Professions and Financial Lines Brief March 2021: cyber insights
A roundup of recent global cyber-related developments, including the introduction of mandatory data breach notification requirements in Singapore, the digitisation of insured businesses and resulting risks to insurers, the Bermuda Cyber Underwriting Report, corporate forum shopping for favourable data protection laws and the New York launch of the Cyber Insurance Risk Framework.
Singapore introduces mandatory data breach notification requirements
Mandatory data breach notification rules are fast gaining popularity across Asia-Pacific. Singapore became the eighth jurisdiction in the area to introduce these regulations, with Thailand, India and Hong Kong to follow suit shortly.
While these rules are becoming more common across Asia-Pacific, they are entirely new to Singapore businesses, and we expect that there will be a learning curve. It is important that organisations realise that they now have legal obligations in relation to data security incidents that they may previously have regarded as purely technical issues.
Business in the days of COVID-19: digital confrontation with the “new normal”
With the increase in the number of people working from home with personal devices, the volume of cyber attacks has risen across the board. Generally, small businesses and home users do not have the same robust computer systems as large businesses and they naturally become easy targets for cybercriminals. The pandemic has therefore accelerated the exposure to potential cyber lawsuits.
Against this background, the need for the insurance industry to take a proactive approach towards its policyholders has increased. Many insurers are preparing, with the assistance of brokers and tech companies, to try to resolve crises as early as possible, and reduce damages before these intensify and become significant claims.
The insurance industry will likely be required to guide, monitor risks and undertake proactive processes to reduce damages in the event of cyber attacks. We are likely to see a number of changes in insurers' approach to risk, including sharing risk with insured entities and requiring a much more thorough assessment prior to risks being taken on.
Cyber underwriting report released by Bermuda Monetary Authority: And it may remind you of another regulator’s recent report
On 18 February 2021, the Bermuda Monetary Authority (BMA) released its annual Bermuda cyber underwriting report. The publication outlines statistics, findings and general recommendations regarding cyber underwriting and operational cyber resilience.
In short, the BMA expects insurers to evaluate both affirmative and non-affirmative cyber exposure as a critical process in their “overall governance and risk management framework”. It also expects insurers to address several areas with adequate policy and procedure measures.
What this means: regulators are taking a clear direction as to how they expect insurance carriers (both cyber and non-cyber) to assess, evaluate, and manage cyber risk in their underwriting procedures as policyholder exposures continue to expand in frequency, complexity and severity.
Potential insurance issues arising from corporate forum shopping for favourable data protection laws
In February and December 2020, Google and Facebook respectively announced that post-Brexit, they will transfer the legal responsibility and obligations for UK users’ data from Ireland to the United States. Both companies cited the UK’s departure from the European Union as the reason for the decision. After this change, UK residents will no longer have recourse to the EU GDPR and will generally lose the protection of EU law.
Data privacy in the US is governed by a constellation of state and federal laws. Some states are strengthening their privacy laws; other states’ laws are less restrictive than the EU GDPR and we might expect Facebook and Google to choose low-regulation states to house user data.
Insureds could benefit from a more relaxed regulatory scheme, and that would in turn be beneficial to insurers. However, compliance with the various laws of 50+ US jurisdictions, the reach of the GDPR and federal oversight of health and banking data, among other things, complicate matters.
Breaking down New York’s Department of Financial Services’ new cyber insurance framework
On 4 February 2021, the New York Department of Financial Services (NY DFS) issued its Cyber Insurance Risk Framework (the Framework) to provide insurance carriers with what it deemed an outline of “best practices for managing cyber insurance risk”.
The Framework was inspired by the ever-growing ransomware attacks. NY DFS cites a 180% increase in ransomware insurance claims and labels ransomware attacks as a US$20 billion problem. The Framework itself can inspire competing reactions as it signals incoming mandates that hover on the horizon without offering much substance as to how to accomplish them.
Perhaps the biggest question implicated is how long it will be before these “best practices” become expectations and standards. This question and the developments surrounding it are worth watching.
Contact: Joshua Mooney