A major driving force in the uptake of cyber insurance and the practice of effective cyber risk management is regulation. As the world slowly turns into a digital hub of data, legislative bodies are passing laws and guidelines to make sure our personal privacy is protected.
Some countries like the US, Canada and Europe have become quite advanced in their data protection and privacy laws, whereas others are lagging behind. Regulation is “one of the key differentiators” driving cyber insurance uptake in different geographic regions, according to Tim Rees, director of cyber risk solutions, Great Britain, Willis Towers Watson.
“The US has had the HIPAA law and various other privacy regulations in place for some time, so US entities are actually quite mature in respect to their understanding of cyber risk management and risk transfer,” he said. “They’re the biggest buyers of cyber at the moment, with Europe quickly catching up.”
Data privacy and cyber risk has been thrust into the limelight in Europe in the past year thanks partly to the introduction of the General Data Protection Regulation (GDPR), an extra-territorial European law that applies strict regulation upon any company offering goods or services to EU residents or monitoring the behavior of EU residents. The huge media hype around the GDPR and the potentially substantial fines and penalties for companies who violate the law has played a big part in raising awareness around cyber risk management and transfer.
On the other side of the world, the Banking Royal Commission in Australia is making waves by highlighting poor business practices and forcing financial services corporations to think about how they handle data and what they do with it. This enquiry is driving lots of cultural change – a trend which is also important when it comes to corporate cyber resilience, according to Willis Towers Watson.
“One area where regulation is not yet as strong is Asia. Places like China and Hong Kong have very little regulation [compared to the US and Europe], which means there isn’t as much incentive for corporations to carry out such in-depth cyber risk management processes or even to purchase cyber insurance,” Rees told Insurance Business. “There has been some progress in the Asian market. For example, Singapore is starting to mature and is catching up quickly with some of the more advanced markets – a drive partly driven by the huge healthcare data breach they suffered a couple of months ago.”
