The European Union’s Global Data Protection Regulation (GDPR), the EU’s most high-profile cyber regulation to date, goes into effect May 25, 2018, and is intended to bring a greater degree of data protection harmonization across EU nations.
Why pay attention if you are not running a business in the EU? GDPR applies to every company processing personal data of EU citizens, not just those inside the EU.
A recent publication by Swiss Re breaks down GDPR, compares the consequences of data breaches in Europe with those in the U.S., and looks at the EU approach to cybersecurity regulation.
The GDPR, EU-U.S. Privacy Shield and the New York Department of Financial Services’ (NYDFS) cybersecurity rules have been indicative of the expanding frontier of cyber regulation in 2017. A recent Advisen paper, The Next Wave of Cyber Regulation, discusses these three massive cyber regulations and provides guidance on working towards operational compliance.
Finally, today, Treasury Secretary Steven Mnuchin said cybersecurity is his biggest concern for the financial sector. At an event this morning hosted by Axios, Secretary Mnuchin went on to say “This is something that requires a coordinated investment across various financial regulators through preparation as well as funding. Even within the budget, a major priority for us is to spend that on technology.” Mnuchin said he plans to use his role as chair of the FSOC to make sure that all the regulatory agencies incorporate cybersecurity in their oversight duties.
What is insurable risk? That’s the key question being explored by the international insurance industry think tank, the Geneva Association, in a new report on the cyber insurance market.
There are many challenges to insuring cyber risk, the report states, “especially due to a lack of data and modelling approaches, the risk of change, and incalculable accumulation risks.” Additional challenges to insuring cyber risk include information asymmetry, resulting in adverse selection and moral hazards, and coverage limits in the market.
According to a recent CyberScoop article, a lack of actuarial data could have profound consequences after Fitch’s recent warning that it will downgrade credit ratings of “insurance companies that write standalone cyber policies too aggressively, because of the high uncertainty this line of business contains.”
Fortunately, the future is looking bright for the cyber market in the insurance industry and governments have many opportunities to promote it. As the market grows, risk pools become larger and more data will become available. Additionally, increased capacity and more competition will inevitably push prices down and result in more uniform terminology, standardization and pre-coverage risk assessment. The report also recommended that industry and governments collaborate on public-private partnerships when collecting data for cyber incident repositories. Lastly, many experts believe that pre-coverage screening and reporting requirements could alleviate adverse selection effects.
Deputy Secretary General of the Geneva Association and editor of the report, Dr. Fabian Sommerrock, commented, “We are very pleased to publish this report which provides an insight into the current level of understanding about cyber risk and cyber risk insurance … This report has been provided to increase understanding of the risk and support the insurance industry’s role in mitigating and managing it for the benefit of individuals, institutions and governments alike.”
The NAIC’s cybersecurity task force released its third and final draft of the NAIC cybersecurity model law in August, in the hope that it would be considered for approval. However, “stakeholder feedback made it clear that additional work needed to be done to reach consensus on the draft,” according to Rhode Island Superintendent of Banking and Insurance Elizabeth Dwyer, a member of the task force.
With General John Kelly appointed as Secretary of Homeland Security, Trump’s administration promises to put border security as its top priority. This means that other priorities, especially cybersecurity, could take a back seat at DHS. Current Secretary Jeh Johnson warns the new administration against losing focus on cybersecurity and calls for it to continue as “a top priority on a bipartisan basis.”
Cyence, an economic risk modeling platform for cyber risk, debuted its product last September and has since received much attention in the insurance industry. Carrier Management Editor Mark Hollmer had the opportunity to sit down with Cyence Co-Founder and CEO Arvind Parthasarathi to discuss how their cyber analytics platform will allow the insurance industry to look at cyber risk in an entirely new way – in “dollars and probabilities.”
With cybercrime only increasing and traditional network security premiums becoming obsolete, the cyber insurance market is a huge, untapped opportunity for insurers and reinsurers. Mandatory legislation on cybersecurity in several U.S. states has led to more mature and better cyber liability insurance policies. PWC forecasts that annual gross premiums will increase from $2.5 billion in 2015 to $14 billion by 2022.
The Presidential Commission on Enhancing National Cybersecurity issued a 100-page report with 16 urgent recommendations on ways that President-elect Trump can improve the nation’s cybersecurity, particularly in his first 100 days of office. Main points include creating a cyber nutritional label to help consumers shop wisely and establishing an international cybersecurity ambassador.
Blockchain offers a secure approach to storing sensitive information and performing functions, suitable for exposed environments that demand high cybersecurity. Its use of sequential hashing, cryptography and decentralized structure, which all took decades of research and refining, make it virtually impossible for any outside party to “unilaterally alter data on the ledger.” Bitcoin was the first application of blockchain, launching in 2009.
The National Institute of Standards and Technology (NIST) has released a set of guidelines “aimed at helping researchers better understand the Internet of Things (IoT) and its security challenges.”
Inside the beltway and around the nation this week there has been zero escape from prognostications on what a Trump administration means for every issue imaginable. So, we’ll pile on…what about cyber? Well, we, at The Council, expect cybersecurity to be a significant issue. That statement seems obvious but the Republican platform actually includes a section advocating for “a free market for cyber insurance and makes clear that users have a self-defense right to deal with hackers as they see fit.” While the latter part has many nervous, we could see cybersecurity (and insurance) garner more oxygen than expected in the first 100 days (especially given the highly publicized hackings ahead of the election). On the surface, the President-elect’s cybersecurity stance doesn’t seem to vary much from President Obama’s policies. However, his pro-national security and law enforcement approach to cybersecurity is different and Trump will have to delicately balance between business interests and national security.
As we look to our parochial areas of interest, we are well positioned to effectively represent Council members as things heat up on the Hill in 2017. Sen. John Thune is a major cyber player as chairman of the Senate Commerce Committee, and we look forward to continuing to work with him on issues stemming from critical infrastructure cybersecurity. The Council supports a single standard for breach notification, and we believe good legislative opportunities will develop there. Lots to unfold, so stay tuned. We will skip next week because of the holiday but will be back after. On behalf of The Council, we wish everyone a wonderful Thanksgiving.