Many firms have woken up to the risk posed by cyber crime and data disclosure following the introduction of new EU regulations. But claims are also expected to rise.

There’s been a boost to the UK cyber insurance market thanks to the introduction of the EU’s General Data Protection Regulation (GDPR). Insurers are reporting both an increase in cyber cover sales and rising interest across the sector as firms realise the scope for fines and penalties in the event of data disclosure – which can be through human error as well as a cyber attack.

The implementation of GDPR in May represented probably the biggest-ever shake-up of data-protection regulations and was widely predicted to prompt an increase in claims, already at a high.

Adrian Scott, global head of cyber at Pen Underwriting, confirmed the growth in cyber insurance sales.

“The simple answer is yes, it has increased the number of purchases that we’ve seen. We started selling cyber in the UK last June and every month we’ve improved our sales. I can’t explicitly say it is because of GDPR, but sales are definitely more than I thought they would have been.

“Since 1 January the number of enquiries about cyber insurance, questions from brokers, has definitely increased substantially. There’s definitely more of a focus on the subject of cyber and GDPR this year.”

GDPR has raised awareness of the cyber risk for all consumer-facing organisations.

“It started a much broader conversation, across not only the insurance industry but across industry – full stop – as companies addressed the potential impact,” says Scott.

“Awareness and education are changing. That’s very important and something that has to happen for the market to develop to its maximum level. GDPR is a small element of cyber insurance, but because of its profile it has created a focus on the whole area. That has been positive and has helped us by acting as a launching pad to educate and inform people about what cyber insurance actually does.”

He added: “People are asking if they’re covered for GDPR. That can mean a lot of things. That can mean not only fines and penalties, but it can also mean if you have a GDPR event you’ve probably got a number of other things going on.”

Clients pull the trigger

Sarah Stephens, head of cyber, content, and new technology risks at JLT Specialty, agrees that GDPR has pushed cyber cover growth this year.

“Clients that have been thinking about buying cover for several years have suddenly pulled the trigger. We are definitely seeing an increase in both interest and premium growth as a result,” said Stephens. “GDPR has raised awareness and it is this that starts to drive growth at the same pace as notification laws in the US drove growth 10 years ago. I’ve had an industrial firm with a very low exposure to personally identifiable information raise that recently as a key concern, only because of GDPR.

“It has facilitated a lot of conversations about the scope of cyber insurance. Where you might think on the surface it just applies to cyber attacks, the conversations around GDPR really make it clear that human error or the wrongful disclosure of information have nothing to do with a cyber attack and can open up coverage. From that perspective it has really led to a lot of conversations that might not have happened before.”

Claims at record levels

According to research from AIG Europe, implementation of GDPR will also propel data breach and other security failure insurance claims higher still. Claims were already at record levels, with the insurer seeing as many cyber claim notifications during 2017 as it had in the previous four years combined.

More notifications are expected as companies are increasingly inclined to report breaches. AIG agreed that the impact of GDPR on cyber claims will be similar to that witnessed in the US after breach notification laws came into effect.

Previously, many small- and medium-sized firms might not have notified the authorities after a breach. Now they are legally obliged to do so. They also have to factor in a shift in attitudes about personal data among consumers, who are becoming more switched on to their rights. This has been partly driven by GDPR but also by events such as the Cambridge Analytica and Facebook data scandal.

Richard Breavington, a partner at law firm RPC, says it is too early for claims arising from GDPR, but there are already more notifications.

“We have definitely seen an uptick in breach responses. People are more aware and very mindful of the notification requirements,” says Breavington.

“Whereas previously people might have taken a more relaxed view, now where they are not sure about the incident, about its severity, they are much keener to find out what they need to do.

“Once you go down that road in some cases you’ll find a bit more than you might expect. Hence the claims are probably increasing both in number and severity.”

He added: “It is because of GDPR that people are now more aware and don’t want to risk not notifying, or not carrying out the investigations that they should. That’s why we’re seeing the uptick.”