Cyber breaches could soon get a lot costlier in Europe
The clock is ticking for compliance with the EU’s General Data Protection Regulation (GDPR), with enforcement of the new regime due to kick in from 25 May 2018. The countdown is a certainty, but a big question remains unanswered: are GDPR fines insurable for risk managers, and how ruthless will regulators be in punishing offending firms?
“GDPR is on everyone’s mind. That’s a big question about whether the fines are insurable,” Kyle Bryant, Chubb’s head of cyber risk for UK and Europe, told StrategicRISK.
“They are regulatory penalties and the way they are classified matters. The EU still needs to create the enforcement body to effectuate the GDPR. Someone is going to have to make the decision. The EU enforcement body will select the regulator best suited to manage the investigation and enforcement,” he added.
Bryant described “a disbelief that regulators will take action immediately” among some firms. He cited a digital transformation presentation from UK risk management association AIRMIC, supported by Chubb and published in June, which suggested that only by 2021 will a slim majority (55%) of risk managers be compliant. “A lot of people think there’s going to be a lag time from going active to the first enforcement actions,” said Bryant.
As with so much regulation within Europe’s single market, implementation will likely vary in speed and style among the continent’s patchwork of regulators. However, depending on whichever local regulator is in the driving seat, Bryant had a stark warning for those treating compliance with complacency.
“If you’re sitting in a jurisdiction where the regulator is active – let’s say France, Spain or the Netherlands – then you may be in for a rude awakening,” said Bryant. “The regulators are ready to act. A Dutch law was put into place in readiness for GDPR from January 2016. There have already been fines and penalties levied against corporations – some of our own clients, for sure.”
Some regulators have larger staffs and are better prepared, he suggested. The French regulator started auditing companies a year ago, for example, and the Netherlands has prior enforcement experience.
German and UK regulators also look relatively well prepared. In Spain, Bryant cited a new privacy law, under which hospitals have already been fined for complacency over data protection. “GDPR is going to give them another tool in the toolbox,” Bryant said.
From an insurer’s perspective, the new rules also represent an opportunity. “GDPR is certainly driving demand and take-up rates for standalone cyber insurance. These are long term conversations, largely focused on wordings,” said Bryant.
“Risk managers are being proportionate and making sure information collected is appropriate to needs. Companies are working on security, for the most part lining themselves up to have a reasonable preventative strategy, and also purchasing risk transfer.”