Cyber risk—A ‘market’ in need of codification—comment

But, despite all this uncertainty, and not least because of all the media hype and developing legislation around this topic, the one inevitable question that board members will throw at the risk manager is: How much of this can we insure and how cheap can you get it for? The feedback from the recent Risk Frontiers seminar on the topic of Cyber Risk that we hosted in Brussels along with Belgian risk management association Belrim at the end of September suggested that the depth and breadth of coverage available for cyber risk is indeed rising. The market is growing in the US in particular. This is mainly because the US government has already identified this as an important area and has quite quickly developed new legislation that, among other things, makes it mandatory for companies to report data breaches as fast as possible.hideThis helps provide the data and transparency that the insurers need to try and quantify the risk and presumably the US legal community has not been slow to tap into this new vein of fees to thereby spark healthy demand among corporations. Europe is a little behind the curve in this area. It does not quite yet have the same level of robust and consistent rules that would help companies and their risk managers work out what actually needs to be managed. There is also currently no mandatory reporting mechanism in place that would force companies to let people politely know when their data has been stolen or lost and at the same time provide insurers with some decent working data and ‘loss experience’. But don’t panic—help is at hand. The EC’s draft Privacy Directive sets out what needs to be managed and protected and what will happen to those companies that fail to do so. It also contains a requirement for a 24-hour data breach notification period. The details are not entirely clear and are evolving and it seems that the legislation will not actually arrive until 2015, which is rather a long wait as individuals, companies and their insurers try to work out what to do about it. Nicolas Dubois of Directorate-General Justice Unit (JUST) at the European Commission, also told delegates at the Brussels seminar that the current EU proposals for a 24-hour data breach notification period may well change shape before final implementation. He then confirmed that the Privacy Directive will realistically not come into force for another three years. The draft caused a stir when released, not least because of the 24-hour notification period. But Mr Dubois used his place on the podium to play down fears that the scheme will be overly onerous. Changes may still be made to this particular proposal, he conceded. Mr Dubois argued that, from a risk perspective, the sooner a company notifies stakeholders of a breach, and takes appropriate mitigation measures, the less damage will be caused. He also said that it is no longer acceptable for individuals not to be notified when their data is compromised. Mr Dubois also told attendees at our cyber event that the draft proposals will give greater enforcement powers to data protection agencies and harmonise their response to breaches. And he added that, to ensure that punishment is standardised, national data protection authorities will be asked to assess each other’s rulings. It is of course a simple fact that too many rules emanate from Brussels. The confusion and uncertainty that often surround them arguably can deliver more costs than benefits for European business, not to mention the questionable concept of being told what to do by unelected bureaucrats. But in this case it would seem that rules are definitely needed to help deliver a coherent framework in which to try and manage these complex, fast changing and interdependent cyber risks. The Risk Frontiers survey shows without a shadow of a doubt that risk and insurance managers are currently grappling with a very uncertain and fluid risk horizon currently and they need help to ensure that their corporations can reap the benefits of technology, not just the risks. Greater legislation and from that legal certainty can only help in this regard and at the same time should spark a healthier insurance market that is prepared to offer bigger limits and more innovative and broad-based coverage.

Cyber risk—A ‘market’ in need of codification—comment

Want to read this article?

Read Next

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

Court says German government must tighten up climate protection

Premium increases continue to slow down in US commercial P&C market

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

Court says German government must tighten up climate protection

Premium increases continue to slow down in US commercial P&C market

Want to read this article?

Read Next

International SOS warns of ‘burnout epidemic’

Strebel to replace Gonzalez as head of Swiss Re China

Risk managers want software providers to integrate more AI tools

Court says German government must tighten up climate protection

Premium increases continue to slow down in US commercial P&C market

Related Articles