False sense of security over cyber risk following GDPR delays

Delay in the adoption and implementation of the EU’s General Data Protection Regulation (GDPR) means some risk managers have potentially placed the matter on the “back burner” and could therefore be storing up severe problems for their employers, according to Alan Moore, head of UK business and global chief underwriting officer at Generali Global Corporate & Commercial (GC&C). The GDPR rules were finally adopted on 26 April, but do not need to be transposed into national law and become effective until 25 May next year. The regulation is designed to strengthen and unify European data protection rules for all EU citizens and incorporate all foreign companies that process data of EU residents. The rules demand that any breaches are notified to the authorities within 72 hours. They will bring Europe into line with the US and rapidly raise awareness of the true scale of this problem. The GDPR also brings in a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover or €20m, whichever is the largest, for those organisations that break the rules. According to a UK government 2015 information security breaches survey, 90% of large organisations and 74% of SMEs reported a security breach. This led to some £1.4bn in regulatory fines that year. The GDPR’s fines of either €20m or 4% of worldwide turnover make the current maximum penalty of £500,000 per event seem rather puny. The Payment Cards Industry Security Standards Council (PCI SSC) revealed last October that if data breaches remain at 2015 levels, the fines paid to the European regulator could skyrocket to a 90-fold increase. In monetary terms, the £1.4bn of UK fines in 2015 would have led to £122bn of penalties under the GDPR rules, the PCI SSC calculated. Mr Moore fears that too many UK risk managers have not really appreciated the potential scope of these new EU rules and need to act fast. “We find that awareness of cyber risk is very mixed in the UK. It really seems to depend upon the type of company. Financial institutions are more up to speed because they have been dealing with this risk for a rather long time. But if you consider all the other organisations that hold data, I am not convinced that they have really considered this risk too much,” he told Commercial Risk Europe. “This is a challenge, and I suspect has largely occurred because of the delay in the arrival of the EU regulations. I feel that many risk managers simply put the matter on the back burner and do not fully appreciate the reporting requirements and potential costs involved if they do have a data breach,” he added. Doug Robare, head of financial lines at GC&C, said that when risk and insurance managers do get around to seriously looking at this risk and the transfer options, they need to choose carefully. This is not a one-size-fits-all coverage, he stressed. “Fines may be insurable in the US but they are generally not in Europe. So, examples of coverage that may work well in the US or even the UK may be useless in Italy, Germany or France. The market has to get away from pitching a product and has to translate the discussion to fit with local conditions,” said Mr Robare. “I suspect that, as in many specialty areas, people may put on an air of lack of concern or false confidence simply because they are not comfortable with the topic. Risk managers are generally not IT experts and why should they be? What you have to ask is whether the dialogue is happening between the IT people and the risk people. If not, it needs to happen,” he added. “Sometimes the potential point of entry is not actually known and people do not really understand that the crown jewels of a company may well be highly exposed whether directly or through the back door. And this risk will get bigger. It will have implications for other lines of coverage such as directors and officers, professional indemnity, supply chain and the like. This is part of an education process for the whole market and our job as insurers and brokers is to bring information to the table so we can develop solutions, not off-the-shelf products,” concluded Mr Robare.

False sense of security over cyber risk following GDPR delays

Want to read this article?

Read Next

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Want to read this article?

Read Next

Action needed to bridge $800bn Asian climate finance gap

Courage and collaboration needed to manage emerging construction sector risks

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Related Articles