Cyber Risk and Data Privacy
Data Privacy, the GDPR (General Data Protection Regulation) and related security matters have been widely discussed and publicised in recent times. As you are no doubt aware, the new regulation comes into force on May 25th.
Some of the big questions being asked of businesses in advance of GDPR:
- How ready are you for the changes that will arise?
- Have you considered the potential financial risks that you will face?
- Are you concerned that you may not have adequate controls and protections?
- How will you deal with data privacy notifications, data requests and portability?
What happens after May 25th?
Irrespective of what happens after May 25th, the reality is that most businesses, no matter how well prepared and compliant, will remain susceptible to cyber-attacks and to external and internal data breaches. In today’s digital workplace, achieving total security and eliminating all cyber and data handling / storage related risks is virtually impossible. With GDPR, the potential impact of a cyber-attack or data breach on a business of any size, arising from a related fine, penalty or litigation, could be financially greater and potentially highly damaging to reputation.
Our experience of cyber risk and data security.
Glennon have been working with clients in the cyber security and data protection areas for over a decade. This is not a new risk area; however, our work has mainly related to larger companies, whom we have assisted in managing their exposures through specialist cyber insurers with bespoke policies. The companies we have worked with have all had an exposure; the only key variable has been to what extent.
For small to medium and indigenous businesses.
With the increase in the availability and adoption, by businesses of all sizes, of digital tools, cloud-based systems and other technologies, the need to plan and provide for cyber-related risks and their potential impact is becoming more prevalent. We also fully expect the frequency of claims in this area to increase as GDPR comes into effect, and as data subjects become increasingly aware of their rights.
So, what are the main risks and exposures following a cyber-attack or data breach?
- Reputational Risk – the resultant damage to the business’ reputation in the market and loss of clients.
- Regulatory Risk – the risk of being in breach of the legislation and the resulting fines and penalties associated with the breach.
- Regulator Risk – the risk of negatively coming to the attention of the regulator.
- Regulatory investigation costs – the financial cost in facilitating a regulatory audit.
- Failure to notify affected clients (data subjects) following a personal data breach.
- Risk of a breach of personal data resulting from insufficient data safeguards.
- Failure to notify the regulator following a personal data breach.
- Legal, PR and IT costs – particularly first response in the immediate aftermath of a breach. Loss of reputation is a key risk.
- Cost of Identity Theft and Credit Acquisition monitoring – for data subjects following an actual or alleged breach.
- Civil liability arising from a “material” or “non-material” loss suffered by a data subject as a result of a data breach.
- Cyber-attack and extortion costs – investigation and ransom.
- Failure of a third party provider to safeguard personal data which you have provided.
Significant concerns arise from these exposures including:
1. The potential sanctions, financial and otherwise, that can now be imposed by the regulator. There is a view that penalties and fines will be applied to a greater extent than before.
2. Under the current data protection rules it is difficult for a data subject to bring a claim unless they can actually demonstrate “material loss”. Under GDPR data subjects can now bring claims in situations where no “material loss” has been identified. This has potentially serious implications for businesses.
Glennon are working with our clients to assist them in understanding their cyber risk profile and ensuring that any cyber risk insurance solution will meet their specific needs. We would be very happy to discuss your specific cyber risks and concerns with you. Contact us today.