Data protection changes will herald sea change in cyber insurance adoption-Marsh

“The challenge for insurers is that the interest in cyber insurance has been much greater than the appetite to purchase policies but this is changing and the carriers are telling me that they expect a much better conversion rate in 2013,” said Mr Motzfeldt.

Mr Motzfeldt was speaking to Commercial Risk Europe at the International Cyber Threat Task Force summit held in Dublin, where the emerging risks from the cyber world were outlined to an audience of IT security and risk managers. Also appearing at the event was Ireland’s Data Protection Commissioner Billy Hawkes who outlined the likely rule changes from the EU and a stricter approach from data protection authorities.

The EU Privacy Directive draft was published in January and is expected to be implemented by 2015. It will introduce one single law across all of Europe and will apply unambiguously to any company offering goods or services in the territory, regardless of where the data is actually held. “The new law emphasises that data protection is a fundamental right so it has upped the ante,” said Mr Hawkes. Consequently companies should be taking a risk-based approach to data protection.


“The organisation must carry out a risk assessment and form a policy that the board can sign off on and decide who has responsibility for each facet of that policy. Compliance to international standards is what we look for in an audit and this will soon become law. We look to see that there is proper security technology in place and that people know what they are doing,” continued Mr Hawkes.

In addition to the need for strengthened data security, the new directive will introduce mandatory notification in the event of a data breach. There will be an obligation for authorities to impose administrative sanctions of up to €1m or 2% of turnover. “This sum should lead boards to wake up and help IT security managers get the budget they need for new technology and tools,” said Mr Hawkes. “It could also open the way for individual or class action suits, as we have seen in the US.”

It should also open the way for more suitable insurance products, said Mr Motzfeldt. “Traditional underwriters have struggled to understand the cyber world because the risks do not fit easily into the business lines that the insurance industry is built on. But fines and mandatory notifications are much more predictable and quantifiable risks, and are therefore much more suitable for insurers.”

This is evidenced by the number of insurers, such as Beazley, QBE, Chubb and Chartis, which have recently launched their cyber insurance policies across Europe, presumably because they anticipate an increase in adoption as a result of the changes to EU data protection law.

Furthermore, underwriters are increasingly working with IT specialists and including access to third party providers like IT forensic consultants, law firms and PR companies as part of their cyber insurance policies.

Chartis launched its CyberEdge policy, previously available in the US and UK, across Europe in September. “The implementation of the new EU privacy directive will bring much more penal fines and mandatory notification in the event of a data breach, and as awareness of the changes increases, we hope the take-up of insurance will also increase,” said Scott Diamond, Deputy Manager, Financial Lines, Ireland, Chartis Insurance.

Despite insurers’ optimism, there is a recognition that more work needs to be done in order to fully satisfy corporate risk managers, especially for first party coverage for network interruptions, said Mr Motzfeldt.

Larger companies may find that a $100m limit for first party coverage is not high enough to be meaningful. Meanwhile, deductibles of between eight and twelve hours may be unsuitable for firms that would consider themselves terminally damaged after three hours of network interruption.
