Technology and cyber
In this chapter of our Annual Insurance Review 2018, we look at the main developments in 2017 and expected issues in 2018 in the technology and cyber sector.
Key developments in 2017
A number of cryptolocker ransomware attacks made news headlines in 2017. Examples of high-profile ransomware include the WannaCry, NotPetya and Bad Rabbit malware variants. These incidents had a global impact, with ransomware deployed on a mass scale.
Ransomware is not just limited to high-profile global incidents. The threat of ransomware attacks to businesses is highlighted by the increased number of notifications of attacks being made under cyber policies through our breach response service, ReSecure, over the past 12 months. Ransomware represents a day-to-day threat to all sizes of business across all industries, with the ransomware variants mentioned above, and many others, affecting 17% of all businesses in the UK in the past year.
Attacks can present a huge burden to businesses and usually prevent them from operating while the attack is underway. The length of disruption and the loss of work product will depend on the robustness of the response to the incident and the extent to which the insured’s data has been backed up. Delays in notifying incidents to cyber insurers and triggering breach response services can increase losses to the insured.
We are also increasingly dealing with incidents where ransomware causes the insured to discover there has been a potential data breach, either as part of the same attack or caused by the same underlying vulnerability to its systems. This puts further pressure on the insured, as it must then consider notifying data subjects and regulators.
What to look out for in 2018
Businesses will have increased obligations to safeguard data in the event of cyber attacks once the European General Data Protection Regulation (GDPR) comes into effect in the UK from 25 May 2018. GDPR is a comprehensive and fundamental overhaul of EU data protection law that introduces an accountability principle, whereby data controllers and processors will be responsible for complying with data protection principles.
To become GDPR-compliant, businesses will need to ensure that data controllers are aware of their new responsibility to report personal data breaches to the relevant supervisory authority within 72 hours and to inform data subjects where the breach will pose a high risk to them.
Failure to comply with the new notification timescales could result in substantial regulatory fines of up to the higher of 2% of global turnover or €10m. Such a fine could potentially apply even if there had been no other breach of the requirements in the GDPR. Simply failing to notify within the prescribed time is itself a breach. Indeed, breaches of other parts of the GDPR could lead to even higher maximum fines.
The key challenge for those affected by data breaches will be to have enough information within 72 hours to assess whether a notification is needed and, if so, what it should contain. The time limit is extremely tight and, in practice, is likely to be a challenge for even the most efficient breach recovery plans. Breach response services, and the cyber insurance policies that fund them, are likely to be a vital source of assistance in meeting this challenge.