News

Partner Emmanuèle Lutfalla, Senior Associate Mathilde Gérot and trainee Simon Fitzpatrick discuss the use of General Data Protection Regulation (GDPR) in cyber risk insurance, in ITProPortal and PrivSec Report.

Emmanuèle, Mathilde and Simon’s article was published in ITProPortal, 26 March 2020, and PrivSec Report 27 March 2020 and can be found here and here respectively. Their article was also published in Actuarial Post, April 2020, and can be found here.

Just shy of GDPR’s two-year anniversary, businesses, from large multinationals to the corner store, must consider data protection in their operations. Faced with new requirements, such as data security, prudent owners and managers are seeing the true value in obtaining cyber risk insurance. Unfortunately, many of the existing cyber risk insurance products on the market are inadequate to respond to their clients’ cyber needs. One of the many lessons that we have learned from the recent Covid-19 experience is that technology has helped businesses keep operating. But the slapdash transition to working from home demonstrates that cyber security needs to be taken seriously and insurers need help in creating the bespoke products that can reassure businesses in the same ways that their other policies do.

Cyber risk insurance exists, but more data is needed to improve the insurance products

Of the existing cyber risk insurance policies, those that are geared towards small and medium sized businesses are standardised offers. But in order to better tailor these policies to cyber risks, insurers need to be able to update their models. For this purpose, insurers need large datasets, such as information related to data breaches so that they may properly calculate the loss/experience ratio. Once the actuaries may establish the ratio, the insurance carriers are able to draft their protection provisions and bring them to market.

Generally, cyber-risk policies offer three major guarantees: civil liability coverage, damage protection and support guarantees. In most contracts, the support includes crisis management and covering the fees associated with the notification requirements, third-party losses and operating losses. The advantage of these policies is that they may provide invaluable support to the insured before a data breach occurs. They may also provide invaluable insight for the insured to better adapt their data security. Indeed, according to Article 32 of the GDPR, insured must, in their capacity as controller or processor, “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

But, in order for actuaries to do their calculations, they need information regarding the insured’s quantifiable losses at an early stage. When an insured makes a claim on its policy, the insurer will dispatch experts in order to quantify the damage and to determine whether or not the damage is covered under the policy. Actuaries take this information in order to quantify potential risks and help improve the models. Once the information is compiled, insurers are then able to determine which risk is insurable and to what amounts. Thus allowing for better guarantees at reflecting adequate insurance premiums.

GDPR’s notification requirements may provide useful information, but more data must be made available

GDPR’s Article 33 establishes a legal requirement that data controllers and processors notify the supervisory authority within 72 hours of a data breach. The data controller or processor must provide the following information about the breach: the nature of the breach, i.e. whether the confidentiality, integrity and/or availability of the personal data is concerned, the categories and approximate number of affected data subjects, the categories and approximate number of affected categories of personal data, the number of records that were breached, the likely consequences of the breach, the measures taken to remedy the breach and, where appropriate, to limit the negative consequences of such breach. During a four-month period in 2018, France’s Data Protection Authority (the CNIL) recorded 742 data breach notifications. For France, minimal information is provided to the general public about the notifications, but this information does not seem likely to be sufficient in helping insurers better tailor their products and provide sufficient guarantees.

Part of the problem with revealing more information is that the information contained in a data breach notification may also be considered as personal data under GDPR. Personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” It is one of the reasons why the data breach notification database provided in open source mode by the CNIL does not go into much detail. Indeed, there is still uncertainty regarding what constitutes personal data under GDPR, such as about whether anonymised datasets are personal data or not. Also, due to the negative publicity surrounding data breaches and the potentially large amounts of money that could become quickly involved, businesses are reluctant to share data breach information with their insurance carriers.

While we applaud CNIL’s efforts in sharing information, there must be a better way to allow for insurers to have access to the necessary data. Using CNIL as an example, CNIL makes the names of data protection officers available and is becoming increasingly public about its activities with regards to sanctions and public warnings about misuse of data subjects’ personal data. Providing more information about the technical aspects of a data breach, while completely anonymising the data subjects personal data seems to be a balanced approach that could lead to better cyber-risk insurance and data security practices.

AI is a necessary tool for actuaries, but there is tension between AI and GDPR

Data is the lifeblood of AI. This was recently reaffirmed by the European Commission, while announcing its new EU data strategy with the publication of two papers, admitted that “the availability of data is essential for training artificial intelligence systems […] without data, there is no AI.”. However, GDPR restricts the uses of personal data, and is therefore hampering the development of AI in the EU. In particular, GDPR creates friction with machine learning. For example, several of its core principles, including purpose limitation and data minimisation, restrict the creation of large datasets. Therefore, even though the GDPR contains special exemptions on data use for statistical purposes, their definitions are ambiguous.

The Commission should clarify how GDPR’s personal data processing operations for statistical purposes can be used to facilitate innovation in machine learning.

Since statistics form the basis of actuaries’ work, they would benefit from an innovation-friendly interpretation of the GDPR’s provisions. Indeed, AI, and in particular algorithms trained on the basis of large datasets may help actuaries develop more accurate models and create the bespoke policies that the insurance market needs.

Conclusion

Recent events have taught us that major changes can come swiftly and the fallout may be difficult to manage if one is not prepared. Taking a proactive approach with regards to cyber-insurance seems to fall into this category. Insurance is an invaluable security, not only financial, but also for peace of mind. Offering cyber-risk policies is an excellent beginning to the challenges of data security. But as emerging threats to data security become more common, cyber-risk insurance needs to adapt.