LONDON–Sweeping legislative change in Europe will oblige board directors to understand their company’s cyber exposures and stop “sweeping them under the carpet”, panelists said at the Advisen European D&O conference here this week.
The General Data Protection Regulation (GDPR) is the most comprehensive–and most lobbied–reform of privacy rules since 1995, according to conference panelist Neil Arklie, senior cyber underwriter at Swiss Re Corporate Solutions.
It is expected that the GDPR will be passed by the European Commission later in 2015, with full implementation across the region by 2017. The GDPR will bring uniformity on data protection and privacy issues across Europe in a single law.
Notable proposals include a maximum of 72 hours to notify a data breach, prescriptive security measures including the appointment of a dedicated data protection officer and fines & penalties for non-compliance will be up to EUR100 million or 5 percent of global revenue.
The new regulation will increase the need for directors in Europe to understand their company’s cyber risk profile and measures taken to mitigate the risks, according to Barbican underwriting manager, Geoff White. “Directors can no longer sweep problems under the carpet, they can’t ignore their obligations,” White said.
Julia Graham, chairman of European risk management association FERMA and risk manager at law firm DLA Piper, concurred.
“Directors need to embrace that cyber is not an IT risk, but an enterprise risk,” Graham said. “Risk assessments need to include HR for employee data, marketing on use of social media and finance on security of financial records.”
Graham warned that the proposed legislation was the first step towards information security standards across Europe. “Information security standards are coming. The board of directors needs to understand the new regulations and the real implications – this won’t be a tick-box exercise,” Graham said.
Cristiana Baez-Safa, head of European financial and specialty markets at QBE Europe, noted that Directors’ and Officers’ (D&O) insurance carriers in Europe are experiencing claims related to cyber liability issues.
Noting that legal recourse is less prevalent than in the US, Baez-Safa said that cyber litigation does occur “if people are angry enough”. She used the example of Vodafone in Iceland, whose directors were sued under their D&O policy following a data hack that exposed the text messages of its Icelandic customers.
“Cover for cyber issues is available under a number of different insurance products,” Baez-Safa said. “We don’t want D&O insurance to become the ‘catch-all’ for cyber risks, especially for a failure of directors to buy cyber insurance.