By Eelco Ouwerkerk
Industry Director Wholesale and Retail, Aon
All organizations, whether businesses or government agencies, should be concerned with their cyber risk exposure at this very moment.
The connectedness among businesses, their operations, suppliers, and customers, due to the increasing use of digital technologies, means that every organization around the globe is vulnerable to potentially catastrophic losses resulting from electronic data theft and sabotage. This reliance among partnering organizations and the growing use of big data, cloud computing, social media, “bring your own device” corporate policies, and state-sponsored espionage have catapulted the risks resulting from cyber crime into one of the top concerns of business leaders today.
And it is not just businesses. Local and national governments are catching up with this relatively new threat as well. Digital technology is increasingly used for commercial purposes within those environments too: to sell products and services, to optimize business processes, and/or to reduce operating costs. Known applications used across government agencies include cloud computing, email, the Internet, social media, mobile applications, as well as big data.
Whether in business or government, these technologies and new advancements play a major role in the realization of stakeholder value, whether this means optimizing profits or taxpayers’ monies. But when there are opportunities there are also downsides. Indeed, the downsides from data usage and sharing are increasing every day. Organizations must not only protect themselves from cyber abuse, they also need to protect the data and records of their most precious asset: their customers.
Our increasing dependence on digital technologies and data exchange, and the heightened susceptibility of businesses and governments to specific electronic risks, bring new challenges to world economies. Human and system failures are rapidly increasing, partly due to the heavy commercial dependence among supply chain partners. Currently, regular criminals, digital-first individuals, professionals, as well as (former) employees can all be guilty of major crimes, ranging from data theft, fraud, sabotage, and espionage to hacking.
The financial consequences and bottom-line results of such crimes can substantially impact profit and non-profit organizations across all industries. Imagine the impact of legal liability, reputational damage, and business disruption on your current business operations and on your future sources of income.
The whole insurance market is deploying innovative digital solutions to address uncertainties arising from the increased inter-connectivity among business operations.
The 2016 Global Cyber Impact Report from the Ponemon Institute highlights interesting developments across a variety of industries, some of which I shall share with you below.
Some exposures can be transferred contractually. The marketplace is evolving fast on this specific subject to provide more personalized service solutions, such as loss control resources, data breach coaches, dedicated claims resources, and pre-approved panels of vendors and service providers to ensure adequate responses to individual breaches. And many insurers provide cyber coverage on a primary basis, i.e. the breach response coverage offered varies with the insurer and the policy structure.
Before addressing the issue of risk transfer and cyber insurance options, let’s review why there is a need for these in the first place. The key questions that every risk officer should ask him- or herself are: “Can we identify and quantify the damages resulting from a successful cyber attack? And beyond the usage of readily available IT solutions, how do we protect ourselves from cyber risk?”
If your risk officer can answer these questions, it is likely that you have steps in place to create a safe cyber environment. However, organizations often struggle to answer these questions. In the worst-case scenario, many would not know what needs to be done in the first place.
To create a safe cyber environment within your organization, you must first answer the questions raised above, and then act on your findings, as those choices will affect the safety of your employees and customers.
On 25 May 2018, the GDPR will come into effect. It is designed to ensure that every company within the European Union follows the same data safety regulations, and every business should ensure that it takes the necessary steps to become compliant.
What does compliance under the upcoming GDPR mean?
An organization must:
Every business, large or small, must ensure that they have procedures in place to deliver on these measures. However, it is clear that many organizations do not have the manpower or expertise to deliver on these and will need to find a “cyber risk partner” to ease the burden brought on them.
The GDPR does not just provide guidelines. Under the new regime, companies will have obligations towards every personal data record. They will have to comply with the European privacy laws and demonstrate that they are compliant by implementing technical measures and documenting that appropriate actions took place. The Regulation exists to regulate organizations and to impose fines when they fail to comply.
The GDPR strengthens individuals’ privacy rights and gives individuals the ability to assert themselves when their data are misused. Under the new privacy law, organizations must obtain consent from every person to use any set of personal data. It must also be just as easy for any individual to withdraw his or her consent and ask a business to delete any personal records it holds. It is also likely that organizations that pass data to third parties in a multi-party transaction will have to request that these third parties delete the received data. And individuals wanting to change supplier(s) will be able to request that their personal data be shared with them or with a third-party supplier in a standard format, to ease transactions with other sellers and service providers.
It is simple. Businesses need to comply if they do not want to be fined. The best way to avoid a fine is to conduct a yearly Privacy Impact Assessment (PIA) and/or appoint a Data Protection Officer (DPO).
The penalty in the Netherlands for a data breach is estimated to be a maximum of EUR 820,000 today. By 25 May 2018 the fines will grow: a two-tiered sanctions regime will apply. Businesses committing breaches of specific types could incur fines of up to €20 million or 4% of global annual turnover for the upcoming financial year, whichever is the greater, which will be levied by the data watchdogs.
For other smaller breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater.
I must say that it is likely that any business out there will attempt to comply with the GDPR. However, additional peace of mind will come to those that invest some time and effort in identifying the cyber risk prevention and protection solutions that best suit them and their business.
Such insurance products would include coverage for the following:
Cyber insurance provides great assistance in the case of legal issues. Many of the products available will enable businesses to contact a team of lawyers to find answers to their data breach questions, including whom to inform in case of a breach.
All in all, it is clear that businesses must start preparing their operations to avoid data-related claims. And if there is a data breach they must ensure that they have the right processes in place and that the business was protected by cyber insurance in the first place.