Friday, 6 July 2012
EU report calls for kick-start to cyber insurance market
ENISA suggests government-backed cyber pools may be needed and stresses the need for mandatory breach reporting. Danger of a market that focuses on the consequences of cyber failings rather than their causes. Adrian Ladbury reports from Brussels.
The European Network and Information Security Agency (ENISA) has called on the insurance market to rise to the fast-emerging cyber risk challenge and develop a vibrant market to help European business cope with this critical risk.
ENISA published a report at the start of this month suggesting that there may be a role for national governments within the European Union to set up cyber risk pools, similar to those created for natural catastrophe and terrorism risk, to help foster the development of such a market.
In an exclusive interview with Commercial Risk Europe, ENISA’s Executive Director, Professor Udo Helmbrecht, said that the EU body believes that other actions needed to overcome the barriers to the formation of a proper cyber risk insurance market in Europe are: the collection of empirical data on cyber insurance in Europe, an examination of incentives for firms to improve their data security to help reduce their risk and financial liability if they breach data protection regulations, and the establishment of agreed frameworks to help firms put a measurable value on their information.
Professor Helmbrecht has been invited to present at CRE’s Risk Frontiers Cyber Risk seminar in Brussels on September 27, organised in partnership with Belrim, the Belgian risk management association, alongside senior EC officials and leading cyber insurers and brokers.
Mr Helmbrecht told CRE that he is keen to increase dialogue with the risk management community as well as with the insurance market, which suggests that the door is open for Ferma and the national risk management associations to become involved in this potentially significant development from the start.
Professor Helmbrecht said: “This new ENISA report indicates that Europe’s cyber security policies and legislation must be complemented by a prevention-focused cyber insurance market. As well as providing reassurance that proper cover was available, a developed market in this area would help to improve levels of cyber security by putting a true cost on cyber incidents and showing the benefits of implementing good security practices.”
The European cyber insurance market is relatively immature compared with the US market. Research among leading European risk managers carried out for our annual Risk Frontiers survey, to be published in September and sponsored by XL and Willis, confirms that part of the reason for this is the absence of a coherent regulatory and legislative framework to focus minds and generate more information.
The US has adopted rules that ensure that companies have to report cyber incidents and so the government and other agencies have built a body of data and experience that is helping the insurance market assess the risk and come up with usable products, according to experts.
The EC is mindful of this and is fast catching up. ENISA explained that EU Directive 2009/140/EC, adopted in November 2009, amended the existing directives on electronic communications networks and associated facilities.
Article 13a, inserted into the Framework Directive by that amendment, introduced a requirement for providers of public communications networks to take measures to ‘guarantee the security and integrity of these networks and to ensure continuity of services provided over these networks’, explained the body.
Paragraph 3 of Article 13a states that providers must report ‘significant’ security breaches and losses of integrity to the National Regulatory Authorities (NRAs). Summary reports should be sent to ENISA and the European Commission on an annual basis.
“The aggregated analysis of the incident reports will describe the current trends and provide knowledge and information to NRAs and operators,” stated the ENISA report.
The body also pointed out that, under the EC’s recent announcements on the reform of the EU’s legal framework for privacy and data protection, breach disclosure reporting (with possible fines) has the ‘potential to play into the market communication of risk’.
In January of this year, the EU’s Justice and Fundamental Rights Directorate General disclosed that breach notification would be proposed to apply to certain internet businesses that ‘control or process’ personal data, in line with the EU Data Protection Directive 95/46/EC.
ENISA explained that the proposed law would require such businesses to inform a regulator within 24 hours of becoming aware of an attack and data subjects ‘as soon as reasonably feasible’.
During a speech in Munich in December Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, said: “We currently have a real patchwork of data protection laws in Europe. Companies in Europe have to deal with 27 often conflicting data protection laws with data protection authorities that apply the law in different ways. Legal uncertainty and legal fragmentation are a burden for those companies—both small and large—that want to do business in Europe's Single Market. This fragmentation of data protection laws in Europe is not only an extra cost for business, but it also holds back economic growth and innovation.”
Ms Reding continued: “In addition, companies very often are burdened with red tape: cumbersome and costly notification requirements for processing data without bringing a feeling of safety to the citizens. On the contrary, privacy concerns are one of the most frequent reasons why people don’t buy goods and services online. This needs to be changed.”
Ms Reding said that, to address these challenges, she would propose a comprehensive reform of the data protection rules with two legislative texts to accomplish these goals.
First, a regulation to ‘enhance opportunities’ for companies that want to do business in the EU's internal market, while ensuring a high level of data protection for individuals.
Second, a directive to ensure a smoother exchange of information between member states' police and judicial authorities in the fight against serious crime while at the same time protecting people’s fundamental right to data protection.
ENISA stated that the proposed rules may persuade firms to focus on secondary losses, investing in management of the reputational ‘fallout’ from a loss of personal data, rather than on primary losses, that is, the direct and immediate costs of the loss.
The body added that in the short time scale proposed the rules may further incentivise the affected firm to consider secondary rather than primary losses. “It may thus be seen that incentives and barriers of the cyber insurance market in Europe…like many other areas of regulatory intervention, it addresses the symptoms and not the cause of cyber-security problems,” stated ENISA.
It also suggested that a ‘flourishing’ market could therefore develop that is aimed not at remediation of the vulnerability that causes the loss but rather at ‘reputational management’, helping firms reduce secondary losses (where they have discretion over whether to disclose).
“This may lead one to draw the conclusion that what is currently labelled as cyber-insurance is not for cyber-attacks, but instead for secondary losses (eg reputational damage),” stated ENISA, echoing the thoughts of many of the risk managers interviewed for this year’s Risk Frontiers survey and also brokers for our annual Risk Distribution survey that is to be published in October.
More generally ENISA said that obstacles to the development of an effective cyber insurance market include lack of actuarial data on the level of the risk and uncertainty about what type of risk should be insured against. To address these issues, ENISA made four recommendations. These are:
- Collect empirical data on cyber insurance in Europe that looks at types of risk insured, premiums paid and levels of payouts to determine future trends. The action could be taken by insurance underwriters, firms or regulatory authorities, said ENISA.
- Examine incentives for firms to improve their data security to help them reduce their risk and financial liability if they breach data protection regulations. Fact finding with the European Commission would be a first step to understanding this area.
- Establish ‘agreed frameworks’ to help firms put a ‘measurable value’ on their information. “The work could be assisted by privacy and information security advisors, underwriters and the European Commission. ENISA could also provide further support,” stated the body.
- Explore the role of governments as an insurer of last resort, ‘following other models where policy intervention is in evidence when catastrophic risk is involved.’ ENISA said that this could be investigated by EU member state governments and the European Commission.
The study was commissioned and managed by ENISA with specialist services provided by RAND Europe.
- More information about ENISA and its work can be found at www.enisa.europa.eu. For further information about CRE’s Cyber Risk seminar in Brussels on September 27 organised in partnership with Belrim and supported by Chartis please contact Annabel White—email@example.com. Attendance is free for registered risk manager readers of CRE.