The U.S. and Europe have very different approaches when it comes to motivating organisations to protect customer data
In its typical free-market fashion, the U.S. relies more on litigation than regulation to impose penalties on breached companies. Meanwhile, in Europe, which is more attuned to government regulation, we have General Data Protection Regulation (GDPR) as the mechanism for delivering penalties and deterring companies from not adhering to security standards.
The fear of litigation, along with losses caused by ransomware, IP theft and other issues, has caused the U.S. cyber insurance industry to flourish, growing to more than $2.1 billion (~£1.61 billion) in premiums in 2017. However, Europe has been slower to adopt cyber insurance, with Lloyd’s reporting it is not expected to cross the $2 billion (~£1.5 billion) premium threshold until 2020.
GDPR was expected to cause a massive increase in cyber insurance spending. However, it is still unclear whether GDPR penalties would be covered by insurance at all, so that increase has yet to occur.
As a result, we’re currently witnessing two very contrasting markets: the U.S., where the most onerous penalties come from litigation and cyber insurance has gained greater traction, and Europe, where the biggest fines come from GDPR.
To become truly mainstream, the cyber insurance industry needs to grow up.
Get with the times
Insurance policies vary widely across both geographies. Often, they are simply folded into existing business liability policies, while on other occasions they are standalone. Some policies are priced on an analysis of the customer’s risk profile to provide customised coverage; others are simple “one size fits all” policies.
With such an abundance of policies causing utter confusion, insurance carriers need to take a modern approach to policy creation.
Policies should be based on assessments of the customer’s risk and security practices, in the same way that car insurance is based on the customer’s age, driving record and vehicle model. This will enable carriers to improve loss ratios while simultaneously giving customers better policies aligned with their specific business risk.
Establish best practices
In order to modernise cyber insurance policies, particularly in Europe, best practices for achieving GDPR compliance need to be established.
This would enable insurers to confidently provide policies that cover GDPR penalties: if a customer adheres to the best-practice guidelines and is fined anyway, the fine would be covered. That ability would finally trigger the expansion of the GDPR cyber insurance market in Europe.
In the U.S., best practices would also serve as a foundation for evaluating customer processes and their risk profiles. This would enable policies to match overall customer risk profiles, enabling more thorough and relevant coverage while improving insurer loss ratios.
Litigation has clearly driven cyber insurance growth faster than regulation. However, this is due more to the immaturity of the cyber insurance industry than to the potential market for cyber insurance policies.
By blending best cybersecurity practices from both Europe and the U.S., insurance carriers will have the guidelines they need to create more relevant and profitable policies.
Returning to the car insurance analogy, insurers can profitably offer car insurance policies because they understand the guidelines for driving a car: you need a licence, there are speed limits, there are laws against drinking and driving, certain age groups are riskier than others, and there are government mandates for purchasing automotive insurance. From this, they can create risk pools for policies.
The same kind of guidelines need to be developed for cybersecurity, with insurers conducting assessments of each customer’s infrastructure, operations and overall risk profile.
At that point, we will see the evolution of cyber risk pools, and cyber insurance can become a standard part of the business liability insurance portfolio.
Former Vodafone CTO
Current director of strategy and technology Europe