The EU is in the final stages of adopting the Data Protection Regulation, which will set new rules for operators on how personal data must be handled.
In March 2014, the European Parliament strengthened several requirements, raising the fines for breaching the rules to up to €100 million or 5% of annual worldwide turnover (whichever is greater), where the European Commission's original proposal had suggested fines of "only" up to €1 million or 2% of annual worldwide turnover.
As usual in the EU legislative procedure, the text voted by MEPs is now Parliament's official mandate to open negotiations with the Council of the EU, as soon as the Member States agree on their own negotiating position. A final agreement between the two institutions can be expected before the end of 2014.
Holding personal data has a cost, and the threat of cybercrime is primarily a concern for companies that manage large volumes of client data. The upcoming legislation, the rise in known data breaches driven by mandatory reporting, and a well-informed public ever more sensitive to data privacy could together mean more claims for the cyber insurance industry.
This is an area of uncertainty for the insurance and risk management community. It is still unclear how carriers will price and handle certain types of threat. One good illustration is the zero-day concept.
A zero-day vulnerability is a flaw in a system that is not yet known to the developer or vendor, so no fix exists for it. A zero-day attack occurs when such a vulnerability is exploited.
Even once a fix exists, there tends to be a time window between the moment the vendor publishes the correction and the moment organisations actually apply it. Heartbleed, the OpenSSL vulnerability publicly disclosed in April 2014, is a case in point: a fixed OpenSSL release was available on the day of disclosure, so the exposure for most organisations came from the lag in deploying it rather than from the absence of a patch.
If a claim arises from a breach that occurred within this window, it is not clear whether an insurer could apply an exclusion for failure to maintain an up-to-date IT infrastructure.
Cyber insurance policies are commonly underwritten with exclusions for failure to maintain an up-to-date IT infrastructure, meaning running the latest available versions and/or having the latest patches applied to correct identified vulnerabilities.
No more support
These exclusions become problematic when, for example, Microsoft stops supporting its Windows XP operating system (extended support ended in April 2014). Without vendor support, newly discovered vulnerabilities in Windows XP will no longer be corrected or patched by Microsoft, which increases the probability of their being exploited.
In the event of a claim, insurers may argue that the policyholder was no longer running an up-to-date IT system and invoke the exclusion to deny coverage. Other insurers may be tempted to charge an extra premium to companies still relying on Windows XP.
The new Data Protection Regulation is expected to boost demand for cyber insurance, but a true zero-day attack cannot be prevented by patching: by definition no patch exists yet. If there is no coverage because of an exclusion, what would be the use of such a policy?
An organisation's ability to be agile and react rapidly to a new IT threat should be at the core of the wording and pricing assessment of a cyber policy.
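The two questions raised above, how long an asset stayed exposed after the vendor's fix was out and whether a given incident fell inside that patch window or on an unsupported system, are the ones an underwriter or an incident responder would actually want answered from the asset inventory. The following is an added example (not code from the original article or from any insurer) that computes both over a constructed inventory. The Heartbleed disclosure and fix date (2014-04-07, OpenSSL 1.0.1g) and the Windows XP end-of-support date (2014-04-08) are public facts; the asset names, versions, patch dates and the incident date are invented for illustration.

```python
"""Patch-window and end-of-life exposure check over a constructed asset inventory."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Public dates: Heartbleed was disclosed on 2014-04-07 and OpenSSL 1.0.1g,
# which fixed it, was released the same day; Windows XP support ended 2014-04-08.
HEARTBLEED_FIX_AVAILABLE = date(2014, 4, 7)
WINDOWS_XP_EOL = date(2014, 4, 8)
# OpenSSL 1.0.1 through 1.0.1f were affected by Heartbleed.
VULNERABLE_OPENSSL = {"1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f"}


@dataclass
class Asset:
    name: str
    os_name: str
    openssl_version: str          # version running on the disclosure day
    patched_on: Optional[date]    # day a fixed OpenSSL was installed; None if never


def is_vulnerable(asset: Asset) -> bool:
    return asset.openssl_version in VULNERABLE_OPENSSL


def exposure_days(asset: Asset, as_of: date) -> int:
    """Days between the vendor fix being available and the asset applying it (or as_of)."""
    if not is_vulnerable(asset):
        return 0
    patched_before_as_of = asset.patched_on is not None and asset.patched_on < as_of
    end = asset.patched_on if patched_before_as_of else as_of
    return max(0, (end - HEARTBLEED_FIX_AVAILABLE).days)


def incident_in_patch_window(asset: Asset, incident_on: date) -> bool:
    """True when a vulnerable asset was hit after a fix existed but before it was applied.

    An incident before the fix existed is a genuine zero-day situation, not patch lag,
    so it is reported as False here.
    """
    if not is_vulnerable(asset) or incident_on < HEARTBLEED_FIX_AVAILABLE:
        return False
    return asset.patched_on is None or incident_on < asset.patched_on


def runs_unsupported_os(asset: Asset, as_of: date) -> bool:
    """True if the asset runs an operating system past its vendor end-of-support date."""
    return asset.os_name == "Windows XP" and as_of > WINDOWS_XP_EOL


def assess(inventory: List[Asset], incident_on: date, as_of: date) -> Dict[str, dict]:
    """Summarise, per asset, the facts an underwriter would ask about after an incident."""
    return {
        a.name: {
            "vulnerable": is_vulnerable(a),
            "exposure_days": exposure_days(a, as_of),
            "incident_in_patch_window": incident_in_patch_window(a, incident_on),
            "unsupported_os": runs_unsupported_os(a, as_of),
        }
        for a in inventory
    }


# Constructed inventory: hypothetical hosts, not real systems.
INVENTORY = [
    Asset("web-1", "Ubuntu 12.04", "1.0.1e", date(2014, 4, 9)),   # patched two days after the fix
    Asset("web-2", "Ubuntu 12.04", "1.0.0", None),               # 1.0.0 branch was not affected
    Asset("legacy-1", "Windows XP", "1.0.1f", None),             # never patched, unsupported OS
]

if __name__ == "__main__":
    # Hypothetical incident on 2014-04-08, assessed as of 2014-06-01.
    for name, result in assess(INVENTORY, date(2014, 4, 8), date(2014, 6, 1)).items():
        print(name, result)
```

In this constructed run, web-1 was exposed for two days and the incident falls inside its patch window, legacy-1 is both still exposed and running an unsupported OS, and an incident dated before the fix existed is reported as outside the window, which is the distinction between patch lag and a true zero-day that the policy wording needs to make.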