Newly passed EU laws on data protection and cybersecurity could be a boon for insurance companies, which could pick up more clients once the rules go into effect in 2018.
Under the data protection regulation and the network and information security (NIS) directive, the EU’s new cybersecurity law, companies will be required to report to authorities if their digital networks are attacked by hackers. Both laws were approved earlier this year.
There is very limited data about how many companies in Europe have already purchased insurance policies to cover hacking attacks. Insurance companies and researchers say that’s because the market is still too young.
In 2014, a report from Deloitte found that 90% of the worldwide market for insurance against digital attacks was based in the US, where premiums for those policies alone reached a gross $2 billion that year.
That same year, the large German engineering firm Bosch bought the most expensive insurance policy for digital attacks to date, covering damages worth up to €100,000 million.
Europe slow to catch up
But insurance policies for digital security have been slow to catch on in Europe.
With the data protection and cybersecurity laws set to go into effect in 2018, government offices, industry groups and think tanks are trying to figure out how many companies already pay for what insurers call cyber risk insurance.
The EU cybersecurity agency ENISA organises a working group on insurance covering tech security breaches.
ENISA director Udo Helmbrecht says that there is not nearly as much data reflecting how probable and costly attacks in the technology sector are as there is concerning car security, a traditional industry covered by insurance companies.
“But we see that more and more insurance companies build models for calculating risks. And there is more and more a demand from the industry, which asks for insurance models,” Helmbrecht said.
Demand on the rise
Helmbrecht predicted that the demand from companies and insurers will push the cyber insurance market to grow and that the notification requirement under the NIS directive might fuel the trend.
The cybersecurity rules will require operators of so-called essential services, including energy, healthcare, banking and transport, to report security breaches.
Under the EU data protection regulation, a broader range of companies will have to inform authorities within 72 hours if they’ve suffered an attack that exposes personal data.
Those requirements will likely mean that authorities will receive more data about security breaches.
An increase in information detailing attacks could feed back to insurance companies and sharpen their method for calculating the probability of future breaches.
EU negotiators wrapped up talks on a major data protection reform last night (15 December) that will tighten privacy laws and determine how companies handle consumers’ personal data.
The OECD is planning to publish a series of three reports later this year on the market for cyber risk insurance, which is almost entirely based in the United States and only now starting to get off the ground in Europe.
Requirements to report attacks under the new EU laws could change that.
“I think it is a potential growth factor,” said Mamiko Yoko-Arai, coordinator of the research at the OECD.
SMEs more vulnerable
Cyber risk insurance policies often cover liability complaints and loss of income from damage to a company’s systems.
The OECD is asking for information from private companies and government offices in its member states, which include 21 EU countries. The organisation plans to outline whether insurers can calculate how likely a company might be to suffer a cybersecurity attack.
“We want to find out if insurance companies can quantify their risks,” said Yoko-Arai.
“We’re trying to find out what risk models they have. How advanced are they and are there areas where greater data collection could help with policy calculation?” she added.
Yoko-Arai said the OECD studies will use the data on cybersecurity breaches to pinpoint areas where there could be tighter consumer protection measures. While larger companies are more likely to already have insurance that covers digital attacks, smaller companies are much more vulnerable.
“If SMEs are attacked, it could wipe them out completely,” Yoko-Arai said.
EU lawmakers and member states on Monday (7 November) struck a deal on the bloc’s first broad cybersecurity law to affect multiple industry sectors.
The EU network and information security directive will oblige companies to be audited for preparedness and to notify national authorities of cyber incidents with a “significant impact" once it goes into effect in 2018. The directive also suggests that market operators will be liable regardless of whether or not they carry out the maintenance of their network internally or if they outsource it.
The EU singled out a number of sectors which it claimed require more action on cybersecurity including “critical” infrastructure operators in energy, transport, banking and healthcare services.
EU negotiators also struck a deal on new data protection rules this year that will go into effect in 2018. The general data protection regulation will require companies to report to authorities within 72 hours if consumers' personal data has been compromised during an attack on their digital systems.