If your business involves gathering, maintaining, disseminating or storing private and sensitive information, you probably wonder to what extent you can rely on your computers, servers, clouds and software to keep all that data safe and secure.
Our dependency on ICT has never been so high and there is no doubt it will increase even further. The smallest technical problem is likely to cause delays, business interruption and damages to third parties, especially when private data is involved. At the same time, cyber criminality is becoming more and more sophisticated. Examples of remote access hacking, distributed denial of service attacks (DDoS) or ransomware are in newspapers and newsletters every single day.
With the recent approval of the GDPR (General Data Protection Regulation), which will be applicable in Luxembourg as of 25th of May 2018, Europe has come up with a stricter data protection compliance regime. In case of loss of private data, companies are now exposed to significant liabilities and severe penalties (up to 4 % of global gross revenues, with a maximum of EUR 20m).
GDPR compliance is a mandatory requirement and many entities covered by the regulation will need to introduce serious structural changes. Consultants and lawyers are ready to scan your operational systems and procedures to get you there. You will probably also consider an upgrade of your IT infrastructure and security tools to protect against cyber-attacks and system failures.
Although mandatory, compliance with the law will not be able to prevent cyber-attacks and the devastating effects they may have on your reputation and liability. Even the best and most robust security tools in place will never guarantee 100% security for the personal information you manage.
To help you mitigate those risks and add a layer of corporate protection, you would be well served to consider a “cyber insurance” policy.
Cyber insurance has existed for more than fifteen years in the USA, where some states like California were subject to similar regulation. More recently, a cyber insurance market has also developed in Europe, with insurers now offering a variety of solutions to all types of companies at affordable prices.
Cyber insurance policies are comprehensive policies that include end-to-end risk management solutions for cyber-related events.
In the first instance, the policy will provide an immediate “first response” ICT and legal support straight after a security failure or privacy breach. In practice, insureds have access to dedicated specialists (ICT, consultants & lawyers) via a call center to look at the issue, provide the necessary support and prevent any aggravation of damage.
The policy further pays the various costs incurred in dealing with the issue: costs of notifications (including to the Data Privacy Authority, in compliance with the requirements of the GDPR), public relations to mitigate the reputational loss, and other services to assist in investigating, managing and mitigating a cyber incident.
Forensic investigations, legal consultations and identity monitoring costs for victims of a breach are all included.
The insurer will also pay the necessary costs and expenses incurred to recreate lost data held by the insured.
The liability section of the policy covers claims brought against the company as a result of the failure of the insured’s network security or a failure to protect data. That includes responding to regulatory actions and investigations as well as the payment of defense costs and damages owed to third parties (such as customers or employees).
In some instances, the policy reimburses the lost income and operating expenses resulting from a material interruption of your business operations caused by a network security failure.
Finally, the cyber theft & extortion section responds to the threat of intentional security attacks against a company by an outsider attempting to steal or extort money, securities, or other valuables.
Cyber insurance policies intervene in excess of a self-insured amount (a deductible). As regards business interruption in particular, coverage is triggered only after a waiting period. Both the deductible and the waiting period are a matter of negotiation with the insurers.
The insurance sections and exclusions vary significantly from one insurer to another. We point out the following exclusions in particular:
– losses resulting from electrical or mechanical failure of infrastructure other than IT (such as optical fiber, satellite disruption or power outage);
– damages to tangible property (i.e. other than data) and physical injuries (a carve back to this exclusion is nevertheless available to exposed industries);
– infringement of intellectual property.
ABIL is a Luxembourg-based company specialized in risk management, advisory and insurance brokerage services, focusing in particular on companies active in the financial, advisory and technological sectors, as well as on large multinationals.
You may count on ABIL to tailor your cyber policy to your specific needs. In order to avoid gaps, reduce overlaps and minimize insurance costs, ABIL performs a comprehensive review of your other policies such as the Directors & Officers Liability, Professional Liability, Crime, Kidnap & Ransom, Property or General & Product Liability.
We are at your disposal to address your questions on the matter and respond to any request for quotation.