With less than a year to go before its implementation on May 25, 2018, the General Data Protection Regulation (GDPR) is high on the agenda of (re)insurers operating within the European Union (E.U.) or providing services to E.U. residents. The new regulation, which aims to enhance the consistency of data protection rules across the E.U. and simplify the regulatory environment, will create significant new obligations for companies processing personal data, including (re)insurers. The GDPR further intends to increase the effectiveness of the right to data protection and to put individuals in control of their own data. Whilst this is expected to provide regulatory challenges for (re)insurers, the requirement for mandatory notification of serious data breaches is also likely to fuel both supply of and demand for cyber insurance in Europe.
As part of its monitoring of industry issues, A.M. Best is holding ongoing dialogues with rated companies regarding the steps they are taking to prepare for the implementation of GDPR. Insurers have been asked a series of questions, including how they plan to demonstrate adherence to the obligations and whether their company has been prompted to buy cyber insurance coverage that it would not otherwise have considered. In discussions, as well as in a questionnaire on GDPR, rated entities have also disclosed how they expect it will impact the cyber insurance market from an underwriting standpoint and any likely change in the wording of (re)insurance policies as a result of its implementation.
Implications for (Re)insurers as Data Controllers
In the lead up to the introduction of GDPR, European insurers, as data controllers, have told A.M. Best they are undergoing a comprehensive review of their data-related risk management, looking at breach-response plans and the resilience of their systems. They have also increased their focus on governance. Additional complexities are faced by insurance groups with subsidiaries in multiple jurisdictions, as regulatory gap analysis highlights meaningful discrepancies among current national data protection standards.
(Re)insurers confirm that actions are being undertaken both internally, through training and review of procedures, policies and processes, and externally, as privacy notices, customer documentation and contracts need to be realigned to comply with the upcoming standards. These actions are particularly important for personal lines insurers. In some cases, companies have been pushed to look for new skills to address the challenge. The pending GDPR has also prompted some companies to reconsider roles and functions within their organisations, promoting closer integration among IT, compliance, legal and risk management departments.
Rated insurers also highlight that prevention initiatives have been coupled with updated incident response plans, including the creation of emergency management teams. Companies are currently testing and fine-tuning these plans, with results analysed by the chief operating and chief risk officers and periodically discussed at board level. Despite the importance and breadth of the review process, companies appear confident of their progress, as they describe an average level of readiness of seven out of ten.
To date, there has only been a moderate increase in the appetite of (re)insurers for additional cyber coverage in preparation for GDPR enforcement. This stance can be partly explained by the uncertainty surrounding the insurability of potential administrative penalties issued under the new regulation.
Opportunity for Insurers Offering Cyber Cover
In A.M. Best’s view, the new data regulation will help align European standards with those in the U.S. However, the most significant consequence of the implementation of the GDPR is likely to be a marked growth in cyber insurance revenues, with some carriers suggesting it will represent “a shot in the arm” for the non-U.S. cyber market. The GDPR is, therefore, expected to represent a major change for the European cyber insurance market.
The introduction of the GDPR is expected to affect both demand and supply of cyber insurance, albeit over different timeframes. In the short term, as stricter data-breach reporting rules enhance transparency, a considerable increase in reported breaches will likely spread risk awareness beyond major corporations down to small and medium enterprises, resulting in higher demand for cyber products. A.M. Best expects this trend to be reinforced by the resonance of high-profile loss events such as WannaCry and Petya, the ransomware attacks of May and June 2017. A recent report by A.M. Best, “Cyber Line Expected to be One of the Leading P/C Growth Areas”, published June 22, 2017, stated that demand for cyber insurance increases after every reported breach, and that coverage is estimated to grow to between USD 7.5 billion and USD 20 billion by 2020.
In the medium term, as more, and more reliable, data becomes available, with positive implications for pricing models, insurance supply should gain momentum. (Re)insurance companies expect some new products to make an appearance on the market, such as liability cover for new technology and connectivity risks. However, a far greater role is expected to be played by existing products, with industry observers indicating that carriers currently have untapped capacity in cyber insurance. Interestingly, some market participants suggest that insurers will refrain from inserting additional exclusion clauses in their policies as a result of the GDPR, as new entrants increase competitive pressures in the cyber insurance market.
In A.M. Best’s view, the combination of the higher levels of competition, limited historical data and (potentially) high severity losses, increases the need for a strong focus on enterprise risk management (ERM).
Cyber Risk in A.M. Best’s Ratings
For several years now, A.M. Best has been monitoring how companies develop their expertise on cyber risk and how they integrate risk management with other functions, including underwriting.
Moreover, A.M. Best recognises that cyber threats are a potentially significant risk to insurers and that mitigating the risk should be a sub-component of an organisation’s ERM strategy. The holistic framework which A.M. Best adopts includes an assessment of an insurer’s susceptibility to cyber threats from the perspective of technology, people, processes and preparedness. Additionally, A.M. Best, in collaboration with insurance cybersecurity specialists, evaluates the motivation of threat actors to direct their efforts at a particular carrier. Ongoing monitoring of rated entities is also carried out through periodic questionnaires and in management meetings.
For companies writing cyber insurance, A.M. Best also asks for details on potential aggregation of cyber exposures, both to quantify their level as compared to the company’s free capital and to determine the level of sophistication of the tools used in its measurement. An assessment of a company’s attitude towards risk mitigation practices, such as the assessment of silent cyber exposure, the level of underwriting limits and the purchase of adequate reinsurance protection, is also embedded in the rating process.