Cyber insurance is a type of insurance used to cover damages that may be caused by a cybercrime. This could include the theft of personal data of clients, employees or suppliers.
A company which falls victim to the theft of third party data, or loses customer data due to either computer or human error (i.e. treatment of data with due care) can face significant penalties, as stipulated in the new European General Data Protection Regulation (GDPR).
In this post we will explain what cyber insurance is, which crimes it can cover, and which aspects of the new GDPR are relevant with regards to the processing of personal data.
This post is also available in Spanish.
What is Cyber insurance?
Cyber insurance will play a key role in the insurance industry in the next decade. In 2015, companies spent 2,500 million euros on Cyber insurance, and this figure is forecast to rise to 7,000 million euros in 2020, according to consultants PwC Spain.
The National Cybersecurity Institute (Incibe) states that there are four ways to handle cyber risks: avoidance, mitigation, acceptance or transfer. Cyber insurance focuses on the last of the above approaches.
THIBER is an independent organisation which focuses on the study of security and defence in cyberspace. In their study ‘Cyber insurance: the transfer of cyber risk in Spain’, they define cyber insurance as "insurance products whose objective is to provide protection against a wide range of incidents arising from the risks present in cyberspace, the use of technological infrastructures and the activities developed in this environment ".
Basically, cyber insurance offers protection against claims from third parties and employees and any possible investigation for a breach of legislation in this field.
Which cyber risks does cyber insurance cover?
As with all insurance policies, cyber insurance covers the basics, plus other optional guarantees. Although each contract is different, cyber insurance covers a wide range of risks that can be categorised in two groups:
1. Damages to self
They are the derivatives of loss of income as a result of a security breach or a denial of service attack.
Which cyber risks are covered?
- Cover for data hosted in the cloud.
- Expenses incurred for management and communication of the crisis (using IT consultants).
- Technical assistance and incident investigation expenses (forensic reports).
- Repair and restoration costs for deleted data and damaged equipment.
- Ransom payment.
- Legal defence and protection against fines or sanctions from regulatory bodies.
2. Damages from third parties
Which cyber risks are covered?
- Liability cover for loss of personal data.
- Expenses for notification of privacy breaches to the owners of the registries or to affected third parties.
- Protection against third-party claims in cases of data custody, corporate media defamation or malware infection.
- Coverage of cybercrimes: phishing scams, telephone hacking, electronic fraud and cyber extortion.
Some insurance companies offer additional prevention coverage in their cyber insurance, such as security audits.
In the case of such an extra being contracted, security experts from the insurance company will analyse the protection status of the systems and implement tools for the adequate adaptation to the new European Data Protection Regulation.
Cyber insurance - prevention or solution?
Insurers are faced with the difficult task of assessing the impact of cyber risks, in most cases, with little data.
For this reason, in order to grant a cyber insurance policy, insurers demand to adapt companies to the requirements of the current legislation on the protection of personal data.
For this, companies must comply with a series of security measures that demonstrate a certain maturity and responsibility of management to mitigate the risks.
It can be said that cyber insurance also works as a method of prevention, because it often entails the requirement to adopt protection measures and incident management procedures for legal compliance. Without such systems in place, cyber insurance will not be granted.
Cyber insurance thus contributes to improving the security of the companies in terms of information systems and data processing, and by extension that of all related parties (customers, partners, collaborators, suppliers, suppliers, etc.).
At the same time, it can be said that cyber insurance is the solution because, when a cyber-attack occurs, if the company is insured, the damages are transferred to the insurer.
Cyber insurance and data processing according to the RGPD
Almost every day there are stories of companies that have had their information stolen, even personal data of their clients, or have been subject to some form of online extortion, such as the cyber-attacks known as ransomware.
Important law firms have been victims of cyber-attacks that have been used to expose confidential information about clients, for example the Panama Papers case or the Football Leaks case, filtering documentation of high profile characters from law firms.
Given the situation, the EU has pushed for important reforms in legislation in order to protect people's privacy. The new General Data Protection Regulation will come into force on May 25th 2018.
This regulation contains new obligations and sanctions, and will demand changes that businesses must enforce, both with respect to the design of the processes for treatment of personal data, and the treatment of data management.
What are the three principal aspects of the GDPR?
Three of the key aspects of this regulation are as follows:
1. Severe penalties.
Penalties range from 600,000€ to 20,000,000€, or 4% of turnover.
2. The obligation of businesses to communicate any security breach to the regulatory bodies.
The regulatory bodies will closely monitor company activity, investigating any breach in terms of data protection which is expected to cause claims against the company. This requires a greater level of control to detect any security breach.
3. The requirement to obtain a declaration from the interested party that states their unequivocal agreement with your processing their data.
Tacit consent will be forbidden under the new RGPD.
In the event that a company falls victim to a cyber-attack, the theft of data from its customers, employees or suppliers may incur severe penalties under the new Data Protection Regulation.
It is from there that the need to contract insurance policies to cover cyber-attacks and security gaps in information systems arises
Cyber insurance is undoubtedly the insurance policy which will take centre stage in the industry over coming years, especially within professional sectors such as legal, financial, technological, healthcare and retail companies, as companies in these sectors are usually the most affected by cybercrime.
The new General Data Protection Regulation is expected to be an incentive for companies to take an active interest in securing their data, both due to the impact on reputation that communicating a breach in systems entails, and the high sanctions established in the new RGPD.
This post is also available in Spanish.