Businesses are becoming increasingly aware of insurance products that protect against the risks posed by data breaches and liability for other cyber incidents, an expert has said.
Insurance data risks and cyber liability specialist Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said that in-house lawyers were encouraging businesses to become more aware of cyber products but that they still faced challenges in convincing senior management that it is worth investing in insuring against the risk of cyber attacks.
Birdsey was commenting after a Zurich-sponsored survey of more than 500 risk managers by insurance market researchers Advisen detailed that 60% of companies do not have cyber liability insurance.
According to the survey, 52% of companies that currently do not purchase cyber liability insurance said that they were not considering buying such coverage within the next year. Only 24.3% of those surveyed said they were considering buying the coverage, with a further 23.6% not sure.
The Advisen survey report (9-page / 3.95MB PDF) said that the figures indicate that this area “represents a growth opportunity for brokers and insurers”.
“When you consider the increasing frequency, severity and exposure of security and data breaches, it is surprising that 52% of companies said they would not be considering buying data risks or cyber liability insurance next year,” Birdsey said.
“In our experience, companies are starting to appreciate the exposures they face and are beginning to review and understand the various insurance products in the market. However, the test remains whether advocates for data risks or cyber liability insurance cover at General Counsel or Chief Privacy Officer level can persuade their management teams to allocate budget to buy cover in the next financial year,” the expert added.
Birdsey said that the UK and European markets for cyber liability insurance are “developing slowly” and “following a similar pattern” to what has happened in the US and Canadian markets which he said “exploded” following “a number of high-profile breaches around five years ago”. Those cases include ones reported by supermarket chain Hannaford Brothers and discount retailer TJX in 2007 and by Heartland Payment Systems in 2009.
The Advisen report outlined that more companies have measures in place to respond to data breaches and cyber incidents than have cyber liability insurance.
“More than two-thirds of respondents claimed that information security risks are a specific risk management focus within their organisations,” the report said. “Organizations increasingly have implemented, or are in the process of implementing, an organisation-wide information security approach. Most organizations have some form of multi-departmental information security and cyber risk team or committee.”
“More than two thirds of respondents said their organizations have a disaster response plan in place in the event of a major breach,” it added.
Birdsey said that data risk and cyber liability insurance can help businesses reduce their exposure to damages often associated with major incidents.
“While it is encouraging to see that companies are investing in prevention, and all companies should at a minimum have in place both an Incident Response Plan including an Incident Response Team and run regular breach response rehearsals, security is not always perfect and it is equally important to have a team of experts on standby including legal, forensic and PR teams to respond immediately when required,” Birdsey said.
“From a financial perspective, as breaches can have a significant financial and reputational impact, companies should at the very least consider transferring any data breach exposures off their balance sheet by way of a suite of data risks or cyber liability insurance products,” he added.
In January the European Commission published a draft General Data Protection Regulation in a bid to reform the fragmented and outdated data protection framework that currently exists across the EU.
If the draft Regulation comes into force companies would be required to notify any individuals concerned and regulators with certain information about any personal data breach “without delay and, where feasible, not later than 24 hours after having become aware of it”. The information should include recommendations over what people can do to “mitigate the possible adverse effects of the personal data breach”.
Under the Commission’s proposals regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation.
The European Commission also recently said that it intends to “present a comprehensive strategy on cyber security” before the end of the year. The proposals will contain draft legislation with the aim of improving “network and information security across the EU” and will “provide for a cooperation mechanism amongst the Member States and introduce security requirements for the private sector”.
In July the European Commission launched a consultation on the issue, seeking the views of Governments, businesses and others in a bid to help it form its legislative plans. At the time it said that businesses could be required to report when their “essential” systems have been disrupted due to “cyber incidents”. At the time the Commission said its aim is to “enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU.”