Multinational Cyber Risk and Solutions Are Evolving

15 July 2019

Cyber risks are evolving fast, and the situation is especially acute for multinational businesses.

Multinational companies are increasingly exposed to large, complex cross-border cyber risks through their supply chains, third-party vendors, and increasing levels of regulation, as highlighted in Chubb's recent report, Managing Tomorrow's Cyber Risks and Multinational Insurance.

As this risk continues to evolve, companies will not only need bespoke risk transfer, they will also need expert support to identify emerging risks and respond globally to cyber events, the whitepaper says.

International Regulation

Multinational businesses need to keep pace with a rapidly evolving, complex patchwork of privacy and data protection laws.

The EU’s General Data Protection Regulation (GDPR) holds global companies to account over the processing, control, and aggregation of data across national boundaries. A growing number of countries are following its lead.

Canada and Australia, for example, are strengthening their privacy rules, having introduced mandatory data breach regimes in 2018.

California and Brazil have also drafted new privacy rules, which are expected to introduce GDPR-like privacy rights in 2020.

According to Chubb, the direction of travel is clear: multinational companies should expect increased regulation and scrutiny of the way they handle and manage data, with harsher penalties for breaches.

Cross Border Reach

Given that data can easily flow across borders, data protection and privacy laws often have international implications. The GDPR, for example, has an extraterritorial reach and applies to any company processing personal data on an EU citizen, regardless of whether the processing takes place within the EU.

As more personal data is processed internationally, companies need to ensure that they protect the cross-border transfer of information, especially where national data protection laws require the outbound transfer of personal data to receive a standard of protection comparable to that offered by the originating country.

Many national data protection laws cover the transfer of data overseas, although a growing number of bilateral agreements additionally allow for reciprocal recognition of data protection regimes.

For example, the EU-US Privacy Shield protects the rights of citizens whose personal data is transferred from the EU to the US, while the EU recently approved a reciprocal recognition agreement with Japan.

Expert Assistance

Staying ahead of the “evolution curve” in cyber liability will be challenging for multinational companies, according to Chubb. Risk managers should maintain engagement with key stakeholders throughout the business to map out future cyber-related exposures.

Technology and commercial realities often outpace rules and regulation, and present a challenge to risk management. Global organisations therefore need to access a multidisciplinary team of experts to analyse the evolving threat landscape and regulatory regimes.


For example, engaging with multinational insurers and brokers can provide unique insights into the types of events causing cyber claims globally. Chubb encourages multinational companies to collaborate with an insurer and broker with international expertise, product knowledge, and servicing capabilities, as well as with internal and external IT and compliance expertise.

Global Response

A good understanding of the evolving threat landscape and regulatory regimes is also the starting point for building an effective cyber insurance programme.

Given the fast pace of technology and regulatory change, companies and their risk managers need to consult with a broad spectrum of internal and external experts who can counsel and direct how to structure a robust and flexible cyber insurance programme.

The insurance industry is working to create international cyber insurance solutions, although this remains an evolving area. Insurers continue to expand their footprint with regard to local cyber underwriting and claims, as well as international breach response capabilities. However, companies will need to seek out the solution that best meets their needs.

A global cyber insurance solution is likely to be highly bespoke, combining appropriate indemnification with cross border incident response services. Many organisations have good internal incident response capabilities and access to a network of external consultants. The key is to work out which services and coverages need to be provided locally, and which are best provided globally.



  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.
