WASHINGTON – The European Union's General Data Protection Regulation is starting to have an impact on demand for cyber insurance – an impact that will likely accelerate as other jurisdictions adopt similar privacy regimes, experts say.
market for cyber coverage and the US property/casualty insurance industry's total direct written cyber premiums increased 8% in 2018 to $2 billion, according to a report released by Fitch Ratings Inc. on Tuesday, which said that GDPR and its potential for significant penalties are spurring more interest in cyber risk management and coverage even though the growth rate has slowed compared with 2017. GDPR enforcement took effect in May 201
"There's no question that the GDPR has created interest and purchasing around cyber insurance," Matthew McCabe, New York-based senior vice president and assistant general counsel on cyber policy for Marsh Inc., said at the National Association of Insurance Commissioners' International Insurance Forum in Washington, DC, on Monday. "I was a little surprised the take-up wasn't immediate, but we're starting to see increased purchasing in the EU."
The EU had data regulation before the GDPR took effect, but "we've really seen that hammer come down," he said.
GDPR is starting to have an impact, with thousands of complaints filed and regulators currently engaged in large-scale investigations, said Gareth Truran, head of London market supervision, PRA Insurance Directorate, Bank of England.
"It is relatively early in terms of the consequences flowing through the system in terms of penalties and enforcement actions and so on," he said.
The focus on cyber insurance is likely to expand as more jurisdictions adopt similar regimes, which will also cause compliance challenges, Mr. McCabe said.
"We see mimic regimes popping up all over the world and within the United States and they're not always compatible," he said. "GDPR and I'm aware of how much or complicated that might be with, I now have regime B that has an overlap but it's not exactly and now that's going to exist in seven or eight of my major locations around the world. It's a really, really complex question for businesses that are going to pose a lot of traps. To work that back into cyber insurance, if you know that traps are out there, you better have that assessment of what (is) the financial impact of falling into that trap and you better have an answer for how you are going to approach that impact."
About a third of the largest companies in the UK market have purchased cyber insurance, but the take-up rate among smaller organizations is much lower even though they are more reliant on the post-breach response and resources of insurers, Truran said.
"Although it's easy sometimes to focus on the challenges for larger companies, which are obviously in some ways more difficult because of the size of the operations, they also tend to have a better level of cyber security, and better understanding, better preparation," he said. Take-up rate among smaller companies is "an area where we'd expect to see over time that change."
Risk managers in industries that traditionally do not buy cyber insurance have started purchasing the product "because insurers have more carefully started to define the boundaries" of what is covered and not covered, said Trish Comiskey, vice president, risk management corporate insurance, Hancock Whitney Bank in New Orleans, who has purchased cyber insurance dating back to 1998 and the concerns revolving around Y2K.
"If you have a business interruption claim for a property you have cyber intrusion, more than likely it's not going to be covered any more," she said.
"Companies that don't even deal heavily with personally identifiable information are just what they see," Ms. Comiskey added. "They have all come to realize a cyber attack is just a data breach and theft. It's now business interruption and it's going to be supply chain disruption."
But there are still critical questions about the boundaries of coverage, experts say. For example, Zurich American Insurance Co. denied coverage for Deerfield, Illinois-based snack food and beverage company Mondelez International Inc.'s expenses from its exposure to the NotPetya virus in 2017, leading to litigation called Mondelez Intl. Inc. v. Zurich Am. Ins. Co. filed in Illinois Circuit Court in Cook County, Illinois, in October 2018. The governments of the United States and United Kingdom blamed the attack on a Russian military attack on Ukraine that spread to computer systems worldwide.
Recent legal cases such as this are one of the reasons why cyber risk is difficult for insurers, said Allison Berke, executive director, Stanford Cyber Initiative at Stanford University in California.
"But I think we're going to see that more than that becomes a valid judicial challenge," she said.
However, whatever the outcome of that litigation, "that might have no applicability for the next policy because of the way the war exclusion was drafted," Mr. McCabe said.
"There is no singular war exclusion and in cyber insurance, the war exclusion is perhaps negotiated anew on every bond," he said. "any decent broker that this is a relevant issue and you need to address the exclusion based on the reason for purchasing any policy."
There could be pockets of cover for cyber risk in general liability policies, said Lori Bailey, Boston-based global head of cyber risk, commercial insurance, Zurich
"There could be some coverage built into those forms on a silent basis," she said. "The challenge, of course, may be up to the court to interpret whether any coverage exists. For most customers and companies we talk to, they want to know where their cyber is sitting. They do not necessarily need to erode on another policy if they have a huge property exposure, a huge casualty exposure, so having those dedicated limits and the dedicated product has become more important as the years have progressed."
And risk managers must be careful of insurance policy clauses in the scenario where multiple policies can respond, Ms. Comiskey said. "For example, a kidnap and ransom policy may pay to the deductible of the cyber policy, but risk managers have to make sure the cyber insurer is willing to allow for the erosion of the deductible or you might get a payment and then you are going to suffer another deductible before your cyber policy comes in," she said.