Regulation to drive increased cyber purchasing

31 January 2017

Changes to data protection rules and increased regulatory scrutiny of cyber exposures are set to drive cyber purchasing in 2017 and beyond.

In particular, the European Union’s General Data Protection Regulation (GDPR) is likely to prove to be a big deal when it comes into force on 25th May, 2018.

The introduction of costly notification requirements and financial penalties for data breaches under the GDPR will drive demand for specialist cyber insurance, potentially doubling the cyber insurance penetration rate from 10% to 20% this year.

Increased penalties

The GDPR will bring the EU more in line with the US, where data breach notification requirements and substantial penalties have been driving the cyber insurance market for a number of years.

The new rules represent a significant break from the past for Europe. They introduce public breach notification requirements across the EU for the first time, while data controllers and processors will face maximum fines of up to 4% of global turnover or €20m, whichever is greater, for breaches of data protection law – in the UK the maximum fine is currently just £500,000.

Companies will need to carry out a significant amount of work to comply with the GDPR. This should include a full risk assessment to establish where gaps and issues lie, while a well-documented incident response plan will be essential to ensure compliance.

Cyber insurance

With increased liabilities under the GDPR, companies are increasingly looking to have cyber insurance in place before the regulation incepts.

The surge in demand is putting additional pressure on the cyber insurance market, where expertise is still in relatively limited supply. Where underwriters would once have gone out of their way to guide firms through the buying process, the onus is increasingly on the insured to be proactive and provide quality submissions.

Current market conditions favour buyers of cyber insurance that work with specialist brokers and that put time and thought into their submissions. Experience has shown that this approach results in broader and more cost-effective cover.

Silent cyber

Regulation will also influence cyber insurance purchasing as supervisors and insurers look to get to grips with their cyber exposures.

In November the Prudential Regulation Authority signalled a new phase in the regulation of cyber risk, a move that should see insurers across the board take steps to review the extent of cyber cover they offer in property/casualty insurance.

In its consultation paper CP39/16, the regulator expressed its concerns for so-called silent cyber exposures in the insurance industry. Typically these are property policies that include implicit cyber exposure within ‘all risks’ wordings and liability insurance policies that do not explicitly exclude cyber risk.

The PRA also proposed a new supervisory statement that sets out its expectations for how insurers manage insurance contracts exposed to losses arising from cyber attacks. It expects insurers to be able to identify, quantify and manage the risks emanating from underwriting cyber insurance, both in terms of affirmative and ‘silent’ cover.

Market changing

The PRA’s intervention is likely to prompt insurers to introduce more exclusionary language in traditional coverages, which in turn should result in an increase in purchasing of standalone cyber cover.

In a competitive market, some traditional property and casualty insurers could develop specific additional cyber coverages and extensions, while the standalone cyber insurance market will need to innovate and expand cover to include bodily injury and property damage.

For more information please email

contact Sarah Stephens
Head of Cyber, Content and New Technology Risks