Articles - Companies leaving it too late on cyber risk modifications?


The sluggish progress of the European Commission’s General Data Protection Regulation has encouraged some companies to believe that they can hold off until after the Regulation’s implementation before making modifications to their cyber risk management. This, however, will be leaving it too late.

 By Sarah Stephens, Head of Cyber, Technology and Media E&O, JLT Specialty
 One of the main topics of debate between the three parties – the European Commission, the European Parliament, and the European Council – is the size and severity of the fines that companies could face if they are found to negligently incur a data breach. In recent news it has been suggested that fines could range from two to five per cent of annual global revenue, with a maximum figure from €1 million to €100 million. There is no doubt that companies’ management of third-party data will be closely monitored as a result.
  
 Importantly, the regulations will introduce obligatory data breach reporting throughout Europe as this currently only applies in very few industry sectors and/or countries. A data breach must be reported in the event that it poses a significant ‘risk of harm’ to data subjects, or a serious violation of their rights.
  
 As the three European parties have entered the final round of negotiations, now they must agree on how to harmonise the different versions of the regulation. Much will be determined in the coming months.
  
 The question most companies will be asking themselves in preparation is how ‘risk of harm’ is calculated? Companies will only be able to assess whether a breach poses a ‘risk of harm’ if they have comprehensive documentation of their data and who it belongs to. They must also have appropriate procedures in place that permit them to quickly and accurately evaluate the extent of the data breach.
  
 Yet this is rarely the case. There are still many organisations, large and small, that do not know the exact number of customers they have on their books. They often do not know the different payment methods they use. In addition to this, they may also not know where their data is held. Subsequently, if there is a data breach, many companies won’t know how much data has been exposed or how many customers, employees or third parties have been affected, they will not be able to gauge the impact of the breach.
  
 Record-keeping of all data should therefore be far more detailed and cyber incident response procedures should be tested and re-tested to ensure they are fit for purpose. It is essential that response and management of a breach includes key stakeholders including senior management, risk managers and Chief Information Officers to ensure that they are applied across the company.
  
 This helps in quelling business interruption and reputational damage and lessens the chance of data breaches going undetected. It also ensures that a consistent, well-considered message is delivered.
  
 As companies seek more specific cyber insurance coverage for data protection and other cyber incidents, they will be more inclined to draw on specialised cyber risk underwriting and depend less on traditional insurance policies.
  
 Buyers shouldn’t assume that cyber insurance policies are not ‘fit for purpose’ or don’t work in practice. Cyber insurance has been around in various forms for more than 15 years, and has paid hundreds of millions of pounds in claims.
  
 Ultimately, the better companies understand their own risk profile – in particular their cyber exposures – and the better their internal systems, the more tailored and better priced cyber insurance they’ll be able to buy.
  
 Insurers in this arena will price for uncertainty, so companies that approach the market with evidence of their comprehensive risk mitigation strategies are better placed to secure top-notch cover.
  
 Cyber is a high growth market and competition among insurers is increasing. They are all keen to build good relations with customers and for their products to be seen favourably, especially as there are still some buyer concerns over the practicality of cyber insurance policies.
  
 As a result claims response is efficient, with insurers and insureds in this space cooperating collaboratively. Buyers have no excuse now not to fully map out their cyber exposures and to seek cyber cover.
  
 With the Europe’s data protection regulation around the corner, and insurers vying for new business, there might never be a better time.
  

Back to Index


Similar News to this Story

Actuarial Post Magazine Awards Winners Edition December 2024
Welcome to the Actuarial Post Awards 2024 winner’s edition and we hope you enjoy reading about their responses on having won their award. The awards
Guide to setting expense reserves under the new Funding Code
The new defined benefit (DB) funding code of practice (new Funding Code) requires all schemes to achieve funding levels that ensure low dependency on
Smooth(ing) Operator
Private equity can be a great asset. It’s generally the most significant way to have any real world impact as an investor (eg infrastructure assets li

Site Search

Exact   Any  

Latest Actuarial Jobs

Actuarial Login

Email
Password
 Jobseeker    Client
Reminder Logon

APA Sponsors

Actuarial Jobs & News Feeds

Jobs RSS News RSS

WikiActuary

Be the first to contribute to our definitive actuarial reference forum. Built by actuaries for actuaries.