THE GDPR – A NEW CHALLENGE FOR THE IT SECURITY PROFESSION
The EU General Data Protection Regulation (GDPR) is one of the most significant developments in data protection policy and regulation for years. The IT security profession is slowly starting to recognise its full implications for how the processing of personal data must be secured ahead of GDPR coming into force in 2018.
Symantec and the research firm Coleman Parkes conducted a study into how prepared UK & Ireland organisations are for this wide-ranging legal framework, questioning 260 CISOs from organisations with 1,000+ employees.
Contents:
• Readiness Findings
• Cyber Risks Insurance
• Cyber Insurance Planning
• When a Breach Occurs
• Why Cyber Insure?
• The Five Steps to Prepare
UKI ORGANISATIONS FACE NON-COMPLIANCE RISKS LIKE NEVER BEFORE
• 37% are fully equipped to detect, report, remedy and recover organisationally from a breach.
• A further 37%, while able to report in the allocated timeframe, do not feel able to recover within 72 hours.
• 20%, whilst able to report the breach, could not do so today within the mandated three days.
• Worst, 4% will improvise in a breach situation and 1% are confident they would not suffer a data breach.
Survey responses (share of CISOs):
• We are fully equipped to detect, report, remedy and recover from data breaches: 37%
• We should be able to report the breach within the 72 hours’ notification requirement that applies to notifying regulators in the GDPR: 37%
• We should be able to report the breach but not within the 72 hours’ notification requirement that applies to notifying regulators in the GDPR: 20%
• We will improvise as and if the situation presents itself: 4%
• We don’t expect to suffer a data breach at all: 1%
Given the risks involved, one traditional answer is to get insured, notably against the financial damage a data breach would cause.
CYBER INSURANCE – THE REALITY
What is your experience of trying or actually insuring against Cyber risks?
• No experience, we have never done it
• We couldn’t get insured
• We are insured but not comprehensively covered
• We are fully covered
Response shares shown in the chart: 31%, 35%, 15%, 20%.
Although many Cyber Insurance policies are written out of Lloyd’s of London, according to the “What Every CISO Needs to Know About Cyber Insurance” whitepaper, only a third of UK and Ireland organisations are currently fully covered against Cyber risks. Is this because of a lack of awareness of the Cyber Essentials scheme launched in 2014?
Surprisingly, the Hospitality (57%) and Education (50%) sectors are the most covered, while almost a third of Financial Services and Manufacturing organisations couldn’t get insured.
CYBER INSURANCE – THE PLANNING
Set to triple in the next five years, from $2.5 billion in 2015 to $7.5 billion by 2020 according to PwC, the Cyber Insurance market is one of the highest-growth areas.
However, the study found that 75% of UK and Ireland organisations are not planning to be insured against the GDPR as soon as it comes into effect.
Is the risk of GDPR something your organisation is planning to insure against?
• Insured on time (insured when the GDPR comes into effect): 25%
• Likely not insured on time (insured 2-5 months after GDPR comes into effect): 41%
• Likely not insured on time (insured 6 months to 2 years after GDPR comes into effect): 34%
CYBER INSURANCE – WHEN A BREACH OCCURS
Despite only 26% of respondents stating that their Cyber Insurance covers government compliance penalties, 82% would benefit from a pay-out.
For UK and Ireland organisations with between 5,000 and 9,999 employees, 100% would be recompensed, compared to 59% for smaller organisations of 1,000 to 4,999 employees.
How well would a pay-out under Cyber insurance recompense your business in the event of a breach? (share of respondents expecting to be recompensed, by type of loss)
• Government compliance penalties: 82%
• Reputational loss: 79%
• Data loss: 76%
• Blackmail pay-outs: 75%
• Financial loss to the business: 71%
• Remediation via third party incident response: 70%
• Operational downtime: 80%
The respondents did, however, state that they would expect to get on average only 55% of their total loss back.
CYBER INSURANCE – THE BENEFITS
Cyber attacks can massively impact brand, reputation, and business operations. Proactively planned Cyber Insurance can cover goods, intellectual property (IP) and other digital assets moving through the organisation by:
1. Closing the gap between traditional coverage and current needs
2. Helping cope with unexpected costs, notably those from data breaches
3. Providing the necessary resources for Data Breach Responses
Symantec has partnered with key Cyber Insurance thought leaders to shed light on essential Cyber Insurance tenets and to review the questions most frequently asked by organisations globally. The business relevance of Cyber is here to stay. Working with a provider such as Symantec can strengthen Cyber defence and reduce premiums.
FIVE STEPS TO GET READY FOR THE GDPR
In addition to getting insured against GDPR, Symantec recommends following these steps:
1. Treat GDPR compliance as a board-level issue. Form a governance group under the direction of the CISO, CIO and Data Protection Officer and make sure they are involved in Cyber Insurance decisions too.
2. Understand and map the data you collect and process, directly and via third parties. Devise and test the mechanisms to delete data with confidence.
3. Assess your organisation’s current policies and procedures and whether the level of security they offer provides adequate protection against unauthorised processing and/or data loss. After doing so, re-evaluate whether you are purchasing the right types of Cyber Insurance coverage, not only the right amount.
4. Take a ‘Privacy by Design’ approach to re-engineer processes and policies which involve the processing of personal data, to ensure compliance happens by default. New insurance tools and offerings should also be fully considered at this stage.
5. Urgently review your breach notification processes to assess whether your organisation can investigate the extent of any compromise within the 72-hour notification deadline. If not, review your Cyber Insurance coverage once again, or be ready to pay large fines.
For more insights, click here: http://www.symantec.com/en/uk/data-privacy/