Mandatory cyber insurance backed to improve incident response

Out-Law News | 28 Feb 2019 | 9:51 am | 2 min. read

Making cyber insurance compulsory would help improve the way businesses respond to cyber attacks and data breaches, a cyber risk expert has said.

Freya Ollerearnshaw of Pinsent Masons, the law firm behind Out-Law.com, said, though, that a benchmarking exercise would need to be conducted before policy makers move to mandate take up.

Ollerearnshaw was commenting after the idea of compulsory cyber insurance was mooted by Gabriel Bernardino, chairman of the European Insurance and Occupational Pensions Authority (EIOPA), at a fintech conference in Brussels on Tuesday.

Bernardino said: "Cybersecurity and cyber risk are at the forefront of the concerns of economic operators and public authorities. The insurance sector has an important role to play in establishing good risk management practices and the associated coverage. The innovation and efficiency brought with the use of new technologies and high volumes of information will only become a reality if we find collective solutions to deal appropriately with cyber risk. As cyber-insurance markets mature, we should start to discuss if cyber insurance should also be mandatory. This would provide a further level of security for companies and consumers in the digital world."

Businesses that take out cyber insurance have an advantage over those that do not when major cybersecurity incidents occur, Ollerearnshaw said.

"As well as providing financial protection against the costs associated with cybersecurity events, cyber insurance policies offer policyholders immediate access to a panel of experts to help them manage and respond to incidents quickly," Ollerearnshaw said. "These experts can include forensic IT specialists, and PR and legal advisers."

"In our experience, data breaches and other major cyber incidents are managed more effectively where the business has been able to call upon the panel of experts' immediate assistance instead of having to coordinate external help from scratch themselves. Often the latter approach can delay business' response to incidents, risking non-compliance with the strict incident reporting requirements stipulated in law – notably the General Data Protection Regulation (GDPR) – as well as a public and media backlash should customers affected by an incident feel they have not been notified promptly," she said.

"Despite cyber risk growing as a boardroom issue, budgets often do not extend to cyber insurance – businesses are therefore not taking up cyber insurance as often as they should. Mandatory cyber insurance would be a positive step to address that, but it is unclear how it would be implemented in practice," Ollerearnshaw said.

The global commercial cyber insurance market has been estimated to be worth $6.4 billion, but the market is still in a nascent state in the UK compared to the US where it is more developed.

Ollerearnshaw said that cyber insurance policies can vary in relation to the cover they provide, including both the limits of the policy and the types of workstreams that are covered.  As such, further work is needed before businesses are forced to take up such policies, she said.

"Policy makers and regulators will need to determine the baseline requirements for mandatory cover if they are serious about imposing cyber insurance take up on businesses," Ollerearnshaw said.