Cyber risks are evolving fast, and the situation is especially acute for multinational businesses.
Multinational companies are increasingly exposed to large, complex cross-border cyber risks through their supply chains, third-party vendors, and increasing levels of regulation, as highlighted in Chubb's recent report, Managing Tomorrow's Cyber Risks and Multinational Insurance.
As this risk continues to evolve, companies will not only need bespoke risk transfer, they will also need expert support to identify emerging risks and respond globally to cyber events, the whitepaper says.
Multinational businesses need to keep pace with a rapidly evolving, complex patchwork of privacy and data protection laws.
The EU’s General Data Protection Regulation (GDPR) holds global companies to account over the processing, control, and aggregation of data across national boundaries. A growing number of countries are following its lead.
Canada and Australia, for example, are strengthening their privacy rules, having introduced mandatory data breach regimes in 2018.
California and Brazil have also drafted new privacy rules, which are expected to introduce GDPR-like privacy rights in 2020.
According to Chubb, the direction of travel is clear: multinational companies should expect increased regulation and scrutiny of the way they handle and manage data, with harsher penalties for breaches.
Cross-Border Reach
Given that data can easily flow across borders, data protection and privacy laws often have international implications. The GDPR, for example, has an extraterritorial reach and applies to any company processing personal data of an EU citizen, regardless of whether the processing takes place within the EU.
As more personal data is processed internationally, companies need to ensure that they protect the cross-border transfer of information, especially where national data protection laws require the outbound transfer of personal data to receive a standard of protection comparable to that offered by the originating country.
Many national data protection laws cover the transfer of data overseas, although a growing number of bilateral agreements additionally allow for reciprocal recognition of data protection regimes.
For example, the EU-US Privacy Shield protects the rights of citizens whose personal data is transferred from the EU to the US, while the EU recently approved a reciprocal recognition agreement with Japan.
Staying ahead of the “evolution curve” in cyber liability will be challenging for multinational companies, according to Chubb. Risk managers should maintain engagement with key stakeholders throughout the business to map out future cyber-related exposures.
Technology and commercial realities often outpace rules and regulation, and present a challenge to risk management. Global organisations therefore need to access a multidisciplinary team of experts to analyse the evolving threat landscape and regulatory regimes.
For example, engaging with multinational insurers and brokers can provide unique insights into the types of events causing cyber claims globally. Chubb encourages multinational companies to collaborate with an insurer and broker with international expertise, product knowledge, and servicing capabilities, as well as with internal and external IT and compliance expertise.
A good understanding of the evolving threat landscape and regulatory regimes is also the starting point for building an effective cyber insurance programme.
Given the fast pace of technology and regulatory change, companies and their risk managers need to consult with a broad spectrum of internal and external experts who can counsel and direct how to structure a robust and flexible cyber insurance programme.
The insurance industry is working to create international cyber insurance solutions, although this remains an evolving area. Insurers continue to expand their footprint with regard to local cyber underwriting and claims, as well as international breach response capabilities. However, companies will need to seek out the solution that best meets their needs.
A global cyber insurance solution is likely to be highly bespoke, combining appropriate indemnification with cross-border incident response services. Many organisations have good internal incident response capabilities and access to a network of external consultants. The key is to work out which services and coverages need to be provided locally, and which are best provided globally.