If there’s anything to say about 2018, it’s that the year was rule-laden, from GDPR coming into effect in the UK to mandatory breach notifications in Canada being enforced shortly after the legalization of marijuana. The handling of sensitive data by multinational businesses has become infinitely more complex, according to one expert, since they now have to worry about a variety of international laws and regulations besides those at home.
“Prior to the last 12 months, there were very few international regulations that required mandatory notification to end data subjects, and that’s changed dramatically,” said Graeme Newman, chief innovation officer at CFC Underwriting. “Multinational businesses have a huge patchwork of complex privacy regulations they now have to deal with and comply with and react to. Not only that, but increasing teeth have been put into these regulations.”
For one, a business that breaches GDPR faces the potential of major fines of up to 4% of annual global revenue. While regulations have made the world akin to a privacy breach minefield, they’ve also had the upside of increasing awareness of the issue among corporations.
“There’s been a lot of talk about privacy regulation that has caused businesses to focus, for a moment at least, on the value of the data that they’re holding, and understanding that somebody’s social security number, even their name, their address, and their email, is as valuable as physical possessions that they may entrust the business with,” said Newman. “That’s creating a mindset shift about how businesses collect that data, how they store that data, and ultimately how they share it.”
Brokers who put their heads in the sand on cyber risk and believe it won’t affect their commercial clients risk losing that business to a broker who will bring it up with them, but Newman sees another species of broker also prowling the cyber market.
“There’s the other type of brokers who are hungry for information and there’s no shortage of information out there for them,” he said, though he adds that it can seem overwhelming to read everything out there on the topic of privacy, data, and cyber threats, not to mention that the insurance industry as a whole often over-complicates cyber insurance when it doesn’t need to.
“At the end of the day, I think it’s pretty simple – if your clients store data, whether that be commercially sensitive data or personally sensitive data, they have to recognize that’s an asset just like any other asset, and they have to look after it – and that asset can also be insured. Clients that use technology in order to run their businesses have to accept that technology can break and that it can no longer be available, which can cause a loss of profits for them.”
At the same time, there’s no shortage of options out there for insureds as many mainstream, well-established insurers are offering cyber coverage, and putting out new, competitive products in this space.
“Brokers needn’t be afraid of addressing cyber as a concept, and if we stick to higher level, simple, and straightforward principles, it is a relatively easy product to understand and to sell,” said Newman.