New European regulations are forcing large corporations to closely examine cyber security and what measures they are taking to mitigate against potential cyber breaches. European legislators are putting into place complex new data protection laws that will force all companies to make customers aware of data breaches.
The new laws are designed to bring cohesiveness to pan-European regulations and to bring uniformity to cyber security across the European Union’s member states.
Tanguy Le Gouëllec de Schwarz, partner at law firm Goldberg Segalla, suggests that the law is similar to previous EU regulations.
“The large majority of the regulation is not very different at all from the original regulation, the centrepiece of which was the directive 95/46ED. That was the directive that was established from which local laws, such as the data protection 1998 in the UK for instance, were derived.”
He adds that the laws are there to bring all EU member states in line with one another and to ensure that they all behave in a similar fashion.
“Unfortunately some of the member states enacted this directive in slightly different ways,” he says.
“The primary object of creating these regulations is to streamline everything across all member states. It’s not necessarily because a lot of things have happened and there was a need for legislation. It’s just to make sure that everybody behaves the same way. This is especially true with respect to protection of individual’s personal data and the free movement of that personal data, so the object of the regulation is still to protect the individual.”
However, the new laws are unique in the fact that they bring to the table new penalties for non compliance.
This is going hand in hand with the requirement that almost all industries are soon to be required to notify their customers in the case of data breaches, says Tom Scourfield, partner and the UK head of intellectual property at CMS Cameron McKenna.
Le Gouëllec de Schwarz comments that data breach notification makes up the vast majority of the new regulations. “Now the regulation will make everybody responsible for data breach notifications and that is across the board regardless of how much personal data you handle,” he says.
“There is a threshold of 500 individuals personal data where you don't have to follow some of the regulations but regarding data breach notifications that is something everybody needs to abide by. The other big change is the level of accountability and transparency that the company will have to have.”
Another fine mess
Another important change is the potential severity of the fine that companies are likely to face if they are found to not be compliant with the data protection regulations.
“There have always been data protection laws, for example in the UK if you seriously contravene the data protection legislation you can be fined to up to £500,000 <$775,550>,” explains Scourfield. “It’s a not an insubstantial amount but at that value it’s not worthy of board level attention. However, when the new European data protection regulation comes into force that number is likely to change from £500,000 to 2% of global turnover.
“So if you're a large multinational and you get it wrong and suddenly you're looking at up to 2% of global turnover it immediately gets everybody's attention. Obviously this would be only in the worst case scenario.”
Worryingly, the fine in itself is not the only economic consequence that insureds could face if they suffer a large data breach, however.
“If you had a massive 2% turnover fine the effect on the company's value could be considerably more than 2%,” says Stephen Tester, partner in the insurance and reinsurance group at CMS Cameron McKenna. “This raises the spectre of stockholder derivative claims against the company’s directors if it can be shown that relevant officers failed to have proper procedures in place to stop this kind of thing from happening (or failed to ensure that the procedures were followed).”
Tester reports that there is a debate about whether a fine itself is insurable.
“There is a big question about the extent to which you can insure the fine itself,” he says. “The answer tends to vary depending on who has imposed the fine and the applicable law and jurisdiction. In the UK, for example, the FCA
Insurers may, however, be able to cover the costs that companies will have to pay in dealing with data breach investigations.
“There is less controversy about cover for the costs of dealing with investigations that might lead up to fines,” says Tester.“The best view is probably that you can normally cover your costs in dealing with investigations. There may have to be some provision for clawing back those costs if it was found that there was some kind of morally reprehensible behavior but in general terms it should be possible to cover them.”
The final and most difficult area of potential costs associated with data breaches is a firm’s reputational damage. Tester concedes this is difficult to quantify, especially if there is a substantial claim associated with it.
“Quite apart from the fines and so on there is the reputational damage that is caused by all this,” he says. “It is very difficult to cover reputational damage per se and a number of insurers have given thought to how they might cover it but none have really come up with any good ideas other than to meet the costs of PR consultants who are engaged to try and contain the reputational fall-out.”
An untested market
One of the problems that is currently associated with cyber as a specialist line of business is that there are very few models that exist to quantify how expensive it is to write and how it should be underwritten.
Dan Gerber, partner at Goldberg Segalla, says that the insurance industry is still waiting to feel the full brunt of potential cyber security breaches and how costly they can be.
He comments: “The industry may be waiting for its Hurricane Katrina moment with respect to cyber.”
This lack of a market-changing cyber incident means some in the industry have historically taken a more relaxed approach to cyber security risk. This approach could be harmful to the industry if it was to see a greater frequency in expensive cyber incidents.
Huhnsik Chung, partner in charge at Edwards Wildman in New York, claims the insurance industry has to try to understand the risks associated with cyber attacks in order to price it effectively.
“I think the insurance industry itself has tried to come to grasp with what the exposures depicted by this risk that they’ve signed on to really are,” says Chung. “I can say it is an exposure that the industry as a whole generally is not familiar with. There have been market leaders that have been writing these types of policies starting seven or eight years ago.
“Some of those leaders have now pulled out with others taking a bigger chunk.”
Chung comments that many insurers continue to price cyber risk ineffectively and sometimes offer cyber coverage as an add-on, rather than a separate stand alone policy. He warns that every time there is a data breach it is potentially tens of millions of dollars at risk. Some insurers are virtually adding on cover for free.
“For $50 you can get an endorsement that covers such an exposure and you may have some limits, maybe $1m, $500,000, maybe $100,000,” says Chung. “Getting $50 for that kind of tack-on coverage when you could have a disgruntled employee that steals all the credit card information and names
This policy becomes even more dangerous when the figures being talked about by legislators in Europe are taken into account and it suggests that levels of cover are likely to change as insurers realise that the type of coverage being added on to more standard policies is not sufficient to cover the extensive risk associated with cyber security.
Tester of CMS feels that insurers who write “low or no cost” cyber extensions to policies that are designed to deal with other risks are risking dangerous additional exposure.
“They are also missing an opportunity to provide properly priced stand alone cyber coverage,” he says. Tester thinks this will change as insurers become more aware of the risks involved.
“Insurers know that the risk is getting much bigger and they are much more aware that if they give it away
“For that reason we are all seeing insurers specifically stripping out the cyber cover and covering it separately, either because they see an opportunity or as a way of protecting themselves.”
Le Gouëllec de Schwarz at Goldberg Segalla advises insurers to look carefully at how their policies are worded as the breach notification process can be expensive.
“I think that one has to look carefully as to what exactly the insurer provides as an add-on for cyber risk,” he says. “If it is the litigation cost and therefore the responsibility of the insured because some data was divulged or disclosed when it shouldn't have been, then I would say the insurer should look carefully at what a policy says because breach notification costs can be huge and sometimes can be as high as £50 per individual. If you have 100,000 customers that suddenly put costs into a very large figure. So the advice will be for the insurers to look very carefully at this add on what exactly they mean by cyber risks.”
For insurers, the issue of cyber security is not limited to their clients. Insurers themselves are privy to vast amounts of personal information that would fall under the new personal data protection regulations.
Under the new regulations insurers will have to be aware that their own data protection procedures are also under scrutiny, with the potential fines and economic damages being applicable to them as well as their clients.
Scourfield at CMS Cameron McKenna notes that the new regulation is as important for insurers’ own data as it is for the insureds, and will further limit the ability of insurers to share data globally.
“There are obligations not only in respect of protecting their own data, but also their ability to exploit and share data across the group,” he says. “Even under current data protection legislation, you're not allowed to send it outside the European economic area without proper safeguards and protections in place.”
Aside from the economic implications the reputational problems of a data breach are as relevant for insurers as they are for insureds.
“On the reputation perspective the last thing any decent insurer needs is to have a problem themselves because they are going to look like they haven't got their own house in order,” says Scourfield.
Of the essence
Time is essential when cyber breaches occur. It is vital that insureds contact insurers and they in turn contact legal representatives as soon as possible to mitigate any further potential fallout from the incident.
Gerber at Goldberg Segalla says that the potential severity of serious personal data cyber breaches has meant that law firms are being called in as soon as breaches take place.
“If the law firm is brought in at the moment that the crisis begins and they retain all the experts on their end then there is attorney client privilege attached,” he says. “This is a reverse from where your cyber experts would come in first and then perhaps retain or work with a law firm because there was an argument that privilege would not be attached.”
This advice is shared by Tester and Scourfield at CMS Cameron McKenna, who recommend that any firm which is at risk of a large cyber breach should think ahead and have a multi professional team pre-assigned to deal urgently with any crisis.
Insurers have a role to play in supporting these. Tester and Scourfield comment there is a clear demand for insurer-backed multi-jurisdiction cyber crash teams to help an insured company manage the fallout.
Cyber security is likely to continue to be a pressing issue over the coming years for insurers and their clients and the new EU regulations make compliance with cyber security regulations an economic and reputational necessity. Insurers must be aware of the risks associated with a potential breach.
By Sam Kerr – firstname.lastname@example.org