The Courier & Advertiser (Angus and Dundee)
Digital security
As Brexit looms, there is a misconception amongst UK businesses that the EU General Data Protection Regulation (GDPR) rules will change once the UK has left Europe.
Research by Crown Records Management in March 2017 highlighted that 28 per cent of firms have cancelled preparation for the regulation and 44 per cent think the regulation will not apply post-Brexit.
The GDPR becomes effective on May 25, 2018, and aims to safeguard the personal data of EU citizens relative to organisations that process such data. It signifies a substantial change in personal data protection and privacy regulation as organisations that use personal data will be held more accountable for their data collection, storage and use.
The regulation provides enhanced rights for individuals and increased scrutiny by regulators.
The UK has played an integral role in the development of this regulation and it will apply to all businesses in the UK as well as in any country wishing to interact with countries within the EU.
The regulation will apply regardless of Brexit. If an organisation fails to comply with GDPR it can be fined up to four per cent of global turnover or €20 million.
Acting as a catalyst, the GDPR will likely accelerate the purchase of Cyber and Data Breach insurance as businesses become more focused on their cyber and data security and the costs of a breach.
Robust defences against cyber intruders and strong internal processes for eliminating careless or rogue staff behaviours are key to business continuity and consumer trust. Without investment in prevention, detection and awareness training, firms will be left exposed.
Whilst insurance is not a replacement for effective preventative measures, should the worst happen it can be the difference between a business surviving or failing.
It is important to understand that traditional insurance policies may not provide cover for many cyber/IT/data-related exposures, as they rely on physical triggers or outcomes. For example:
• Professional Indemnity – Likely to be tied to the provision of your professional services and further tied to an act of negligence.
• General Liability – Covers only bodily injury and tangible property.
• Property/Business Interruption – Courts have held that data isn’t property and that direct physical loss requirements are not satisfied. Note that some insurer wordings are evolving to include “data” in the definition of property.
• Crime – May require the perpetrator to be identified. Covers only money, securities and tangibles.
Traditional policies were not designed or intended to respond to the new and evolving cyber risks.
In view of the above, we would recommend businesses consider a standalone cyber solution, which can provide cover for first-party losses (your own), third-party liability losses and 24/7 incident response support services, including a breach coach, forensics to diagnose the source, and legal and public relations support to mitigate reputational damage.
With this in mind, you should be able to find a comprehensive cyber programme designed to meet your business requirements.