We recently spoke with Joseph Carson, the Head of Cyber Security at ESC Global Security and Head of Product at Arellia, to discuss the current state of data protection as well as the evolution of cyber insurance.
In this third installment of our four-part series, Carson shared his thoughts on the changes to EU customer privacy protection laws and their potential impact on the cyber insurance market.
The General Data Protection Regulation—Making Companies More Accountable for Breaches
The right to privacy isn’t a new concern for the EU. When the Internet first began to shape consumer protection regulation, the EU responded by adopting the Data Protection Directive in 1995.
While these rules sufficed in the 1990s and early 2000s, the rapidly growing sophistication of cyber attackers and the booming volume of data breaches made it clear to the European Commission that changes were necessary.
In 2012, the European Commission proposed a replacement for the Data Protection Directive: the General Data Protection Regulation (GDPR). With the goal of putting customers back in control of their personal data, the proposal aimed to make companies more accountable for increasingly common data breaches.
According to Carson, “The expectation we’re driving towards is that with the new regulations and enforcement of data protection and data privacy, we’re seeing companies now have a direct financial risk associated with data breaches.”
“With the updated European Commission data protection regulations, if you experience a cyber breach, the requirement is to notify the national Supervisory Authority within 72 hours and affected parties without undue delay,” he continued.
“If a company is found out of compliance, the European Commission can fine the company up to 100 million euros or 4% of global sales. What this means is companies who deal with personal data now have a regulation they must adhere to—and actual financial penalties exist if they don’t.”
Adapting Cyber Insurance for Better Coverage in the Wake of New Regulation
While the new regulation will protect the data of EU citizens once it takes effect (the GDPR applies from May 2018), it will create major challenges for companies that have previously relied on an inefficient cyber insurance market and on cyber captives.
The current cyber insurance model doesn’t promote adoption: companies have a difficult time finding the coverage they need, and purchasing coverage is a gamble in its own right, since a company pays for risk transfer and may never experience a breach that triggers a claim.
Cyber captives (self-insurance vehicles owned by the insured) are a more flexible way for companies to build a piecemeal layer of cyber coverage, but outside of high-frequency, high-value use cases they prove ineffective.
The new data protection regulation will drive changes in the cyber insurance market for data breach coverage. Carson shared his insights on this, remarking, “I want to change cyber insurance as it is from a risk portfolio to an investment portfolio.”
“This will change the way you look at cyber insurance. Moving it to an investment portfolio means that while you put money into cyber insurance, if you don’t have a data breach at the end of the year, you’ll actually receive bonuses back on that risk coverage. This is how natural disasters are insured today—I don’t see why we couldn’t evolve and use that model for cyber insurance.”
Meeting Compliance Requirements—Do You Have the Necessary Data Protection Measures?
After a breach has been reported to the national Supervisory Authority within 72 hours of the company becoming aware of it, the authority can investigate whether the breached company had the security measures in place that the regulation requires, and the company itself will need a forensic investigation to establish the root cause.
You may already have firewalls or intrusion detection systems in place, but the stronger your cyber security defenses, and the better you can demonstrate them after an incident, the higher the likelihood of avoiding major penalties.
With a deception technology solution such as illusive networks’ Deceptions Everywhere® architecture in place, you can supplement these basic security measures and reduce the likelihood of facing heavy penalties under the new GDPR.