
Regulation in Cyber: GDPR Takes Effect Next Year

On May 25, 2018, the European General Data Protection Regulation, or GDPR, takes effect. While the regulation is far reaching, several of its sections are directly relevant to cyber insurance and cyber risk modelling. A few key sections are discussed below. The text of the entire regulation is at the link above. Our understanding is that the GDPR will apply to companies around the world that hold data on European Union citizens.

Article 33 of the regulation requires notification of breaches within 72 hours of discovery, and Article 34 requires communication regarding the breach to the impacted parties. These obligations carry several specific costs that would almost definitely be insurable, including notification costs, forensic costs, credit monitoring costs, and potential liability. In fact, breach notification laws in the United States have most likely driven the vast majority of cyber insurance written for U.S.-based companies today, as well as the extremely fast growth of cyber insurance take-up in the U.S. Laws in 47 states currently require breach notification; only South Dakota, Alabama, and New Mexico have no such requirement—and New Mexico will become the 48th state to require notification when its new law takes effect next month. As European companies prepare for GDPR over the next year, they will most likely take a new look at purchasing cyber insurance.

One of the most interesting (and perhaps concerning) sections is Article 83, which allows for fines of “up to 4% of the total worldwide annual turnover [revenue] of the preceding financial year.” Speaking with many of our own (re)insurer clients around the world, there is still no consensus on whether the prescribed fines are insurable. Regardless, these fines would apply to insurance companies as well if their data were breached, so it is important to account for this in business plans and manage the risk.

With increasing regulation in cyber comes growing opportunity—the chance to expand a book of business into new markets and new organisations that hadn’t previously considered the need for cyber insurance. AIR’s cyber modelling efforts can help support new and established cyber insurers as they manage their portfolios.

Find out more about GDPR at our Insurance in the digital world: cyber, data and technology – from hype to reality event on 19 October. Book your place here.

About the author:

Scott Stransky is Assistant Vice President and Principal Scientist in AIR's Research and Modelling group. He leads the Statistics and Applied Mathematics group, which is responsible for cyber risk modelling, supply chain modelling, life and health modelling, and stochastic catalog generation for various wind perils. He managed the research and development of AIR’s most recent tropical cyclone models for the Caribbean and Hawaii, and severe thunderstorm models for the US and Canada. He has participated in damage surveys for severe thunderstorms, tropical cyclones, and wildfires. Scott earned a B.S. in Mathematics with Computer Science from the Massachusetts Institute of Technology and an M.S. in Atmospheric Science from the Massachusetts Institute of Technology. His Master’s research involved numerical modelling of rotating fluids in the laboratory setting and extrapolating the results to real-world weather models. He has been at AIR since 2007.

Last updated 06/09/2017