GDPR and Cyber Insurance: Change has arisen
On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect. As a result, the rights of individuals over their data were expanded, placing greater obligations on organisations that process personal data. This led to the worry that GDPR and Cyber Insurance would now have to be a consideration for every single company that processes data.
So why mention GDPR and Cyber Insurance in the same breath?
As cyber-related requirements become more stringent under GDPR and directors and officers (D&Os) shoulder more liability than ever before, industry experts are wondering whether D&Os will soon be held liable for cyber breaches. D&Os who disregard their responsibility to ensure an organisation-wide commitment to GDPR and cyber compliance could end up facing legal battles after a data breach. To date, four cases have actually been brought against directors in the US over cyber attacks, including cases against Target and Home Depot executives.
Protect your directors:
In order to ensure that your organisation's directors are prepared for the new responsibilities placed upon them by GDPR, some revisions should be considered:
- Ensure your D&O liability policy does not contain any specific exclusions about data breaches.
- Prioritise cybersecurity at the highest levels of your organisation by building cyber-governance into your organisational structure (this could be aided by a Cyber Insurance policy). Furthermore, it must be emphasised that cybersecurity and GDPR compliance are the entire organisation's concern.
- Review your organisation's process for collecting clients' consent. Whatever your process may be, it must provide an active opt-in. Additionally, keep well-organised records that clearly outline what individuals have consented to, what they were told, and when and how they consented.
A little bit worried?
Unfortunately, the introduction of GDPR seems to have fazed even the biggest of companies. So much so that in 2017, JD Wetherspoons deleted every single customer from their mailing list, ON PURPOSE! However, as long as companies take the necessary precautions in relation to new laws, the relationship between GDPR and Cyber Insurance should result in many peaceful nights.
What about silent exposures from cyber-attacks?
Cyber-crime makes up nearly half of all reported crime in the UK according to the annual crime survey of England and Wales. Whilst awareness of the various types of cyber-attacks has grown, there is still one aspect which seems to be relatively unknown:
‘Silent Cyber Exposure’
Silent cyber exposure refers to potential cyber-related losses claimed on insurance policies that are not specifically designed to cover cyber-risks.
For example: your organisation becomes infected with malware, causing a lift to fail and leading to multiple casualties and injuries. Such silent cyber exposures are malicious. To protect yourself, it is vital that your organisation is proactive and reassesses its cyber insurance policies. This ensures that you are appropriately covered for events that may occur due to cyber-risk.
Be prepared for the issues posed by GDPR and Cyber Insurance:
Although it may seem nearly impossible to predict and prevent silent exposures from occurring, there are measures that your organisation can take to ensure it is prepared.
- Hire experts to assess which areas of your business could be vulnerable to a cyber-attack. Find out whether or not cyber-related losses would be covered under your insurance policies.
An astonishing 68% of organisations' boards have not received any training on how to deal with cyber incidents.
‘Experts claim that 80% of cyber attacks are preventable’ (National Crime Agency)
To help ensure that your organisation is able to prevent as many cyber-threats as possible, it is important that you regularly update your network security, and install anti-virus and anti-malware software on all your organisation's computers. This should be done in conjunction with providing your employees with cybersecurity training.
Some password advice
The National Cyber Security Centre has issued its own password creation guidance. It advises that your organisation changes all default passwords to a random collection of words and stores them in a password manager such as LastPass.
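The two practical steps in that guidance, finding credentials still set to a vendor default and replacing each with a randomly chosen set of words, can be checked in code. The following Python is an added example written for this article, not NCSC's or any password manager's code: the device inventory, the short word list and the set of default passwords are all constructed for illustration, and a real deployment would load a large published word list (several thousand entries) instead of the small one embedded here.

```python
import math
import secrets

# Constructed word list for illustration only. A production list should be
# large (thousands of words) so that each word contributes more entropy.
WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "engine", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orbit", "pillow", "quartz", "river", "saddle", "timber", "umbrella",
    "violet", "walnut", "yogurt", "zipper", "copper", "falcon", "marble",
    "pepper", "rocket", "tulip", "velvet",
]

# Constructed sample of common vendor/default credentials (assumption).
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "default", "admin123"}


def is_default_password(candidate: str) -> bool:
    """True if the candidate matches a known default, ignoring case and whitespace."""
    return candidate.strip().lower() in DEFAULT_PASSWORDS


def generate_passphrase(words: int = 3, wordlist=WORDLIST, separator: str = "-") -> str:
    """Join `words` independently, uniformly chosen words from the list.

    secrets.choice uses the OS CSPRNG; random.choice is not suitable for credentials.
    """
    if words < 1:
        raise ValueError("a passphrase needs at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` uniform independent draws from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def audit_inventory(inventory: dict, words: int = 3) -> dict:
    """Return {device: replacement_passphrase} for every device still on a default.

    `inventory` maps a device name to its current password. Devices that already
    have a non-default password are left untouched and omitted from the result.
    """
    replacements = {}
    for device, current in inventory.items():
        if is_default_password(current):
            replacements[device] = generate_passphrase(words)
    return replacements


if __name__ == "__main__":
    # Constructed sample inventory: two devices still on defaults, one already changed.
    sample = {"router-01": "admin", "printer-02": "Password ", "nas-03": "tulip-orbit-copper"}
    for device, new_pw in audit_inventory(sample).items():
        print(f"{device}: replace default with {new_pw!r}")
    print(f"entropy of 3 words from this list: {passphrase_entropy_bits(3, len(WORDLIST)):.1f} bits")
    print(f"entropy of 3 words from a 7776-word list: {passphrase_entropy_bits(3, 7776):.1f} bits")
```

The entropy figures make the word-list size visible: three words from the 32-word list above give only 15 bits, whereas three words from a 7776-word list give about 38.8 bits, which is why the generator should be fed a large list rather than a handful of memorable words. The replacements returned by `audit_inventory` are meant to be written straight into the password manager, never printed into logs in a real run.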
Some Final Advice:
Separate GDPR fact from fiction with the ICO's blog series.
Some of the current posts cover data breach reporting, data protection, and consent. In terms of keeping compliant with GDPR and tackling cybercrime, these blogs are definitely worth keeping an eye on.