commission. This is a very positive development, as this may help governmental/legal action to catch up in this area, being currently behind technological developments,” ENISA stated in its report.
Should more stringent privacy regulations be ushered in, the question becomes whether insurers can offer a solution to cover fines and penalties. And the answer may depend on whether the actions that led to a breach represented any kind of criminal behavior on the part of the insured.
“Insurers are keen to provide the broadest level of coverage that they can responsibly provide … to the extent that it’s not against public policy,” said Stephens.
More information Advisen Webinar: Practical Takeaways for a Healthy European Cyber Market