One thing is for certain: cyberattacks have become the norm, not the exception. Not even the NSA is capable of completely warding off security breaches. Major banking and retail institutions, as well as the government, are not surprisingly the most likely targets because of the amount of sensitive and private data they control. Still, other companies outside these sectors must heed the warnings and not become the next cyber victim. Protecting against cyber vulnerability is not merely a domestic issue. Rather, multinational companies are prime targets, and are currently undergoing institutional changes to navigate the EU General Data Protection Regulation (GDPR) that goes into effect May 2018.
Touted as “the most important change in data privacy regulation in 20 years,” the GDPR is designed to protect EU citizens from privacy and data breaches, but will have a broad global impact for multinational companies. Importantly, the GDPR’s influence is not limited to companies located in the EU. It will also apply to non-EU businesses processing data of EU citizens. Its jurisdiction is expansive. The impact on cross-border data transfers cannot be overlooked.
With approximately 180 days until the regulation is enforced, companies will be hard pressed not only to consider their compliance strategy, but also how best to manage their business’ risk. There are hefty fines should a company fail to comply with the GDPR (up to 4% of annual global turnover or €20 Million), but the business losses and reputational harm can be even more significant. Cyber insurance may be one means to protect against these stricter data protection laws, and now is the time to explore what insurance products are available, well in advance of the GDPR being enforced.
Companies face vast cyber risks, some of which are insurable now, and others that may become insurable on the market as the industry evolves. Cyber policies often cover losses incurred by companies to notify their clients that their personal data has been compromised, for example, but these policies can also have broad exclusions for critical infrastructure or acts of war by foreign states and military action. While many cyber policies cover business interruption damages incurred when operations are suspended or stalled, the limits on this coverage is often limited, so be aware of your policy limits to ensure that your coverage provides adequate protection for your business. Some policies cover losses of your own data, but do not necessarily cover liabilities arising from losses of customer or other third-party data. Moreover, permanently lost data often falls outside the scope of cyber coverage.
Now is the time to reach out to your insurance brokers to purchase coverage that protects against cyber threats and to research whether the marketplace offers policies that could cover the potential penalties your company could face related to changes in privacy regulation. Consult with coverage counsel to better understand how policy provisions have been interpreted, and the coverage positions taken by insurers in the cyber marketplace.