The European Union’s General Data Protection Regulation (GDPR) was adopted in 2016 to strengthen data protection procedures and practices.
All companies established or operating in the EU must comply, causing companies to evaluate their data security standards to meet compliance by the May 25, 2018 deadline.
Cyber insurers are also anticipating a shift in both coverage demand and long-term incident reporting.
As EU and U.S. companies reevaluate their data security posture to prepare for the new regulations, and assess the hefty fines attached to GDPR laws, having a cyber insurance policy has become more attractive, says BitSight Technology’s Vice President Jake Olcott.
In a conversation with PropertyCasualty360.com, Olcott offered insight into the long-term impacts of GDPR on cyber insurers and underwriters, both in the EU and here in the U.S.
Olcott says GDPR is such a big deal because of the fines. Non-compliance will be much more expensive than under existing regulations: the maximum fine for not complying with the GDPR is €20,000,000 (roughly $23.7 million US) or 4 percent of a company’s worldwide revenue (not profit), whichever is greater.
The concern is that cyber insurance policies as they are written today won’t cover GDPR fines. Olcott says for carriers and brokers, the question is, “What does this new regulation mean?”
Coverage for fines?
“It means there are a lot more companies that will be focused on cyber insurance and buying cyber insurance policies, which is great. But there is a concern that policies the way they are written today may not allow insurance companies to cover GDPR fines.”
Olcott recently penned a blog post on how and why U.S. businesses should prepare for the GDPR, and in a separate write-up provided an 8-part checklist of tasks to prepare for compliance with the pending regulation.
BitSight Technology is a security ratings company that offers data analytics and security software, helping companies manage third-party risk, underwrite cyber insurance policies, benchmark security performance and assess aggregate risk. BitSight offers guidance on GDPR compliance in its report “A Risk Manager’s Guide to the General Data Protection Regulation (GDPR).”
Olcott says certain industry sectors are more prepared for the GDPR than others. In this Risk Manager’s Guide, BitSight lists 6 ways companies can prepare for the GDPR.
6 proactive ways to prepare your organization for the GDPR
1. Find technology solutions and helpful resources that will help you solve GDPR-related issues.
2. Create an in-depth plan for third-party risk.
3. Modulate your GDPR program.
4. Begin your GDPR compliance program by addressing the vast majority of the GDPR that is clear — not the small minority of it that is not.
5. Ensure you have appropriate security controls in place for your data.
6. Use quality metrics to support your decisions and demonstrate your progress.
You can read about these 6 steps in detail in BitSight’s Risk Manager’s Guide to the General Data Protection Regulation (GDPR).