Insurers cash in on new European data privacy rules

[LONDON] Data privacy rules coming into force this week are giving Europe's fledgling cyber insurance market a boost as they make companies more aware of the risks caused by customer information breaches.

Europe's General Data Protection Regulation (GDPR), which takes effect on Friday, has been billed as the biggest shake-up of data privacy laws since the birth of the web.

It aims to give EU citizens more rights over their online information and threatens fines of up to 4 per cent of a company's annual revenue for serious infringements.

The latter will include failure to notify regulators of breaches within 72 hours.

The law brings Europe more closely into line with the United States, where many states have for several years required firms to notify regulators about data breaches.

Insurers say the directive, together with major cyber attacks like last year's WannaCry and NotPetya viruses, is driving demand in Europe for cyber insurance - a sector seen as relatively profitable.

Cyber cover can pay for anything from the repair of IT systems after a data breach, to compensation for lost business, legal costs and even for a public relations firm to patch up damaged reputations.

The number of syndicates offering cyber insurance in the giant Lloyd's of London commercial insurance market jumped by more than 20 per cent last year to over 70. Lloyd's Chief Executive Inga Beale told Reuters by email that gross written premiums for European cyber insurance could total more than US$2 billion annually by 2020, partly as a result of the new directive.

Major players in the sector include insurance giants AIG and Zurich, and Lloyd's insurers Beazley and Hiscox.

However, less than one tenth of annual premiums in the US$2.5 billion global cyber market are for Britain and the rest of Europe, according to Betterley Risk Consultants.

Paul Merrey, a partner at KPMG focusing on insurance, said the difference in take-up was mainly due to different legal frameworks between Europe and the United States.

"GDPR significantly closes this gap," he said.

AIG says its European cyber business has risen by 50 per cent this year compared with a year ago. The firm declined to give a figure.

"We are seeing a lot more interest in cyber coverage," said Mark Camillo, head of cyber for EMEA at AIG.

AIG said its European business accounted for 25 per cent of its global cyber portfolio at the end of 2017, up from just five per cent three years previously.

Insurers typically do not break out their cyber revenues in their annual results, but several told Reuters their business had increased and they expected further growth.

Insurance firm CFC Underwriting has seen a "huge surge" in enquiries about cyber insurance from outside the United States, said Graeme Newman, CFC's chief innovation officer, with its UK cyber business growing by 150 per cent in the last year.

Broker JLT said enquiries about insurance at its UK cyber business had risen by 50 per cent in the last 12 months due to GDPR.

A policy typically costs US$1,000 to US$3,000 for US$100,000 of cover, though cyber insurance policies can cover hundreds of millions of dollars, insurers say.

One factor which may drive demand is the possibility of using insurance to cover the risk of the onerous fines under the new law.

Lawyers and insurers are currently debating the likelihood of this being permitted in countries such as Britain.

"It's definitely a grey area," said Prakash Paran, partner at law firm DLA Piper.

A report last week by the law firm and insurance broker Aon found that only two countries in the European Economic Area - Finland and Norway - were likely to allow GDPR fines to be insurable. The decision is up to local regulators.

A spokesman for Britain's data regulator said firms should concentrate on being compliant.

"There is nothing in the GDPR which either permits or prohibits insurance cover against fines which may be issued by the ICO (Information Commissioner's Office) for breaches of the GDPR," the spokesman said by email, but added:

"A focus on insurance rather misses the point."

The directive makes it easier for groups of individuals to lodge class action-style claims for non-compliance, which could encourage the purchase of policies with higher pay-out limits.

Cheryl Martin, partner at EY, said financial services firms in Britain were focusing on this, after paying out US$40 billion in redress since 2007 to customers mis-sold debt repayment insurance policies.

Companies' immediate priority is to ensure they are compliant with GDPR, which means Europe's cyber insurance market may see gradual growth rather than a spike following introduction of the new law, said Julia Graham, deputy chief executive of British insurance buyers' association Airmic.

"I don't think insurance is top of mind," she said.

REUTERS