Technology companies rush for cyber cover in European Union's GDPR regime

Crisis communication, non-breach related fines top management concerns

The European Union’s (EU) General Data Protection Regulation (GDPR) may have increased the complexity level of businesses operating in the EU, but it has certainly brought more business for insurance companies as technology and data centric firms turn to them for cover. 

Contractual obligations to clients remain the prime reason for companies for GDPR-ready policy covers.

“Companies are really trying to understand what changes for them when they process data for an EU based company or they process data for a global company using EU citizen data, and how does it affect their liability? Also, data breaches are a serious threat to company’s reputation as well as their customers and these are major concerns that these firms are seeking insurance for,” said Anup Dhingra, President, FINPRO and Private Equity M&A.

He said IT/ITeS firms have been early adopters of cyber insurance to fulfill their contractual obligations and to cover their exposures around cyber liability. Next in line was the BFSI sector with all major private and public sector banks, insurance companies, fintech firms and others. “We have noted demand for cyber insurance from manufacturing firms to prevent cyber induced business intelligence losses and regulatory actions.” 

ALSO READ: Information technology companies slam brakes on fresh investment

While businesses with an EU footprint are certainly seeking cover, analysts feel the lack of a strong regulation in India, pending the outcome of the final Sri Krishna committee report, has not encouraged other businesses to look for cover yet. Some feel that it might take a major data breach for Indian businesses to realise the need. 

“Indian companies’ response towards availing cyber insurance is still tepid. However, we have recently seen that the IT-ITeS sector is relatively more receptive to avail cyber insurance with GDPR being a factor as compliance failures can result in penalties. Indian regulations do not mandate a cyber insurance policy but purchasing one can mitigate future risks,” said Mukul Shrivastava, Partner, Fraud Investigation & Dispute Services, EY India.

Companies are seeking cover for security incidents such as data breach, subcontracted or vendor work for clients, public/ private clouds, infrastructure services and data carrier services from telecommunications majors to software and IT services. They are also seeking cover for ransom and events beyond data breach like external audits, risk mitigation and the penalty for non-compliance.  

Under Scanner 

Contractual obligations to clients remain a reason for companies for GDPR-ready policy covers

Over the past 24 months, there has been two to threefold rise in insured limits subscribed by Indian tech and telecos

Firms are seeking cover for data breach, subcontracted or vendor work for clients, public/ private clouds, infrastructure services and data carrier services from telcos to software 

Analysts feel the lack of a strong regulation in India has not encouraged other businesses to look for cover yet

Among the top technology companies of the country, the senior management is particularly concerned about fines on discovery of unintentional security lapses as well lapses by individual employees apart from large scale crisis communication in the face of loss of trust from customer base. 

Over the past 24 months since GDPR was announced, there has been a minimum of two to three-fold increase in the insured limits subscribed by many large Indian technology and telecom majors, said Marsh India. Smaller companies and start-ups are also likely to go for a combination of various available insurance options to optimise their insurance spend.
 

 ALSO READ: Retailers, technology firms join hands to ward off 'Amazon Effect'
 

Among the more notable incidents, a British compliance agency last year had fined a telecommunications major TalkTalk for the leak of customer data which was being handled by IT major Wipro. 

“Since the GDPR regulations have been announced, we have seen at least a 15 per cent rise in companies looking for coverage with respect to cyber security. The GDPR regulation is on top of our clients’ mind during the discussions regarding renewal of the policies due to their contractual obligations with their EU clients,” said Sasikumar Adidamu, chief technical officer, Bajaj Allianz General Insurance.