New EU data privacy rules spur questions, concerns in cyber liability space

U.S. insurance underwriters and brokers have been fielding a rush of questions related to the European Union's new data privacy regulations, which take effect May 25.

Several speakers at a cyberrisk conference said they expect an increase in claims on cyber policies due to the impact of enforcement actions related to the EU's new General Data Protection Regulation, or GDPR. However, there is concern over whether existing cybersecurity policies will cover fines and penalties from European regulators amid expectations that the new rules will be enforced aggressively against American companies.

Liability policies will likely pay for costs related to enforcement actions that stem from data breaches. It is unclear whether those policies will deal with penalties over failures to comply with the new regulations in cases where there are no such breaches, according to speakers on a panel discussion at Advisen Ltd.'s Cyber Risk Insights conference in Chicago.

"I don't think any of us know what to expect," said Brett Anderson, a breach response services manager for Beazley PLC. The matter might have to be settled in court, Anderson said during a panel discussion.

In Europe, a study by Aon and DLA Piper found that civil penalties such as the ones that can be levied under GDPR are insurable in only two of 30 countries reviewed (Finland and Norway). The legislation allows for fines of up to €20 million, or 4% of a firm's global turnover.

Insurance brokers are being asked to act as consultants of sorts by their customers and help them to comply with the new regulations, said Meredith Schnur, an executive at USI Insurance Services LLC. For instance, companies have to ensure that their systems are not collecting customer data without their consent, as that is a key plank of GDPR.

The new rules are so broad that enforcement-related costs will not always be included under existing cyber policies, said Schnur, senior vice president for professional risk practice.

"There are two issues: Insurability and then there's definitely the implications in terms of coverage depending on what part of GDPR you've been found to be in violation of or not compliant with," she said.

Brokers have been asking carriers to make amendments to cyber liability insurance to include more coverage for, among other things, additional enforcement action costs under the new privacy rules, Schnur added.

A spike in breach and other security failure-related claims is likely after the new rules go into effect, according to AIG Europe Ltd. In a recently released report, the company said companies will become more likely to report breaches, leading to a rise in cyber claims similar to what the industry saw after U.S. state breach notification laws went into effect.

While many smaller companies are advised to submit notifications of breaches, they are not forced to do so under current law, explained Kathy Avery, an AIG financial lines major loss adjuster. That will change once GDPR comes into effect.

"We’re certainly anticipating more notifications after that," she said.

The new regulation could also lead to an increase in shareholder lawsuits against companies and their directors, AIG said in its report. Almost every high-profile breach has been followed up by class-action litigation, the insurer noted, and that trend could continue with GDPR.

Not everyone believes the new rules will have a dramatic impact. Jay Kramer, a partner at law firm Lewis Brisbois Bisgaard & Smith LLP, said the perception of extra risk is overblown. Speaking during an Advisen conference panel discussion, Kramer said he tells clients whom he advises on cyber liability that the new European regulations mostly overlap with privacy measures that companies should already have in place.

"Being prepared to secure and respect the privacy of the data that you hold, and to respond to incidents, are things that are required already in all 50 [U.S.] states," Kramer said.