French and British initiatives are taking the role of insurance for cyber risks into account in their national strategy for cybersecurity.
In June 2014, the UK Government launched a joint initiative with some major British insurers to increase the level of IT security in UK companies. Called the Cyber Essentials scheme, it is based on certificates and will ensure that certified organisations have a certain number of security measures in place. Cyber Essentials has been developed in close consultation with the insurance industry and is backed by AIG, Marsh, Swiss Re, the British Insurance Brokers’ Association (BIBA) and the International Underwriting Association (IUA).
Some insurers committed to incorporating the “cyber essentials” in their risk assessment processes and to offering incentives to businesses to become certified, such as preferential rates for new cyber insurance policies. On 23 March, the British Government and Marsh released a report, “UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk”, based on input from 13 London insurers and a number of large companies. It confirms a desire by the UK insurance sector to lead the management of growing cyber threats. The full report is available here: https://www.marsh.com/uk/home.html.
With a bit of delay, France is now catching up with the UK and has started to assess the use of insurance against cyber risks as a catalyst to increase the overall resilience of French industries. The Ministry of Finance has launched an initiative, and a report is expected in April.
In February, FERMA received two representatives from the ministry and shared with them the experience and priorities of risk managers as corporate clients of cyber insurance products.
The interest of governments in cyber insurance is guided by the idea that a large take-up of such insurance products would ultimately contribute to reinforcing the cybersecurity of private organisations.
As with previous initiatives with the European Commission, FERMA is always willing to share the point of view of risk and insurance managers, who are first in line as corporate insurance clients, about the latest developments in the European cyber insurance market. This is work to be conducted with major national risk management associations like Airmic or AMRAE.
The biggest drivers for the cyber insurance market are likely to be regulatory, as shown previously in the US, where data breach notifications have become mandatory in most states over the last decade. The future EU data protection regulation is also likely to boost demand in the next five years to cover such notification costs.
The new EU regulation is still under discussion among member states at the Council of the EU. They are struggling to reach agreement on key points such as the form of the consent that the data subject (citizen, patient, client) must give before an organisation is allowed to store private data, or the right to be forgotten (the right to request erasure of personal data).
Member states with a largely digitalised administration, such as the Baltic countries, are pushing for flexible requirements. Others traditionally attached to a high level of privacy protection, such as France or Germany, are demanding stronger formalities for collecting consent from data subjects.