Beware of GDPR – Take your Cyber Risk Responsibility More Seriously

By Eelco Ouwerkerk

Industry Director Wholesale and Retail, Aon

All organizations, whether businesses or government agencies, should be concerned with their cyber risk exposure at this very moment.

The connectedness among businesses, their operations, suppliers, and customers, driven by the increasing use of digital technologies, means that every organization around the globe is vulnerable to potentially catastrophic losses resulting from electronic data theft and sabotage. This reliance among partnering organizations, combined with the growing use of big data, cloud computing, social media, and “bring your own device” policies, and with state-sponsored espionage, has made the risks resulting from cyber crime one of the top concerns of business leaders today.

And it is not just businesses. Local and national governments are catching up with this relatively new threat as well. Digital technology is increasingly used for commercial purposes within those environments too: to sell products and services, to optimize business processes, and to reduce operating costs. Common applications across government agencies include cloud computing, email, the Internet, social media, mobile applications, and big data.

Whether in business or government, these technologies and new advancements play a major role in the realization of stakeholder value, whether this means optimizing profits or taxpayers’ monies. But when there are opportunities there are also downsides. Indeed, the downsides from data usage and sharing are increasing every day. Organizations must not only protect themselves from cyber abuse, they also need to protect the data and records of their most precious asset: their customers.

Data Dependence Comes with a Price

Our increasing dependence on digital technologies and data exchange, and the heightened susceptibility of businesses and governments to specific electronic risks, bring new challenges to world economies. Human and system failures are rapidly increasing, partly due to the heavy commercial dependence among supply chain partners. Today, ordinary criminals, digitally native individuals, professionals, and current or former employees can all be responsible for major crimes, ranging from data theft, fraud, sabotage, and espionage to hacking.

The financial consequences and bottom-line results of such crimes can substantially impact for-profit and non-profit organizations across all industries. Imagine the impact of legal liability, reputational damage, and business disruption on your current business operations and on your future sources of income.

The 2016 Global Cyber Impact Report

The whole insurance market is deploying innovative digital solutions to address uncertainties arising from the increased inter-connectivity among business operations.

The 2016 Global Cyber Impact Report from the Ponemon Institute [1] highlights interesting developments across a variety of industries, some of which I shall share with you below. [2]

  • Nearly 65% of organizations expect their cyber risk exposure to increase in the next two years:
    • The impact of business disruption to cyber assets is 72% greater than to property, plant, and equipment (PP&E) assets.
    • Organizations valued cyber assets 14% higher than PP&E assets.
    • Quantification of probable maximum loss from cyber assets is 27% higher than from PP&E.
    • Organizations insure on average 59% of PP&E losses, compared to an average of 15% of cyber exposures.
  • Information assets held by businesses and government are underinsured against theft or destruction based on their market value.
  • Despite the increased risk digital undertakings have on businesses, companies are reluctant to purchase cyber insurance coverage.
  • 69% of respondents to the Ponemon Cyber Survey believe their companies’ exposure to cyber risk will increase over the next 24 months … However, only 15% of respondents confess their company has cyber insurance coverage.
  • 57% of companies in the Ponemon Cyber Study experienced a material or significantly disruptive security or data breach one or more times during the past two years, and the average economic impact was US$2.1 million.

How do Organizations Transfer Cyber Risk?

Some exposures can be transferred contractually. The marketplace is evolving fast on this specific subject to provide more personalized service solutions, such as loss control resources, data breach coaches, dedicated claims resources, and pre-approved panels of vendors and service providers to ensure adequate responses to individual breaches. Many insurers now provide cyber coverage on a primary basis, although the breach response coverage offered varies with the insurer and the policy structure.

Ask your Organization These Key Questions

Before addressing the issue of risk transfer and cyber insurance options, let’s review why there is a need for these in the first place. The key questions that every risk officer should ask him- or herself are: “Can we identify and quantify the damages resulting from a successful cyber attack? And beyond the usage of readily available IT solutions, how do we protect ourselves from cyber risk?”

If your risk officer can answer these questions, it is likely that you have steps in place to create a safe cyber environment. However, organizations often struggle to answer these questions. In the worst-case scenario, many would not know what needs to be done in the first place.

General Data Protection Regulation (GDPR)

To create a safe cyber environment within your organization, you must first answer the questions we raised earlier, and then act on your findings as those choices will impact the safety of your employees and customers.

On 25 May 2018, the GDPR will come into effect. It is designed to ensure that every company within the European Union follows the same data safety regulations, and every business should ensure that it takes the necessary steps to become compliant.

What does compliance under the upcoming GDPR mean?

An organization must:

  • anchor privacy and data protection at the highest level within its business;
  • perform a cyber-risk prevention analysis to identify privacy risks and control issues through appropriate techniques and measures;
  • produce a register and record the usage of any sensitive data;
  • classify the organization’s personal information to comply with statutory data retention and deletion periods;
  • evaluate existing contracts with third parties with whom the organization shares information. Each organization will be asked to put data privacy and security agreements in place with each of its data processors;
  • set procedures to adequately anticipate and handle a data breach;
  • increase privacy awareness of all employees through educational activities;
  • set privacy regulation based on the GDPR or adjust existing policies accordingly;
  • inform those concerned about what will happen to their personal data;
  • determine whether the organization must appoint a data protection officer.

Every business, large or small, must ensure that it has procedures in place to deliver on these measures. However, it is clear that many organizations do not have the manpower or expertise to deliver on these and will need to find a “cyber risk partner” to ease the burden placed on them.

Growing Responsibility for Organizations

The GDPR does not just provide guidelines. Under the new regime, companies will have obligations towards every personal data record. They will have to comply with the European privacy laws and demonstrate that they are compliant by implementing technical measures and documenting that appropriate actions took place. The Regulation is there to regulate organizations and impose fines when they fail to comply.

Power to the People

The GDPR strengthens individuals’ privacy rights and gives individuals the ability to assert themselves when their data are misused. Under the new privacy law, organizations must obtain consent from every person before using any set of their personal data. It must also be just as easy for any individual to withdraw his or her consent and to ask a business to delete any personal records it holds. It is also likely that organizations that pass data to third parties in a multi-party transaction will have to request that these third parties delete the received data. And individuals wanting to change supplier(s) will be able to request that their personal data be shared with them or with a third-party supplier in a standard format, to ease transactions with other sellers and service providers.

Consequences Beyond Reputational Damage and Disruption

It is simple. Businesses need to comply if they do not want to be fined. The best way to avoid a fine is to conduct a yearly Privacy Impact Assessment (PIA) and/or appoint a Data Protection Officer (DPO).

The penalty in the Netherlands for a data breach is estimated to be a maximum of EUR 820,000 today. By 25 May 2018 the fines will grow: a two-tiered sanctions regime will apply. Businesses committing specific types of breach could incur fines of up to €20 million or 4% of global annual turnover for the upcoming financial year, whichever is the greater, levied by the data protection authorities.

For other smaller breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater.

So Why Did we Start our Argument Focusing on Cyber Risk?

I must say that it is likely that any business out there will attempt to comply with GDPR. However, additional peace of mind will come for those that invest some time and effort in identifying the right cyber risk prevention and protection solutions that best suit them and their business.

Such cyber insurance products typically include coverage for the following:

  • Liability risk, which provides compensation and legal support in the event of third-party claims resulting from loss of personal and/or business data;
  • Crisis costs to undertake forensic investigations, reputational public repair, customer notification costs, credit monitoring, IT services, and cyber incident response services;
  • Regulatory proceedings, covering investigation costs, legal assistance, and administrative fines;
  • Digital media breach to cover compensation and defence costs related to third-party claims against you arising out of your multimedia activities (e.g. defamation, allegation, or plagiarism);
  • Cyber extortion, including ransomware;
  • Network interruption, loss of revenues, or net profits associated with network downtime.

Cyber insurance provides great assistance in the case of legal issues. Many of the products available will enable businesses to contact a team of lawyers to find answers to their data breach questions and to determine whom to inform in the event of a breach.

All in all, it is clear that businesses must start preparing their operations to avoid data-related claims. And if there is a data breach they must ensure that they have the right processes in place and that the business was protected by cyber insurance in the first place.
