On May 25, 2018, a year from today, the European General Data Protection Regulation, or GDPR, takes effect. While the regulation is far reaching, there are several interesting and very relevant sections for cyber insurance and cyber risk modeling. A few key sections are discussed below. The text of the entire regulation is at the link above. Our understanding is that the GDPR will apply to companies around the world who have data on European Union citizens.
Article 33 of the regulation requires notification of breaches to the supervisory authority within 72 hours of discovery, and Article 34 requires communication regarding the breach to the impacted parties. This brings several specific costs that would almost certainly be insurable, including notification costs, forensic costs, credit monitoring costs, and potential liability. In fact, it is likely that breach notification laws in the United States are what led to the vast majority of cyber insurance being written for U.S.-based companies today, as well as the extremely fast growth of cyber insurance take-up in the U.S. Laws in 47 states currently require breach notification; only South Dakota, Alabama, and New Mexico have no such requirement—and New Mexico will become the 48th state to require notification when its new law takes effect next month. As European companies prepare for GDPR over the next year, they will most likely take a new look at purchasing cyber insurance.
One of the most interesting (and perhaps concerning) sections is Article 83, which allows for fines of “up to 4% of the total worldwide annual turnover [revenue] of the preceding financial year.” In conversations with many of our own (re)insurer clients around the world, we find there is still no consensus on whether the prescribed fines are insurable. Regardless, these fines would apply to insurance companies as well if their own data were breached, so it is important to account for this in business plans and to manage the risk.
With increasing regulation in cyber comes growing opportunity—the chance to expand a book of business into new markets and new organizations that hadn’t previously considered the need for cyber insurance. AIR’s cyber modeling efforts can help support new and established cyber insurers as they manage their portfolios.