General Protection Data Regulation – why the clock is ticking to put Cyber Liability insurance in place.
The Queen’s Speech has confirmed that the General Data Protection Regulation will form part of UK law following the country’s withdrawal from the European Union. The Speech noted, “Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Why is it important?
The UK Government revealed its legislative programme for the next two years. It has confirmed its intention to bring the EU General Data Protection Regulation (the “GDPR”) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
This could have a huge effect on Britain’s businesses and organisations, and it means that companies need to make sure that data protection is taken seriously if not the fines and potential loss of reputation are substantial.
How can businesses be fined?
Administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be “effective, proportionate and dissuasive”. There are two tiers of administrative fines:
- Breaches related to the controller and processor obligations, certification body obligations or monitoring body obligations: Up to 10,000,000 EUR or 2% of total worldwide turnover, whichever is the greater (GDPR Article 83(4))
- Breaches related to the basic principles of processing, content, data subject rights, transfer of data, non-compliance: The highest fine states up to 20,000,000 Euros or 4% of total worldwide turnover, whichever is the greater (GDPR Article 83(5))
This is the most significant change in the last few decades in EU data protection, the regulations sets out the principles and rules on data protection across all EU Member States, therefore requiring them to review national data protection laws, amending or repealing those that overlap with the GDPR.
According to a report from the Information Commissioner’s Office (ICO), it could be the public sector that will feel it most fiercely (it is currently the least compliant, according to the report).
These regulations will affect all organisation, not just Public Authorities or large organisations, and with the size of the fine, this will hurt most companies, and in some cases lead to their failure.
All organisations need to make sure that they have an up to date business continuity plan, that it is tested. The plan should also cover all of the potential risks, including Cyber-attack.
Lloyd’s of London has warned that a serious cyber-attack could cost the global economy more than $120bn (£92bn) – as much as catastrophic natural disasters such as Hurricanes Katrina and Sandy.
Published two months after a ransomware cyber-attack that hobbled NHS hospitals and hit nearly 100 countries, a 56-page report from the world’s oldest insurance market says the threat posed by such global attacks has spiralled and poses a huge risk to business and governments over the next decade.
The most likely scenario is a malicious hack that takes down a cloud service provider with estimated losses of $53bn, according to Lloyd’s. This is the average estimate, but because of the uncertainty around calculating cyber losses, it estimates the figure could be as high as $121bn or as low as $15bn.
As part of the compliance, organisations will have just 72 hours to report a breach to the regulator and its customers.
This highlights the scale of the problems and explains why companies are also now looking at Cyber Liability Insurance to reduce their risk.
With a timescale of 72 hours there is no option of a quick fix, there is a real risk to the organisation’s reputation and a financial threat that will demand immediate attention. This means that the Chief Technology officers, Finance Directors and other members of the board, charity trustees and any organisation that holds data must take action.
Cisco’s annual cybersecurity report stated that today’s average large enterprise could face as many as 70,000 security events per week. The WannaCry attack has shown how devastating malware can be, and how quickly an issue can spread to affect the entire world in a matter of hours.
These threats are more than individuals are, businesses are and governments can tackle alone. The success of the cybercriminals is in part down to the lack of awareness of attack methods and in parallel, how to secure systems. Nevertheless, a key takeaway from the recent attacks has to be that a large number of organisations were not affected and managed to rebuff the assault.
While the overwhelming majority of IT security professionals are aware of GDPR, just under half of them are preparing for its arrival, according to a snap survey of 170 cyber security staff by Imperva.
What does Cyber Liability Insurance cover?
Cyber liability insurance protects organisations from Internet-based risks and more generally from risks relating to information technology infrastructure and activities.
Coverage may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others.
The policy may also cover fines that come as a result of cyber-attacks (for example fines for data breaches – although this is still a grey area as so far no organisation has made a claim for data breach fine) .
The clock is ticking – time for companies to act now.
For more information on continuity planning, cyber-insurance or counter terrorism audits and training contact Peter Collins on 01702 200222 or email him at firstname.lastname@example.org
Bespoke Risk Solutions Limited are an Appointed Representative of Leisureworld (GB) Ltd who are authorised and regulated by the Financial Conduct Authority (Financial Services Register No. 749920) You can check these details by visiting www.fca.org.uk Bespoke Risk Solutions Ltd are registered in England and Wales No. 07292153. Registered office: Victoria House, 50 Alexandra Street, Southend-On-Sea, England, SS1 1BN Leisureworld (GB) Ltd are registered in England & Wales No. 02663024. Registered office: 1422/24 London Road, Leigh On Sea, Essex, SS9 2UL.