The European Union’s looming General Data Protection Regulation (GDPR) will require mandatory notification of serious data breaches and potentially massive fines for failure to comply. That’s the bad news.

The good news is that the GDPR, to be rolled out in May 2018, likely will create a marked growth in cyber insurance revenues and “a shot in the arm” for the non-U.S. cyber market, said A.M. Best in a new report.

The ratings agency admitted there is still uncertainty about the insurability of administrative penalties issued under the new regulation.

However, stricter reporting of data breaches will increase transparency and spread risk awareness from major corporations to small and medium-sized enterprises (SMEs), which will create higher demand for insurance protection, said the report, titled “GDPR: Implications for European Insurers and the Cyber Insurance Market,” published on July 6.

This growth trend is being reinforced by high-profile cyber breaches such as the WannaCry and Petya ransomware attacks, which spread across the globe in May and June of this year, A.M. Best continued.

Indeed, demand for cyber insurance increases after every reported breach, said the ratings agency, quoting a report it published on June 22, titled “Cyber Line Expected to Be One of the Leading P/C Growth Areas.”

Coverage is estimated to increase to US$20 billion by 2020 from the current level of US$7.5 billion, said A.M. Best.

Rising Cyber Insurance Supply

“In the medium term, as more and more reliable data becomes available, with positive implications for pricing models, insurance supply should gain momentum,” said the report.

Re/insurance companies expect new products to make an appearance, such as liability cover for new technology and connectivity risks, but a far greater role is expected to be played by existing products, A.M. Best said, explaining that industry observers indicate that carriers currently have untapped capacity in cyber insurance.

“Interestingly, some market participants suggest that insurers will refrain from inserting additional exclusion clauses in their policies as a result of the GDPR, as new entrants increase competitive pressures in the cyber insurance market,” said the report.

Source: A.M. Best