Underwriting cyber risk for multinational companies with the Europe’s GDPR

Beginning on May 25, 2018, the European General Data Protection Regulation (GDPR) will go into effect. This particular law will have sweeping impacts across the supply chain, which will include the U.S. Unlike many standards or regulatory guidance, the GDPR is the first to impose almost unreasonable and overly burdensome fines.

With less than a year to go, how an organization maintains, stores or transmits personally identifiable information (PII) of Europeans may have a profound impact on their bottom line. Penalties for violating the law include the costs of additional audits plus 20 million euros or 4 percent of the offending company's annual global revenue (whichever is higher).

As the GDPR becomes the new reality in risk management and governance, the ability to transfer the imposed financial risks will likely require how insurance companies evaluate an applicant's cyber risk profile.

Recently, I interviewed Judy Selby of Hanover Stone Partners, LLC, a firm specializing in providing risk consulting, risk management services and human capital consulting. Ms. Selby's area of expertise is in the cyber insurance markets. We discussed the GDPR and the implications to the insurance markets. Ms. Selby raised a great point pertaining to how brokers and carriers may encounter a bandwidth challenge in having enough manpower to adequately evaluate cyber risk profiles of multinational firms that are now subject to GDRP.

She went on to illustrate what many in the insurance field view insuring cyber as still an immature market segment and this lack of maturity may be problematic. The reason being that if a multinational applicant does not fully understand GDPR or how, where and when European PII applies, the ability to properly cover is likely proportional and limited exclusively to the context in which the applicant conveys it during the application process.

Underwriting may become even more onerous when we weigh the threats associated with bring your own devices (BYOD). The GDRP requires a company maintaining European PII to have a clearly defined expiration, triggering its complete removal under the "Right to be Erased" measure. What happens if a company acting in good faith removed the PII from its servers but yet an employee had on his/her phone and the phone was lost or stolen? In the event that the applicant advised the insurer their compliance with GDPR but was circumvented by an employee, is the employer held accountable? More likely than not, yes.

According to Eurostat, there are roughly 22,346,729 small- and medium-sized businesses. Since the onset of globalization via the internet, the supply chain is exceptionally large and impacts U.S. business owners. The ability to adequately protect privacy concerns with prudent cybersecurity programs is problematic for small and mid-size firms because of the cost and expertise requirements. Obviously the cost considerations are sizable. All the more reason to ensure you have a mechanism to transfer the risk and to understand what exclusions may apply.

[Related: General Data Protection Regulation (GDPR) requirements, deadlines and facts]

In speaking with Tyler O'Connor of CRC Insurance Services, Mr. O'Connor advised the cyber insurance market place still has soft penetration but is not designed to act as a "gotcha market place." Insurers operate under good faith and desire to support their clients. Having said that, if it comes to light the applicant misrepresented at the time the policy was enacted, there are grounds for exclusions and thereby may be justified in challenging a claim filed. He feels that the insurance markets tend to have a "knee jerk" reaction to a major event like TARGET or similar high-dollar value and very publicly facing incidents. But then almost as fast as the reaction ramps up, it subsides almost as rapidly. 

If history is any indicator, then the first GDPR fines will likely have a profound impact as well. The question is will claims of a few hundred thousand dollars up to the figures TARGET incurred have the same social and financial impact as 20 million euros time after time after time? One fact to be sure of is that insurers provide their clients with tools and resources to address crisis events like this as it has become increasing more commoditized as most lines of "peril" insurance are.