What is GDPR’s impact on cyber insurance?

Experts say that the EU’s General Data Protection Regulation (GDPR) is pushing up the demand for cyber insurance – a trend that may increase as GDPR-style rules are adopted around the world.

The US is the largest market for cyber insurance; premiums there grew 8% through last year to hit $2 billion, according to a recent study published by Fitch Ratings Inc.

The research found that GDPR, and the risk of financial penalty that the new laws bring, is turning more executives’ attention towards cyber management and coverage.

Speaking at the National Association of Insurance Commissioners’ International Insurance Forum in Washington, D.C. this week, Matthew McCabe, New York-based senior VP at Marsh Inc., said:

“There’s no question that the GDPR has created interest and purchasing around cyber insurance. I was a little surprised the take-up wasn’t immediate, but we’re starting to see increased purchasing in the EU.”

The EU had data regulation before the GDPR took effect, but “we’ve really seen that hammer come down,” he added.

Gareth Truran, head of London market supervision, PRA Insurance Directorate, Bank of England, said:

“It is relatively early in terms of seeing the consequences flow through the system in terms of penalties and enforcement actions and so on.

“We see mimic regimes popping up all over the world and within the United States and they’re not always compatible.

“If I’m in the private sector and I’m looking at the GDPR and I’m aware of how onerous or complicated that might be to comply with, I now have regime B that has an overlap but it’s not exact and now that’s going to exist in seven or eight of my major locations around the world.

“It’s a really, really complex question for businesses that’s going to pose a lot of traps. To work that back into cyber insurance, if you know that trap’s out there, you better have that assessment of what (is) the financial impact of falling into that trap and you better have an answer for how you’re going to approach that impact.”

Around 33% of the UK’s biggest companies have bought cyber insurance, but the buy-in for smaller companies is much lower, even though SMEs are arguably more dependent on the resources of insurers should a breach occur.

Mr Truran said:

“Although it’s easy sometimes to focus on the challenges for larger companies, which are obviously in some ways more difficult because of the size of the operations, they do also tend to have a better level of cybersecurity, a better understanding, better preparation. Take-up rate among smaller companies is an area where we’d expect to see over time that change.”

