Cyberattacks have gradually become one of the most imminent threats to businesses. They may not only severely disrupt business processes or lead to substantive losses but can also cause irrevocable damage to companies' reputation.
Last month saw the deadline for member states to incorporate the EU Directive on network and information security (“NIS”) into local law. The NIS requires companies in key sectors to have minimum cybersecurity measures in place. The Czech Republic was ahead of the curve and transposed the NIS into law, effective from 1 August 2017. Companies in strategic sectors – including utilities, banking, healthcare and others – will need to actively deal with cybersecurity and prevent any security risks. In addition, security attacks will need to be assessed and reported to the authorities as soon as possible. A breach of duties may result in a fine of up to five million Czech crowns (EUR 200,000).
One way to help meet the requirements under law is to take out specialised cybersecurity insurance. Although the benefits of such a product are clear, with the change of Czech legislation almost reaching its first anniversary, the options for obtaining such insurance on the Czech market remain limited.
Cybersecurity insurance is a novel product for which continuous innovation is vital, alongside the fast growth rate and complexity of cyber-crime. It is designed to give the insured the much-needed access to lawyers, risk management specialists, IT experts and other professionals who will adequately structure both a solid strategic prevention plan and an incident response action plan for cases in which a cyberattack actually occurs. Risk assessment for the purposes of individual insurance schemes should reflect factors such as the area of business activity, geography, internal information services, data protection, and network security. The insurance should therefore be custom-built per enterprise.
Despite the number of cyberattacks being lower in the Czech Republic in comparison to other CEE countries, there is a growing demand for the development of proper cyber-liability insurance products. The damage caused by cyberattacks is exacerbated by the GDPR coming into effect on 25 May 2018, and in many cases needs to be addressed immediately.
At this point, only a handful of companies in the Czech Republic offer such services and most products still have a very narrow scope, focusing on insuring natural persons rather than companies. The introduction of the GDPR serves as an incentive for insurers to fill the gap in the cyber market. Consequently, insurance products related to GDPR risks, which are essentially cybersecurity insurance products specific to data protection, are starting to emerge.