EU cyber regulations are about to get much tougher: insurers and businesses must respond

New EU data protection laws are expected to be adopted by early next year, requiring mandatory notification of serious data breaches. This could result in vastly increased fines and is driving significant demand for cyber insurance. However, insurers face significant hurdles before a stable and mature cyber market can develop, according to Nigel Pearson of Allianz.

The cyber insurance market is estimated to have grown from zero to approximately $2.0bn[1] in premium income since the first dedicated cyber insurance policies were issued over a decade ago in the US. Today, it is experiencing double digit growth on a yearly basis.

At present, about 90-95% of that premium income is in respect of US companies, but that is beginning to change with cyber insurance bought by non-US companies growing rapidly.

The demand for insurance is driven by many factors, but primary among these are (1) legislative developments in data protection law, and (2) the increasing frequency and severity of cyber incidents.

There are now 47 states in the US which have data protection laws containing some form of mandatory notification provision.  However, the picture outside the US is more fragmented. Many jurisdictions have passed tougher data protection laws but, crucially, mandatory notification of data subjects is not usually part of the legislation.

In the EU, this is about to change. The General Data Protection Regulation (GDPR) is moving inexorably towards implementation. Presently it is scheduled to be adopted by the end of 2015/early2016, after which there will be a further two year transition period. It will then be binding in all EU states.

This regulation will require mandatory notification of all serious data breaches to the regulator such that data subjects can take appropriate measures. Exactly what this will mean in practice is still unclear. There is, though, some precedent in the notification requirements that already exist for Communication Service Providers (CSPs) under the Privacy and Electronic Communication (PEC) Directive recently expanded upon in the PEC Regulation 677/2013.

This regime requires CSP’s to (1) report all data breaches to the regulator within 24 hours; and (2) notify the data subject "without undue delay" when the breach is "likely to adversely affect the personal data or privacy" of that individual. Whatever the final model adopted under the GDPR, notification costs are likely to increase significantly.

A second very important element of the GDPR is the ability to impose significant fines, potentially up to 5% of global turnover.  Google was recently fined €900,000 for breaking Spain’s data protection rules (a fine referred to as “pocket money” by the then EU Justice Commissioner). But under the new regime this fine could be about €750m – a different proposition altogether.

The size of recent breaches has been eye watering, with costs estimated in the hundreds of millions for certain incidents. But there is possibly a bigger issue at stake, namely frequency. It is very difficult to determine how many companies are suffering cyber security breaches but it is estimated to be well over half of all organisations recently polled in the UK[2]. Even small breaches can have significant cost implications for companies.

The combination of frequency and severity of breaches together with the ever-evolving legislative landscape is creating significant demand for cyber insurance.

Whilst there are now many insurers offering cyber insurance, significant hurdles need to be overcome before a stable and mature cyber insurance market can truly develop.

First, wordings need to evolve. There are many wordings and they are fairly complex. They are beginning to converge but many concepts remain untested.

Second, pricing is quite variable. This is not surprising as one of the main components – claims cost data – is still immature and developing.

Third, the aggregation potential is not well understood. One incident could have a catastrophic effect on an insurer’s book, therefore the need to understand the realistic disaster scenarios and develop a robust aggregation model is paramount.

Fourth, an insurer’s ability to underwrite the risk adequately is being tested by the complexity of IT systems and the increasing sophistication of threat vectors.

Whilst the task can at times seem daunting, companies are beginning to get a handle on their exposures and underwriters are beginning to overcome some of the hurdles. Having said that, we are undoubtedly in the early phases of development and there will be casualties along the way.  

Businesses and insurers both have an important role to play and big challenges ahead of them, but their ultimate goals are clear. Businesses must continue to strive to have a good understanding of their exposures and robust risk management. And insurers must provide comprehensive and adequately-priced risk transfer when it is needed.

 

Nigel Pearson is global head of Fidelity at Allianz Global Corporate & Specialty.

 

[1] The Betterly Report “Cyber/Privacy Insurance Market Survey 2014”

[2] 2014 Information Security Breaches Survey, UK Department for Business Innovation & Skills, London, 2014

Nigel Pearson, Allianz