The Global Federation of Insurance Associations (GFIA) has now provided its feedback to the Organisation for Economic Cooperation and Development (OECD) on cyber issues and the cyber insurance project. The GFIA has suggested that the OECD Insurance and Private Pensions Committee (IPPC) should consider reviewing the broader cybersecurity landscape to determine how policy and regulation can support open market penetration through greater cyber risk awareness and sharing of data and information.
One topic that it focused on was the international confusion regarding the insurability of fines and penalties. In the US, the FTC has explicitly stated that fines are not insurable, while in Europe there is nothing in the GDPR which either permits or prohibits insurance coverage for regulatory fines. The GFIA encouraged the OECD to clarify this issue in order to benefit consumer and insurer contract certainty.
In a statement on the topic, the UK Information Commissioner’s Office (ICO) said: “We are aware that there is insurance available against cyber risks and data breaches, but we are not aware whether insurance is available to provide cover against fines which may be issued by the ICO for breaches of the GDPR. However, our view is that a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practice to efficiency, reputation and competitive edge.”
According to the GFIA, the cyber insurance market is an important resiliency tool with many ancillary benefits. Each year, the market continues to grow responsibly as insurers innovate and address consumer needs and market demands. Whether or not fines are insurable in different jurisdictions, it is clear that organisations need to be focused on digital ethics: good information rights practice to drive efficiency, reputation and competitive edge, as well as adequate protection in the form of both cyber insurance and crisis management cover.
A year ago the OECD released a report that set out to provide ‘a series of policy recommendations aimed at enhancing the contribution of the cyber insurance market to managing increasingly prevalent risk’.
The report discussed issues such as data confidentiality, system malfunction, data integrity and availability, and the consequences of malicious activity. It also examined the cyber insurance market both as a stand-alone market and in terms of coverage for cyber-related losses under existing (traditional) policies.
The report also addressed market challenges as well as discussing how to support the cyber insurance market through better policies and regulation.
The key findings were:
The full report is available for download here.