GDPR to test cyber policies in Europe

The insurance sector has been hoping that the European Union’s General Data Protection Regulation (GDPR) would boost the demand for cyber insurance as the cover has largely been sold as protection against data breaches. But how the market will be affected will depend on the severity of the enforcement actions taken by the EU and UK supervisory authorities, says Alex Jomaa, cyber underwriter at Tokio Marine Kiln.

From May 25, 2018, the new GDPR regulates the collection, storage, processing, access, use, transfer and erasure of personal data. It establishes responsibilities for the "controllers" and "processors" of personal data. In case of infringements, penalties can reach up to €20 million or up to 4 percent of the company’s worldwide annual turnover, whichever is higher.

“Until precedent is established it will prove tricky for the [cyber] market to affirmatively respond,” Jomaa explains.

At the end of 2016, global premium volume in cyber insurance was thought to be in excess of $4 billion, with around 80 percent coming from the US, according to Munich Re data. The other 20 percent was split between Europe and Asia, where the product is still catching up. Premium volume in Europe is expected to rise from $300 million in 2016 to $900 million in 2018 – a growth rate of 200 percent in two years, according to Munich Re estimates.