Two Years on from GDPR: Has It Driven Growth in Cybersecurity Insurance?

Whilst GDPR has put the spotlight on data privacy and cyber issues, there are other more prominent trends that are driving a greater take-up of cyber insurance, says Ben Maidment, Class Underwriter - Cyber, Physical & Technology at Brit Insurance.

Many in the insurance industry, myself included, expected the introduction of GDPR in May 2018 to drive a boom in demand for cyber insurance products in the UK and Europe, as data protection and privacy became a board-level conversation for companies both big and small. However, whilst it has contributed to the growth of the cyber insurance market, we have seen other significant trends contribute to the real uptick in demand — namely, the exponential rise in size, frequency and sophistication of ransomware attacks and increased understanding of "silent cyber" risks.

GDPR: Cybersecurity in the Spotlight
Data privacy legislation and regulation implemented in the US in the mid-2000s drove demand for cyber insurance in the North American market, as businesses looked to protect their digital assets. We expected much the same trends to translate to Europe with the introduction of GDPR, with the enforcement of the legislation and prohibitive potential fines leading to an increase in cyber insurance uptake.

Undoubtedly, we have seen demand increase for cyber insurance products since the introduction of GDPR across Europe in May 2018, as well as following high-profile data breaches. The loss of customer data and large resultant fines totalling in the hundreds of millions have demonstrated just how severe the impact of cyber-attacks could be. As a result, data-intensive businesses and sectors which handle and transfer large volumes of sensitive personal data, such as healthcare and retail banking, have been quick to see the benefits of taking out cyber insurance policies.

However, we have not seen the pick-up we expected in industries which are less data intensive (such as manufacturing) and SMEs who believe they are unlikely to be the target of a cyber-attack due to their low profile and size.

One additional explanation for the muted pick-up of GDPR driven cyber insurance is the lack of clarity from the regulatory authorities over whether the potentially very large fines levied against businesses under the legislation can be recovered under insurance policies. GDPR sets a maximum fine of €20 million (about £17.5 million) or 4% of annual global turnover — whichever is greater. Understandably, if a company is unsure if this potential fine would be covered under their policy, they are less likely to seek cover.

For these reasons, whilst GDPR was certainly an important milestone in Europe’s data privacy landscape, it could be argued that a number of other factors have played a more prominent role in the last two years in driving the growth in the cyber insurance market.

Ransomware on the Rise
When speaking to our clients, the growing frequency, severity and sophistication of the ransomware threat to their businesses has been their biggest concern and the true catalyst for cyber insurance adoption. And the numbers support this: the McAfee Labs Threats Report in 2019 recorded an astonishing 118% rise in ransomware attacks in the first quarter of last year.

The threats presented by ransomware are twofold: first, ransomware is designed to encrypt a file system, potentially causing irreversible damage or loss of data – leading to financial losses from interruption to business operations. Second, an increasing number of cyber criminals are using this ransomware to extort money from their victims in exchange for the release of their systems.

2017 saw the emergence of new and destructive strains of malware and ransomware such as WannaCry and NotPetya. The threat, however, continues to evolve, becoming more sophisticated as new variants emerge, posing significant threats to even the most resilient of companies.

More recent strains include REvil/Sodinokibi, a Ransomware-as-a-Service (RaaS) operation which recently targeted New York law firm Grubman Shire Meiselas & Sacks, leaking personal documents of celebrities such as Lady Gaga.

This year has also seen NetWalker, another RaaS tool, pose an increasing threat, recently announcing a significant recruitment drive to expand its network of affiliates to disseminate its ransomware more widely.

Ransomware attacks have not just impacted those who handle data governed by GDPR, but those for whom business interruption can be catastrophic: logistics, manufacturing and shipping. As a result, cyber insurance demand has rocketed in the face of this growing ransomware threat facing all sectors and sizes of businesses.

Listening out for "Silent Cyber"
The third factor driving the uptake of cyber insurance is the industry and regulatory push to eliminate ambiguity over coverage for cyber incidents in non-specific policies commonly purchased by companies, with the mandate to either explicitly provide such coverage or to exclude it altogether.

Traditional Property and Casualty policies were not created with cyber exposures in mind and customarily neither implicitly include nor exclude cyber risks. This causes obvious concerns as companies may be under the impression they have adequate cover through their traditional policy, but find themselves mistaken depending on how the coverage in their policy is interpreted at the time of loss.

In addition to coverage considerations, with the increase in high-profile cyber-related losses in recent years, regulators have become increasingly concerned that such exposures are being neither adequately underwritten nor priced for in certain Property and Casualty policies, and that such "silent cyber" or "non-affirmative cyber" coverage should be eliminated.

This has led to less cyber coverage being available under traditional policies, and instead the purchase of standalone and specific cyber products. In doing so, companies benefit from greater certainty and clarity over their coverage in the event of a breach or hack, while regulators can be more confident that cyber exposures are being adequately underwritten, priced and monitored.

The Role of Insurance
It is crucial, therefore, in the face of these three trends driving the awareness of cyber risks, that management teams engage with the insurance industry to better understand the risks that they face — and to ensure that their policies provide cover for them.

And insurance doesn't just provide financial cover if the worst should happen; insurers can also support companies in mitigating risks before the fact, as well as helping the company recover. Insurers such as Brit are able to provide additional "value-add" services, including education, risk management training, and access to global cyber experts, including IT and forensic specialists, lawyers and crisis PR advice.

This story first appeared on IFSEC Global, part of the Informa Network, and a leading provider of news, features, videos and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things and more.
