The cyber insurance industry would not exist if there were no malicious players in cyberspace. The state of the cyber insurance market therefore depends on the number of cyber-attacks and their cost. According to research conducted by the University of Maryland, computers in the US are attacked once every 39 seconds, amounting to 2,224 attacks a day.
Listed below are the top regulatory trends impacting the cyber insurance industry, as identified by GlobalData.
General Data Protection Regulation (GDPR)
The EU’s GDPR came into force in May 2018. Firms that do not comply with the regulation can face fines of up to €20m or up to 4% of the company’s annual global turnover (whichever is higher). Non-compliant businesses should not expect their insurance to cover the associated fine unless they are located within Norway or Finland.
If the fines associated with GDPR were insurable, the regulation would undoubtedly be playing a greater role in driving growth in the cyber insurance market. Even so, GDPR will help increase uptake of cyber insurance policies.
California Consumer Privacy Act (CCPA)
The CCPA came into force on January 1, 2020, giving more control to consumers about how their data is used by organisations. The CCPA affects any company that receives, buys, sells, or shares data on more than 50,000 Californian residents, households, or devices. Under this law, organisations must disclose what they are doing with consumer data. Consumers can also request that organisations do not sell their data to third parties, and can also request that companies delete all their personal data.
Companies that fail to comply with the CCPA could face fines of up to $7,500. While this is a small amount, consumers are also able to bring lawsuits against companies. These fines and lawsuits will drive the demand for cyber insurance among companies operating in California and any international companies that hold Californian data.
Mandatory breach notification laws
Laws have been passed in a number of countries and regions whereby organisations must notify different entities whenever there is a security breach that relates to sensitive data.
All US states require organisations to notify residents of a security breach involving sensitive data such as Social Security numbers, financial account numbers, health or medical information, online account credentials, and biometric data, among others. When more than 500 individuals are affected, notice must also be provided to credit bureaus.
Under the GDPR, personal data breaches must be reported to the supervisory authority responsible for that entity. More serious data breaches must also be reported to the affected parties.
In Australia, entities regulated by the Australian Privacy Act are required to notify any individuals affected by a data breach that is likely to cause serious harm.
Cyber insurance providers should look to regions that are in the process of implementing such laws and provide their knowledge and expertise to potential new customers.
GlobalData is this website’s parent business intelligence company.