Out-Law / Your Daily Need-To-Know

Out-Law News

UK watchdog could share details of data breaches with insurers to help them price cyber risk


Details of data breaches reported to the UK's Information Commissioner's Office (ICO) could be shared with insurers to help them "accurately price cyber risk", the UK's digital minister has said.

In a speech at a conference hosted by the Association of British Insurers (ABI), Matt Hancock revealed that insurers are in talks with the ICO over gaining access to the information. The proposed data sharing arrangements would take effect after the new General Data Protection Regulation (GDPR) begins to apply on 25 May 2018, according to Hancock.

Cyber risk and insurance expert Ian Birdsey of Pinsent Masons, the law firm behind Out-Law.com, said the information could help grow the fledgling cyber insurance market in the UK.

Under the GDPR, a new data breach notification regime will apply to mandate the reporting of certain data breaches to data protection authorities and affected individuals. Proposed new guidelines on data breach notification were recently published by EU data protection authorities and are open to consultation.

Hancock said: "We have been working with colleagues in the Department for International Trade to consider how we can use the considerable expertise of the UK cyber insurance sector to develop export opportunities across the world. However, I know that the most critical challenge the industry faces is around the availability of robust actuarial data on which to accurately price cyber risk."

"This is an issue that government can play its part in resolving and when the General Data Protection Regulation takes effect from May next year organisations will be required, by law, to report details of cyber breaches that result in the loss of personal data to the information commissioner," he said.

"I understand that conversations are well underway between the insurance industry and the Information Commissioner’s Office around how that information will then be collected and reported to make sure that it is as useful as it can be to insurers for actuarial purposes. We will continue to support the industry in pushing for this while recognising the important role the information commissioner plays as an independent regulator," Hancock said.

An ICO spokesperson confirmed the talks with insurers in a statement issued to Out-Law.com.

"From 25 May 2018 the General Data Protection Regulation will require organisations to report personal data breaches to the ICO," the spokesperson said. "A vibrant market in cyber insurance may encourage organisations to adopt better cybersecurity practices as they look to mitigate the risks arising from a cyberattack, and reduce the cost of premiums."

"We’ve had discussions with the insurance industry in order to understand how aggregated data could help insurers to better understand cyber risks and trends," they said.

The UK's cyber insurance market currently lags behind the US market, but is now developing quickly, Birdsey said.

"The cyber insurance market in the UK is nascent, but developing more quickly. There is, as yet, no meaningful market information built up in relation to breach response in the UK. While more data is available in the US, the market there is subject to a very different environment. In the US, the market is shaped by class actions and different statutory and regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA) in the health sector, for example," he said.

"Mitigating cyber risk is a team-sport. This is true in respect of information sharing, whether about the threat landscape or aspects relating to breach response, so it is little wonder that insurers are keen to access as much data as they can to help ensure they price cyber insurance policies accurately.”
