As companies are being fined tens of millions of pounds for breaches of GDPR regulations, it is essential to check your data security systems, says Simon Viney, Financial Sector Cyber Consulting Lead, BAE Systems Applied Intelligence.
Data has always been important, and now misuse or negligent treatment of people’s data is, in Europe at least, something that will cost organisations dearly. The UK’s Information Commissioner, responsible for upholding privacy rights in that country, has said it will fine British Airways £183 million and Marriott International, Inc. £99 million for data breaches at the two organisations that were caused by malicious cyber attacks.
These aren’t the first fines, or even the first big fines (France has just hit Google with a EUR50 million fine), but they are the first to make big headlines, and the first, arguably, to attract the attention of the public – they will have a material impact on both organisations.
Whilst the fines to be levied against British Airways and Marriott have not been finalised, and the reasons behind the level of each fine have not yet been disclosed (they will be, once the Monetary Penalty Notice is published by the ICO), these proposed fines represent a sea change in the penalties organisations face for being subject to a cyber attack that results in a breach of personal data.
Many firms have turned to cyber insurance to provide cover against losses should they be subject to a successful cyber attack. Cyber insurance policies typically state they provide cover against GDPR fines, but it should be noted that what is legally insurable in this case has yet to be tested.
If the recent news of large penalties by the UK’s ICO marks the start of a new chapter of significant fines for organisations subject to breaches as a result of cyber attack, insurers could find themselves liable for significant claims that far exceed those seen previously in respect of either data breaches or cyber attacks.
Additionally, should a cyber attack target or impact multiple organisations simultaneously, leading to significant fines under GDPR, insurers could face having to pay multiple large-value claims in relation to the same event, potentially exceeding their expected claim losses.
INSURERS NEED TO DO BUSINESS, BUT PROTECT THEMSELVES FROM CYBER ATTACKS
Insurers will need to become more specific regarding the level of cyber protection they require organisations to have in place before deciding on the level of cover they will offer – and working out what is ‘enough’ protection is notoriously difficult. And we shouldn’t forget another problem for insurers: as the holders of vast amounts of personal data themselves, they’re also likely to be targets.
Before anyone decides this is simply all too awful to contemplate, however, it is worth noting that these two problems hold the key to the solution; in the act of creating, maintaining and testing their own defences, insurers are also in an excellent position to ask the right questions about what makes a diligent defensive state against cyber attack.
GDPR is a legitimate response to the concerns about personal privacy; a regulatory drive vindicated by recent events. It’s up to us to work with the new reality, and understand how it affects our businesses for better and for worse.
This article is sponsored content, produced in association with BAE Systems