Too many French firms – even the big ones – have only recently begun preparing for GDPR 

Xavier leproux w

Too many companies in France – even the big ones – have only recently begun their preparations for the incoming General Data Protection Regulation (GDPR), insurance company Chubb warned StrategicRISK. Meanwhile the clock is ticking to 25 May for the enforcement of the new regime.

“Preparedness is low, even today,” revealed Xavier Leproux (pictured), senior underwriter for technical lines at Chubb, who leads the insurer’s cyber risk practice in Paris.

“Some firms are only just starting to think about important GDPR issues, such as setting up dedicated databases, with a dedicated person in charge,” Leproux warned.

Chubb has offered cyber risk insurance for the past 20 years. Research carried out by the insurer last year revealed that a lack of communication between various departments – particularly financial, risk and IT personnel – was stymieing good practice in cyber risk management.

“There is a tendency for risk management to think that IT risks are well managed by the IT department. The IT team is, naturally, very aware of cyber risk, but GDPR readiness should be reviewed by financial and HR functions,” said Leproux.

“The IT people are very focused on defending against malware and viruses, but they are rarely asked by senior management to think in terms of the financial losses or consequences of a cyber event that breaks through their defences. As far as the risk management team is concerned, it’s not their responsibility to consider the consequences of an IT event. So, it’s not a surprise that there has been poor communication,” continued Leproux.

When asked what he looks for, from an underwriter’s perspective, at a would-be client, Leproux highlights this communications issue. “Certainly, you expect IT to have the right security tools, the software, outsourcing, and business continuity plans. Those are all very important, but preparedness and communication between departments of insured is vital – risk management, IT, human resources and the chief information security officer (CISO) role,” he said.

While who “owns” the risk may vary from company to company, but it should not be left to IT. Senior management and the risk function need to help coordinate effective planning and awareness, he suggests.

“Preparedness for GDPR starts at the top and should cut across the whole business. IT and the risk function are important but so too is HR and many other departments because in one way or another they all deal with data and are therefore all responsible so they must coordinate together.”

He divides insurance solutions for cyber risk into two categories: one that covers property damage and business interruption (BI) costs arising from denial of service, outages or their effects down the supply chain; and the other, for insuring liability losses, such as lawsuits, settlements and compensation costs, that can arise from cyber-attacks.

High profile attacks such as WannaCry and NotPetya caused financial losses for many companies, prompting many new buyers – particularly manufacturing firms – to seek cyber risk insurance for their BI and liability risks, Leproux suggests.

“What keeps our clients awake at night is the unavailability of their IT systems, causing manufacturing systems to stop,” he warns, suggesting that while the liability costs of a huge data breach are important, BI is perceived by some as the real potential business killer.

Leproux explains that some big companies have increased the size of their towers of cyber insurance, with claims limits rising from a typical €10m a few years ago, to be in the hundreds of millions of euros. Down the scale, small- and medium-sized enterprises (SMEs) are buying limits up to around €1m. “The next step is for the much-smaller companies to buy up to €100,000 limits,” he added.