By Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty
One of the main topics of debate between the three parties – the European Commission, the European Parliament, and the European Council – is the size and severity of the fines that companies could face if they are found to negligently incur a data breach. In recent news it has been suggested that fines could range from two to five per cent of annual global revenue, with a maximum figure from €1 million to €100 million. There is no doubt that companies’ management of third-party data will be closely monitored as a result.
Importantly, the regulations will introduce obligatory data breach reporting throughout Europe as this currently only applies in very few industry sectors and/or countries. A data breach must be reported in the event that it poses a significant ‘risk of harm’ to data subjects, or a serious violation of their rights.
The three European parties have entered the final round of negotiations and must now agree on how to harmonise the different versions of the regulation. Much will be determined in the coming months.
The question most companies will be asking themselves in preparation is how ‘risk of harm’ is calculated. Companies will only be able to assess whether a breach poses a ‘risk of harm’ if they have comprehensive documentation of their data and who it belongs to. They must also have appropriate procedures in place that permit them to quickly and accurately evaluate the extent of the data breach.
Yet this is rarely the case. There are still many organisations, large and small, that do not know the exact number of customers they have on their books. They often do not know the different payment methods they use. In addition to this, they may also not know where their data is held. Consequently, if there is a data breach, many companies will not know how much data has been exposed or how many customers, employees or third parties have been affected, and so they will be unable to gauge the impact of the breach.
Record-keeping of all data should therefore be far more detailed, and cyber incident response procedures should be tested and re-tested to ensure they are fit for purpose. It is essential that the response to and management of a breach involves key stakeholders, including senior management, risk managers and Chief Information Officers, to ensure that the procedures are applied across the company.
This helps in quelling business interruption and reputational damage and lessens the chance of data breaches going undetected. It also ensures that a consistent, well-considered message is delivered.
As companies seek more specific cyber insurance coverage for data protection and other cyber incidents, they will be more inclined to draw on specialised cyber risk underwriting and depend less on traditional insurance policies.
Buyers shouldn’t assume that cyber insurance policies are not ‘fit for purpose’ or don’t work in practice. Cyber insurance has been around in various forms for more than 15 years, and has paid hundreds of millions of pounds in claims.
Ultimately, the better companies understand their own risk profile – in particular their cyber exposures – and the better their internal systems, the more tailored and better priced cyber insurance they’ll be able to buy.
Insurers in this arena will price for uncertainty, so companies that approach the market with evidence of their comprehensive risk mitigation strategies are better placed to secure top-notch cover.
Cyber is a high growth market and competition among insurers is increasing. They are all keen to build good relations with customers and for their products to be seen favourably, especially as there are still some buyer concerns over the practicality of cyber insurance policies.
As a result, claims response is efficient, with insurers and insureds in this space cooperating closely. Buyers now have no excuse not to fully map out their cyber exposures and to seek cyber cover.
With Europe’s data protection regulation around the corner, and insurers vying for new business, there might never be a better time.