8 MARCH 2019
AGENDA
Quantification & the need for Monitoring Risk – Burgess Cooper, E&Y
JLT is a global organisation of specialists and one of the world’s leading providers of insurance, reinsurance and employee benefits related
advice, brokerage and associated services.
Our collaborative approach enables us to share knowledge, solve problems and deliver the best solutions for our clients. We have the freedom
to take on new challenges, think creatively and capture opportunities that others may not. We always aim to do what is right for our clients, our
colleagues, our trading partners and our shareholders.
Focusing and growing in specialist areas where we offer distinctive products, services and independent choice, such as:
CONSTRUCTION (£100bn): JLT's London construction team manages the insurance requirements for projects globally with a value in excess of £100bn.
SPECIAL RISKS (60%): JLT has been broker to over 60% of the world's biggest sporting events over the last decade.
AEROSPACE (40%): Representing 40% of the world's airline operators with 10 or more aircraft in service.
REAL ESTATE (50%): Broker to more than 50% of all commercial properties in the City of London.
EMPLOYEE BENEFITS (UK's No.1): JLT is the UK's largest administrator of private sector pensions.
ENERGY (30%): JLT handles in excess of 30% of the world's mobile drilling rig fleet.
A data and security breach can have serious operational, financial, legal and reputational implications for an organization.
Costs associated with a privacy breach and a security breach, by cost category:
Identification: establishing the extent of the breach.
Notification & Response Management: notification letters; mailing and other transmission.
Public Relations: call center support; setting up an e-support mechanism.
Forensic Experts: forensic examination costs.
Legal Experts: response to third party liability claims; payment of settlements and court judgements.
Extortion Specialist Consultants: ransom negotiation; ransom payment.
Aadhaar Data Breach Largest in the World, Says WEF’s Global Risk Report
• Privacy has been recognized as a fundamental Constitutional right by the Supreme Court.
• Ministry of Electronics and Technology committee: the B.N. Sri Krishna Committee released the Draft Data Protection Bill.
Modeled on the EU GDPR and Chinese regulations, the act maintains similar fines for non-compliance and holds organizations responsible: a proposed fine of 2 - 4% of worldwide turnover OR INR 5 cr to INR 15 cr, whichever is higher.
This, if and when passed, should act as the one comprehensive legislation encompassing all industry-specific cyber laws.
• The Ministry of Health and Welfare: Digital Information Security in Healthcare Act ("DISHA"), which establishes a National eHealth Authority ("NeHA").
Cybersecurity Program Management Framework aligns with information security frameworks such as ISO 27001/2, NIST,
SANS, PCI DSS 3.0 and industry leading practices and regulations which help assess and improve your security posture
and program. These are also some of the things insurers look at while evaluating your risk.
EY CYBER PROGRAM MANAGEMENT ASSISTS WITH..
MATURITY RATINGS
5 - Optimizing
► Advanced capability is in place, using leading-edge technology and tools for all key resources and people; consistent process across regions and business units; effective governance is in place (accountability/responsibility/continual monitoring for improvement).
MATURITY ‘SPIDER GRAPH’ RATING
FOR ILLUSTRATION PURPOSE ONLY
Cyber Program Maturity Ratings (Domain category / Domain name / Client / Sector):
Govern / Governance and organization / 1.2 / 1.8
Govern / Strategy / 1.4 / 1.7
Govern / Policy and standards / 1.1 / 1.0
Complicate / Architecture / 1.4 / 1.4
[Spider graph: axes include Governance and organization, Strategy, Awareness, Policy and standards, Incident response; scale ticks 2.5, 3, 3.5.]
Legend: Better than peers in Diversified Industrial Products (DIP); Worse than peers in Diversified Industrial Products (DIP); At par with peers in Diversified Industrial Products (DIP).
EVOLVING REGULATORY SCENARIO
CURRENT REGULATORY CLIMATE
GLOBAL CHANGES WITH RESPECT TO NOTIFICATION/ FINES
EUROPEAN UNION
The General Data Protection Regulation has given data protection wider territorial scope, harsher sanctions (max
fines of EUR 20M or 4% of global turnover); broader investigative and corrective powers (on-site data protection
audits and public warnings/orders for remediation processes); and it has made it easier for individuals to claim
compensation.
The other changes resulting from GDPR include:
• A bigger variety of data covered by the regulations due to the broader definition of “any information relating to
an identified or identifiable natural person (data subject).”
• Suppliers and processors are now being directly regulated for the first time.
• Controllers are now responsible for ensuring that the data protection principles are complied with (they need clear
processes to help them meet tightened protocols for data collection)
• The legal requirements for data processing are now more difficult for companies to meet, so they need to be
more vigilant with processing checks.
• Increased focus on international information transfers by the media and regulators.
• Compulsory notification to supervisory authorities and victims within 72 hours of breach alerts and “without
undue delay” for high risk cases
• More transparency is required with the introduction of subject access rights (affecting individuals). Data subjects
now have the right to require information about the data being processed concerning them; access to data in
certain circumstances and the ability to correct inaccurate data.
• Companies now have to be more accountable, with thorough evidence of their compliance available for regular
inspection, and must appoint data protection officers.
EU member states retain the right to introduce their own laws, so companies need to stay on top of all the territorial
differences to see if the various laws impact their processing activities.
USA
Privacy and data protection regulation varies from state to state and can also depend on
industry. All individual state regulations address notification procedures, but some add further
requirements such as developing formal information security programs (MA) and encrypting payment
card information in transit (NV). Industry-specific legislation for data regulation includes:
• Health Insurance Portability and Accountability Act
• Gramm-Leach-Bliley Act (finance)
• Children’s Online Privacy Protection Rule
• Fair Credit Reporting Act
• Payment Card Industry Data Security Standard (retail)
Insurers are increasingly wary of providing broad cover for all US privacy regulations. As the amount
of resources allocated to privacy and data protection increases, the number of investigations and
resulting penalties is expected to rise. California has recently passed its own version of Europe's
GDPR, known as the California Consumer Privacy Act, which will come into effect in January
2020. The act applies to all companies that hold data on over 50,000 people and imposes fines of
USD 7,500 per violation.
The Federal Trade Commission (FTC) is the only body with the authority to investigate broad
violations of privacy or perceived misleading trade practices nationwide, and state Attorneys General have
the same authority at state level. The FTC steps in to enforce the rules predominantly when
companies have unlawful access to personal consumer information and use it in an illegal way.
It continues to engage with the global community and authorities to increase US companies'
awareness of correct privacy and data protection practices, ensuring their compliance.
AUSTRALIA
Data privacy and protection consists of both Federal and State/Territory legislation. The Federal
Privacy Act 1988 and Australian Privacy Principles (APPs) apply to private sector organisations that earn at
least AUS 3 million annually and to all Commonwealth Government and Capital Territory Government
agencies. The Australian Senate passed a bill establishing mandatory notification to the Privacy
Commissioner and victims of ‘eligible’ breaches, which came into effect in February 2018. The bill
affects the same people as the Privacy Act, plus foreign companies that deal directly with Australian
consumers and companies sending personal information offshore. Failure to comply could result in
maximum fines of AUS 1.8 million for serious and repeated offences. The bill has similar insurance
considerations as GDPR, but less extensive.
ASIA
The APEC Privacy Framework published in 2005 complements regional approaches to personal data
privacy, but these are only principles that aren't as enforceable as the GDPR. Recent law changes in
Singapore, Malaysia, China and South Korea show that regulation is becoming more of a priority
across the continent. Chinese data protection has advanced significantly, and South Korea, the
Philippines, Indonesia and Japan also have mandatory reporting requirements. As Asia’s economies
increasingly deal with the global community and trade across borders, they are increasingly reliant on
technology, so their regulations are likely to tighten. Hong Kong’s Privacy Commissioner for personal
data has announced a study of GDPR with a view to implementing something similar in the coming
years. The same incident response considerations as Europe and Australia apply. In Asia, it is also
customary to offer small amounts of compensation to consumers after a breach, so insurers may
consider extending cover for voluntary ‘settlements’ or ‘costs to proactively compensate consumers.’
CANADA
There is a patchwork of 28 different privacy laws on a federal and provincial level, which govern issues
like the protection of personal information, collection of data, online privacy and behavioural advertising.
The overarching federal law is the Personal Information Protection and Electronic Documents Act
(PIPEDA). In September 2017, regulations were also added to mandate breach reporting under
PIPEDA. There is increasing pressure for broader privacy laws to mirror GDPR, as there is currently
only an ‘adequate’ level of data protection during information transfers. Incident response coverage and
privacy violation considerations are the same as in Europe, but the wording should be as vague as
possible to encompass the patchwork of laws and to ensure that definitions aren’t too restrictive for
personal information.
LATIN AMERICA
Data protection and privacy rules across LatAm consist of both federal and local legislation. The
countries with specific data protection laws include Colombia, Brazil, Argentina, Mexico, Peru, Chile,
Nicaragua, Costa Rica, Panama, Uruguay and Paraguay.
The EU traditionally sets the bar for data protection regulation around the world and some obligations
can be applied in non-EU countries. Countries in regions outside of Europe can also decide to follow
GDPR obligations for the potential monetary benefits of being considered “adequate” for data transfers
from Europe. For this reason, the introduction of GDPR has had a knock-on effect in Latin America, with
their regulations becoming stricter and new bills being proposed that mirror some features of the
European legislation in Brazil, Argentina and Chile. This is bringing a new level of consistency to the
global community’s data protection and privacy laws, but companies should still be aware of the
different regional wording and requirements.
• Cyber Extortion
• Outsourcing Liability
• Antitrust
• Intellectual Property
• Securities Claims
• Terrorism / War
• Uninsurable Loss
Recent Enhancements
• Network Security coverage
Disclaimer: Insurance is the subject matter of solicitation. The information contained in this publication is based on sources we believe are reliable; however, we do not
guarantee its accuracy. This information provides only a general overview of the subjects covered; it is not intended to be taken as advice regarding any individual situation or as
legal, tax, or accounting advice, and should not be relied upon as such. Recipients of this publication should consult their own legal and other advisors regarding specific
coverage and other issues.
For more details on risk factors, terms and conditions, please read the sales brochure carefully before concluding a sale.
Authorised and regulated by the Insurance Regulatory and Development Authority of India (IRDAI). An associate of the
Jardine Lloyd Thompson Group. JLT Independent Insurance Brokers Private Limited, +91 22 4510 5900,
www.jltindependent.com