GDPR and cyber risk insurance: how can insurers improve their cyber risk products

Written by Emmanuèle Lutfalla, Partner, Mathilde Gérot, Senior Associate and Simon Fitzpatrick, trainee, at Signature Litigation.

Nearly two years after the GDPR became effective, companies of every size now recognise it as a necessary part of doing business. Its requirements, such as data security, have led prudent owners and managers to appreciate the value of obtaining cyber risk insurance. But many dedicated cyber insurance products still fall disappointingly short of what businesses really need. A key lesson from the Covid-19 crisis is how much technology helps them to keep operating, even if the effectiveness of working from home has been patchy so far. To reach its optimum potential, cyber security must be taken seriously while insurers need help in creating bespoke products that can reassure businesses just as their other policies do.

 

Cyber risk insurance exists, but more data is needed to improve insurance products

Most existing cyber risk policies geared towards SMEs are standardised, but insurers need to tailor them specifically to address cyber risks. To do this, large datasets, such as information related to data breaches, are required to calculate the loss/experience ratio. Once this is established by actuaries, insurance carriers can then draft their protection provisions and bring them to market.

Cyber risk policies typically offer three major guarantees: civil liability coverage, damage protection and support guarantees. In most contracts, the support also includes crisis management, covering the fees associated with notification requirements, third-party losses and operating losses. The advantage of these policies is that they can provide invaluable support to the insured before a data breach occurs. They may also offer invaluable insight for the insured to enhance their data security. Indeed, according to Article 32 of the GDPR, insured must, in their capacity as controller or processor, “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. 

But for actuaries to do their calculations, they need information regarding quantifiable losses at an early stage. When an insured makes a claim on their policy, the insurer will dispatch experts to quantify the damage and determine whether or not this is covered under the terms. Actuaries collate this information to quantify potential risks and to help improve their models. Once information is compiled, insurers are then able to determine which risk is insurable and for what amounts, thereby allowing for better guarantees in reflecting adequate insurance premiums.

 

GDPR’s notification requirements provide useful information, but more data must be made available

Article 33 of the GDPR establishes a legal requirement that data controllers and processors notify the supervisory authority within 72 hours of a data breach. They must provide the following information: the nature of the breach, i.e. whether the confidentiality, integrity and/or availability of the personal data is concerned; the categories and approximate number of affected data subjects; the categories and approximate number of affected categories of personal data; the number of records that were breached; the likely consequences of the breach; the measures taken to remedy it and, where appropriate, to limit its negative consequences. During a four-month period in 2018, France’s Data Protection Authority (CNIL) recorded 742 data breach notifications.  The minimal information provided to the French public about notifications is probably insufficient in helping insurers to tailor their products and provide sufficient guarantees.

One problem with revealing more is that the information contained in a data breach notification may also be considered as personal data under GDPR, which defines it as: “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” 

This is one reason why the data breach notification database provided in open source mode by the CNIL does not go into much detail. Indeed, uncertainty still exists regarding what constitutes personal data under GDPR, such as whether anonymised datasets are personal data or not. Also, due to the negative publicity surrounding data breaches and the potentially large amounts of money that could quickly become involved, businesses are reluctant to share data breach information with their insurance carriers. 

While we applaud CNIL’s efforts in sharing information, there must be a better way to allow insurers to access the necessary data. As an example, CNIL makes the names of data protection officers available. It is also becoming increasingly public about its activities with regards to sanctions and public warnings about misuse of data subjects’ personal data. Providing more information about the technical aspects of a data breach, while completely anonymising the data subject’s personal data seems to create a balanced approach that could lead to better cyber risk insurance and data security practices.

 

It is an invaluable actuarial tool, but tension exists between AI and GDPR

Data is the lifeblood of AI. The European Commission confirmed as much when recently announcing its new EU data strategy with the publication of two papers, admitting that “the availability of data is essential for training artificial intelligence systems […] without data, there is no AI.”. However, GDPR restricts the uses of personal data, and therefore hampers the development of AI in the EU. In particular, it creates friction with machine learning. For example, several of its core principles, including purpose limitation and data minimisation, restrict the creation of large datasets. So even though the GDPR contains special exemptions on data usage for statistical purposes, their definitions are ambiguous. 

The Commission should clarify how GDPR’s personal data processing operations for statistical purposes can be used to facilitate innovation in machine learning.

Since statistics form the basis of actuarial work, they would benefit from an innovation-friendly interpretation of the GDPR’s provisions. AI, and in particular algorithms trained on the basis of large datasets, may help actuaries develop more accurate models and create the bespoke policies that the insurance market needs.

Conclusion

Recent events have taught us that major changes can occur at great speed creating a fallout that is very difficult to manage if we are unprepared. Taking a proactive approach with regards to cyber insurance appears to fall into this category. An invaluable safeguard, insurance also delivers peace of mind. Offering cyber risk policies is therefore an excellent starting point to help meet the challenges of data security. But as emerging threats become more prevalent, cyber risk insurance needs to adapt. 


Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/