Beyond the direct business and reputational losses a data breach causes, businesses must also contend with fines from government regulators and lawsuits from affected customers, factors that cyber cover providers must take into account.
According to a report by security publication Stratfor, governments, especially in Europe and North America, are requiring companies to improve their network defences, with fines awaiting those who fail to do so. Meanwhile, businesses that expose customers’ information are increasingly being sued by affected consumers.
The report cited the example of the US government’s ‘carrot and stick’ approach, where the ‘carrot’ involves funding to improve cyber security and law enforcement assistance. On the other hand, ‘sticks’ include fines linked to regulatory violations arising from data breaches, as well as settlements from class-action lawsuits.
Companies in the healthcare, retail, and financial services sectors are the most likely to incur fines or lawsuits related to data breaches. In October, the US Department of Health and Human Services fined health insurer Anthem US$16 million – the largest-ever fine imposed by the department – for a 2014 data breach that exposed the data of almost 79 million individuals.
In Asia there have been similar cases, such as the three insurers in Singapore fined by the country’s financial regulator for data breaches. However, regulation across Asia-Pacific markets remains “piecemeal”, especially on mandatory breach notification, according to a Marsh report titled ‘Cyber Risk in Asia-Pacific - the Case for Greater Transparency’. This indicates that governments in the region have not yet recognised the role transparency plays in the fight against cyber risk.
While regulation in the region has yet to catch up with North America or the European Union, insurance providers and brokers should anticipate more stringent regimes such as the EU’s General Data Protection Regulation (GDPR). That means factoring in the cost of legal defences and regulatory fines, costs that some earlier cyber insurance policies left out because there was no legislation or case law to price them against.
However, Marsh still warned that insurance cannot realistically cover all risks.
“There is no one standard policy to cover cyber risk as the characteristics of cyber threats vary widely across industries and corporation size, while the terms and coverage of policies are complicated in nature,” Marsh said. “Thus, companies need to have a deeper understanding of their own exposure as it will help determine the appropriate type and amount of coverage required based on their risk tolerances.”