Are we there yet?!!
An Update on GDPR from Gary Horswell, Managing Director of Ntegrity, UK200Group Business Partner; Professional Indemnity Insurance
A little GDPR fatigue can be forgiven now that the new Data Protection Act 2018 has finally arrived, but just as you might have thought it safe to relax, food for thought arrived in my inbox from American International Group, Inc (AIG), currently the largest cyber insurance provider.
AIG’s Cyber insurance report is based on claims received in 2017, and points to many reasons why data protection must remain in management sight:
- AIG received as many cyber claims in 2017 as it had in the previous four years combined.
- Claims were notified at the rate of one a day, which may not seem a lot, but many will have involved significant disruption and cost to the businesses affected.
- Ransomware attacks are the largest single cause of cyber claims, at 26%. Other insurers in the cyber market echo this.
- Human error is a significant factor in cyber breaches.
- Professional and financial services contributed 36% of all AIG cyber claims.
- Solicitors' and accountants' databases are very attractive to cyber criminals.
- Ransomware attacks are increasingly commoditised, with creators offering revenue-sharing agreements to partners.
- Much of the business interruption caused by ransomware, data-encrypting and other attacks was uninsured, despite the financial loss it caused.
Insurers are expecting a surge in data breach claims and litigation following GDPR, and the Morrisons case could create a costly benchmark as well as fuelling a rise in similar claims. Claims against directors could also increase, so check that your Management Protection or Directors & Officers Liability cover does not have a data breach exclusion (most don't at the moment, but we'll be happy to review your policy without obligation if you are unclear).
If anyone has not yet completed a Data Breach Response Plan, or is being asked for guidance by clients, we can supply you with a template plan. We used this to create our own data breach response and found it helpful, although it must be tailored to your unique circumstances. The 72-hour breach notification rule does not apply to all information losses: under GDPR the clock starts when you become aware of a personal data breach, and notification to the ICO is only required where the breach is likely to result in a risk to individuals' rights and freedoms. However, where a notification is required, meeting the deadline could be a real challenge. We recommend businesses buy a good-quality cyber insurance policy that supplies 24/7 Data Breach Response Support services, which will help where a notification is required, particularly where the expertise is not in-house. The alternative is to source expertise after a breach occurs, often at eye-watering rates.
For accountants, 'Making Tax Digital' will mean clients sharing even more data with you. Professional Indemnity Insurance (PII) will protect you against claims from clients for a data breach, but not against all of the financial losses that can arise, such as:
- the costs of breach rectification,
- notification expenses,
- business interruption,
- loss of your own funds, and
- reimbursement of any ICO fines (currently uninsurable in the UK).
If you would like to discuss any of the issues raised here please feel free to contact me. For a copy of the full AIG report or our Data Breach Response Plan template, please contact Jennifer.Knight@ntegrity.co.uk or call 01454 800 842.
Gary Horswell
Gary.horswell@ntegrity.co.uk
Tel: 01454 800 844