As regulators enact legislation that’s shaping data protection standards – namely GDPR, but also the New York Department of Financial Services’ cyber security regulations and Canada’s mandatory breach notification rules – the cyber strategies of companies are in turn improving, according to one expert in this field.
“There’s a wide spectrum of insureds that we see – Fortune 500 companies down to mom-and-pop stores – and of course, as you might expect, different levels of sophistication within that range, but absolutely, there’s more awareness of the issues,” said Jason Glasgow, vice president and practice lead of technology, privacy and network security professional liability for Allied World US.
“Sometimes, there’s just not enough time and resources within a company to deal with some issues, so we try to help them with some of our vendor partners, but, absolutely as a whole, the industry is becoming more aware of what they need to do, and the regulatory environment has helped with that.”
Enforcement actions have been an important motivator to get companies to comply, added Glasgow, with organizations updating their cyber security measures so that they don’t fall under the critical eye of regulators, whose presence is expanding, and end up paying fines or suffering other consequences as a result of coming up short.
“Here in the States at least, we’ve seen a fairly steady increase in regulatory presence, so whether that means legislation or enforcement or both, that has increased over the last 15 years,” explained Glasgow. “That environment has helped push not only the insurance market, but better privacy and network security hygiene.”
Added regulatory pressure doesn’t, however, mean that cyber incidents and claims related to them have been quashed.
“Ransomware and phishing are still that top level of what’s driving claim counts, the number of claims. They don’t tend to be huge claims, but they’re not inexpensive and they drive the claims. Hackers are [also] still a major threat. If a hacker gets in, those are more expensive claims,” said Glasgow, adding that there is nonetheless more awareness about cyberattacks, thanks in part to the work of insurance professionals. “The broker community, as well as the insurer community, has done a really good job educating people of what these exposures are and what they can do about it upfront, rather than waiting for something to happen and having to respond to it.”
One concern that sometimes comes up in discussions around cyber security rules is that technological advancements have the potential to outpace regulations. Glasgow points to blockchain as a technology that’s caused some issues for regulators since the records of data on this digital platform can’t be altered. In this case and others, insurers and regulators need to keep reaching across the aisle to find solutions that protect the interests of businesses and consumers.
“That conflicts directly with some of the GDPR regulations around scrubbing the data and the right to be forgotten,” said Glasgow. “So when there’s a direct conflict with the technology and the regulatory scheme, I think it’s incumbent on the regulators to reach out and say, how can we address this issue without being in direct conflict?”