Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Physical Security

05:40 PM

Two Years on from GDPR: Has It Driven Growth in Cybersecurity Insurance?

Whilst GDPR has put the spotlight on data privacy and cyber issues, there are other more prominent trends that are driving a greater take-up of cyber insurance, says Ben Maidment, Class Underwriter - Cyber, Physical & Technology at Brit Insurance.

Many in the insurance industry, myself included, expected the introduction of GDPR in May 2018 to drive a boom in demand for cyber insurance products in the UK and Europe, as data protection and privacy became a board-level conversation for companies both big and small. However, whilst it has contributed to the growth of the cyber insurance market, we have seen other significant trends contribute to the real uptick in demand — namely, the exponential rise in size, frequency and sophistication of ransomware attacks and increased understanding of "silent cyber" risks.

GDPR: Cybersecurity in the Spotlight
Data privacy legislation and regulation implemented in the US in the mid-2000s drove demand for cyber insurance in the North American market, as businesses looked to protect their digital assets. We expected much the same trends to translate to Europe with the introduction of GDPR, with the enforcement of the legislation and prohibitive potential fines leading to an increase in cyber insurance uptake.

CyberResilience-20Undoubtably, we have seen demand increase for cyber insurance products since the introduction of GDPR across Europe in May 2018, as well as following high profile data breaches. The loss of customer data and large resultant fines totalling in the hundreds of millions have demonstrated just how severe the impact of cyber-attacks could be. As a result, data intensive businesses and sectors which handle and transfer large volumes of sensitive personal data such as healthcare and retail banking, have been quick to see the benefits of taking out cyber insurance policies.

However, we have not seen the pick-up we expected in industries which are less data intensive (such as manufacturing) and SMEs who believe they are unlikely to be the target of a cyber-attack due to their low profile and size.

One additional explanation for the muted pick-up of GDPR driven cyber insurance is the lack of clarity from the regulatory authorities over whether the potentially very large fines levied against businesses under the legislation can be recovered under insurance policies. GDPR sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover — whichever is greater. Understandably, if a company is unsure if this potential fine would be covered under their policy, they are less likely to seek cover.

For these reasons, whilst GDPR was certainly an important milestone in Europe’s data privacy landscape, it could be argued that a number of other factors have played a more prominent role in the last two years in driving the growth in the cyber insurance market.

Ransomware on the Rise
When speaking to our clients, the growing frequency, severity and sophistication of the ransomware threat to their businesses has been their biggest concern and the true catalyst for cyber insurance adoption. And the numbers support this; McAfee Labs Threats Report in 2019 recorded an astonishing 118% rise in ransomware attacks in the first quarter of last year.

The threats presented by ransomware are twofold: first, ransomware is designed to encrypt a file system, potentially causing an irreversible damage or loss of data – leading to financial losses from interruption to business operations. Second, an increasing number of cyber criminals are using this ransomware to extort money from their victims in exchange for a release of their systems.

INFOGRAPHIC: Cyber Security Breaches Report 2020

2017 saw the emergence of new and destructive strains of malware and ransomware such as WannaCry and NotPetya. The threat, however, continues to evolve, becoming more sophisticated as new variants emerge, posing significant threats to even the most resilient of companies.

More recent strains include REvil/Sodinokibi, a Ransomware-as-a-Service (RaaS) operation which recently targeted New York law firm Grubman Shire Meiselas & Sacks, leaking personal documents of celebrities such as Lady Gaga.

This year has also seen NetWalker, another RaaS tool, pose an increasing threat, recently announcing a significant recruitment drive to expand its network of affiliates to disseminate its ransomware more widely.

Ransomware attacks have not just impacted those who handle data governed by GDPR, but those for whom business interruption can be catastrophic: logistics, manufacturing and shipping. As a result, cyber insurance demand has rocketed in the face of this growing ransomware threat facing all sectors and sizes of businesses.

Listening out for "Silent Cyber"
The third factor driving the uptake of cyber insurance is the industry and regulatory push to eliminate ambiguity over coverage for cyber incidents in non-specific policies commonly purchased by companies, with the mandate to either explicitly provide such coverage or to exclude it altogether.

Traditional Property and Casualty policies were not created with cyber exposures in mind and customarily neither implicitly include nor exclude cyber risks. This causes obvious concerns as companies may be under the impression they have adequate cover through their traditional policy, but find themselves mistaken depending on how the coverage in their policy is interpreted at the time of loss.

In addition to coverage considerations, with the increase in high profile cyber related losses in recent years, regulators have become increasingly concerned that such exposures are being neither adequately underwritten nor priced for in certain Property and Casualty policies and such “silent cyber" or "non affirmative cyber" coverage should be eliminated.

This has led to less cyber coverage being available under traditional policies, and instead the purchase of standalone and specific cyber products. In doing so, companies benefit from greater certainty and clarity over their coverage in the event of a breach or hack, while regulators can be more confident that cyber exposures are being adequately underwritten, priced and monitored.

The Role of Insurance
It is crucial, therefore, in the face of these three trends driving the awareness of cyber risks, that management teams engage with the insurance industry to better understand the risks that they face — and to ensure that their policies provide cover for it.

And insurance doesn't just provide financial cover if the worst should happen, they can also support companies to mitigate risks before the fact as well as helping the company recover. Insurers such as Brit are able to provide additional "value-add" services, including education, risk management training, access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR advice.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.

IFSEC Global, part of the Informa Network, is a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies – like video surveillance, access control, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Visit the Web's Most Authoritative Resource on Physical Security

To get the latest news and analysis on threats, vulnerabilities, and best practices for enterprise physical security, please visit IFSEC Global. IFSEC Global offers expert insight on critical issues and challenges in physical security, and hosts one of the world's most widely-attended conferences for physical security professionals.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/30/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-31
There is no input validation on the Locale property in an apt transaction. An unprivileged user can supply a full path to a writable directory, which lets aptd read a file as root. Having a symlink in place results in an error message if the file exists, and no error otherwise. This way an unprivile...
PUBLISHED: 2020-10-30
NVIDIA CUDA Toolkit, all versions prior to 11.1.1, contains a vulnerability in the NVJPEG library in which an out-of-bounds read or write operation may lead to code execution, denial of service, or information disclosure.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. The issue affects the following components: Edit feed settings, Edit widget area, Sub site new registration, New category registration. Arbitrary JavaScript may be executed by entering specific characters in the account that can ac...
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is vulnerable to Cross-Site Scripting. Arbitrary JavaScript may be executed by entering a crafted nickname in blog comments. The issue affects the blog comment component. It is fixed in version 4.4.1.
PUBLISHED: 2020-10-30
baserCMS before version 4.4.1 is affected by Remote Code Execution (RCE). Code may be executed by logging in as a system administrator and uploading an executable script file such as a PHP file. The Edit template component is vulnerable. The issue is fixed in version 4.4.1.