Adrian Scott's blog: What has GDPR got to do with cyber insurance?
GDPR (General Data Protection Regulation) is undoubtedly the hot topic in insurance at the moment, closely followed by cyber breaches (by breaches we mean cyber-attacks, but we also mean errors by employees that lead to customer data being exposed). But what has one got to do with the other?
How can cyber insurance help your client’s business to comply with GDPR?
Over the last few months, every SME broker in the UK has had to quickly become knowledgeable on all-things GDPR, so we’ll take it as read that you know that:
- GDPR is a new EU regulation which updates outdated privacy and data protection laws for the digital age.
- Among the changes are: the right to be forgotten, to access any data held about you and harsher penalties for organisations who fail to properly protect data.
- Enforcement starts 25 May, 2018 (for further information visit the website of the Information Commissioner’s Office.)
We also know that brokers have been doing all they can to help SMEs to undertake preparations for GDPR advising on sales practices, digital data security and much much more. But what if your client has done everything they can and something still goes wrong? Like personal information going missing (employees or customers), or confidential information published on social media, or even data lost while housed by third party storage providers?
Does your client think it won’t happen to them?
You may not realise it (because, in general, newspapers focus on cyber attacks on big businesses) but the reality is that SMEs are at high risk of cyber-breaches, both accidental and due to crime.
For example, in 2016, 66% of small firms were victims of cyber-crime and on average, SMEs will fall victim to four cyber-crimes every two years*. While 14% of small businesses think their plan to avoid cyber risks is highly effective – that means 86% do not.**
Lack of a confident plan for cyber breaches related to customer data is where GDPR can become a problem for small businesses.
Under the new GDPR ruling, every business is subject to fines and penalties for failing to secure digital data. Small businesses aren’t immune from large fines: they could be hit with a fine of up to €20 million or 4% of annual global turnover – whichever is greater.
If your clients’ data becomes exposed, would they know what to do? Would you know what to advise them?
Think about this. If a cyber breach affects your clients’ data then they’ll need to notify the Information Commissioners’ Office within 72 hours, and likely have to tell anyone who is potentially affected, while at the same time identifying and rectifying the source and extent of the breach.
This may seem straightforward but it can be a complex and convoluted process. How do you assess who has been “affected” for example? And if the business makes the wrong judgement call then it could be subject to further fines. Plus a PR team may be needed to navigate the reputational damage and an IT team to attempt to recover and/or restore the data. All of which will need finding, negotiating and implementing – a task your client could definitely do without when time is against them. In the longer term your client may have to deal with 3rd party litigation from individuals impacted by the breach. More resources, more time and, of course, more cost.
Taken all together, the fines, penalties and time lost to fulfilling the requirements of GDPR after a cyber breach can be an expensive process.
Even if the breach was caused by an employee error, malicious employee, hacker or other factor outside your control your client could still be held liable, opening them up to litigation for financial loss and emotional distress.
Many SMEs do not have the time or resources to investigate and report a breach, leaving them open to reputational and financial harm. Trying to handle the problem themselves can also expose them to further issues. The majority of small business owners are not technical experts, nor are they PR gurus or IT specialists or cyber legal experts (and not a mix of all of them!). A cyber policy can outsource these issues, giving your client access to specialist knowledge which could help them to avert a PR crisis and a significant fine, as well as getting their business back up and running.
A cyber policy can cover these bases for your client, leaving their problem in the hands of knowledgeable specialists who deal with these types of issues every single day and know how to get a fast resolution.
GDPR isn’t going away, but a cyber policy can help ensure that your clients’ businesses keep trading with minimal financial and reputational damage.
That’s why we created our cyber policy~
Pen’s cyber insurance covers all of these issues and offers a 24-hour hotline response. We’ll cover up to £100,000 of costs in the first 72 hours, so that your client can immediately start to put things right with our help.
Our policy is more than just calculating loss and signing a cheque, instead we are offering our specialist knowledge and delivery of a service that will help you mitigate the problems surrounding cyber breaches with the right focus. When you look at how much each individual component i.e. PR, IT, could cost on its own and how long it could take to find each company individually, the value of cyber insurance becomes clear. In short, it could solve a problem that your client is unlikely to be able to or afford to tackle on their own.
*Federation of Small Businesses (FSB): Cyber Resilience Report 2016
**(2016 Ponemon Institute “Cost of a Data Breach)”
~Policy limits and exclusions may apply, please see policy wording for full terms and conditions.