Underwriting cyber risk for multinational companies with Europe's GDPR

Jul 25, 2017

How Europe's General Data Protection Regulation (GDPR) impacts cyber insurance.


Beginning on May 25, 2018, the European General Data Protection Regulation (GDPR) will go into effect. This particular law will have sweeping impacts across the supply chain, including the U.S. Unlike many standards or regulatory guidance, the GDPR is the first to impose almost unreasonable and overly burdensome fines.

With less than a year to go, how an organization maintains, stores or transmits personally identifiable information (PII) of Europeans may have a profound impact on its bottom line. Penalties for violating the law include the costs of additional audits plus 20 million euros or 4 percent of the offending company's annual global revenue (whichever is higher).

As the GDPR becomes the new reality in risk management and governance, the ability to transfer the imposed financial risks will likely require insurance companies to change how they evaluate an applicant's cyber risk profile.

Recently, I interviewed Judy Selby of Hanover Stone Partners, LLC, a firm specializing in providing risk consulting, risk management services and human capital consulting. Ms. Selby's area of expertise is in the cyber insurance markets. We discussed the GDPR and its implications for the insurance markets. Ms. Selby raised a great point pertaining to how brokers and carriers may encounter a bandwidth challenge in having enough manpower to adequately evaluate the cyber risk profiles of multinational firms that are now subject to GDPR.

She went on to illustrate that many in the insurance field still view insuring cyber as an immature market segment, and that this lack of maturity may be problematic. The reason is that if a multinational applicant does not fully understand GDPR, or how, where and when European PII applies, the ability to properly cover it is likely proportional to, and limited exclusively to, the context in which the applicant conveys it during the application process.

Underwriting may become even more onerous when we weigh the threats associated with bring your own device (BYOD). The GDPR requires a company maintaining European PII to have a clearly defined expiration, triggering its complete removal under the "Right to be Erased" measure. What happens if a company acting in good faith removed the PII from its servers, yet an employee still had it on his or her phone, and the phone was lost or stolen? If the applicant had advised the insurer of its compliance with GDPR, but that compliance was circumvented by an employee, is the employer held accountable? More likely than not, yes.

According to Eurostat, there are roughly 22,346,729 small- and medium-sized businesses. Since the onset of globalization via the internet, the supply chain is exceptionally large and impacts U.S. business owners. Adequately protecting privacy with prudent cybersecurity programs is problematic for small and mid-size firms because of the cost and expertise requirements. Obviously the cost considerations are sizable. All the more reason to ensure you have a mechanism to transfer the risk and to understand what exclusions may apply.


In speaking with Tyler O'Connor of CRC Insurance Services, Mr. O'Connor advised that the cyber insurance marketplace still has soft penetration but is not designed to act as a "gotcha marketplace." Insurers operate under good faith and desire to support their clients. Having said that, if it comes to light that the applicant misrepresented at the time the policy was enacted, there are grounds for exclusions, and the insurer may thereby be justified in challenging a claim filed. He feels that the insurance markets tend to have a "knee jerk" reaction to a major event like TARGET or similar high-dollar value and very publicly facing incidents. But then, almost as fast as the reaction ramps up, it subsides almost as rapidly.

If history is any indicator, then the first GDPR fines will likely have a profound impact as well. The question is whether claims ranging from a few hundred thousand dollars up to the figures TARGET incurred will have the same social and financial impact as 20 million euros, time after time after time. One fact to be sure of is that insurers provide their clients with tools and resources to address crisis events like this, as cyber coverage has become increasingly commoditized, as most lines of "peril" insurance are.


Carter Schoenberg is the President and Chief Executive Officer of HEMISPHERE Cyber Risk Management, Inc. Mr. Schoenberg is a certified information system security professional with over 23 years of combined experience in criminal investigations, cyber threat intelligence, cyber security, risk management and cyber law. He is a cybersecurity subject matter expert supporting government and commercial markets to better define how to evaluate a risk profile and defining criteria for brokers and carriers to utilize in their determination on coverage and premium analysis.

HEMISPHERE is working with insurance stakeholders to define appropriate standards and training of brokers and agents in determining coverage requirements, scheduled for release later in 2017. HEMISPHERE is also working with the National Association of Insurance Commissioners' Cyber Task Force.

Mr. Schoenberg's expertise has been featured at many events, and his background and knowledge in the Latin American markets, specifically in Panama, has provided him with a unique and detailed view of this market segment.

Mr. Schoenberg is responsible for designing practical solutions to address cyber risk management using his proprietary cost-benefit analysis, enabling system owners to make mission- and cost-justified decisions on cyber risk. Starting his career in law enforcement as a homicide detective, his work products have been actively used by DHS, the ISAC communities, and the Georgia Bar Association for Continuing Learning Educational (CLE) credits on the topic of cybersecurity risk and liability. His expertise is profiled at conferences including ISC2, SecureWorld Expo, ISSA and InfosecWorld.

The opinions expressed in this blog are those of Carter Schoenberg and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.