First published in POST Magazine

New rules on data protection will come into force in Europe next year. Sergio Pierro is a Professional Indemnity underwriter for International Financial Lines at XL Catlin, based in Paris, and focuses on cyber among other insurance coverages. He explains how companies can get ready for the changes ahead.

The General Data Protection Regulation will come into force in May 2018. What are the implications for European companies?

Firstly, because the regulation will apply consistently across the whole of Europe, it will mean that all data will need to be treated in a uniform way. All types of companies, even SMEs that handle any form of personal data, will fall under the scope of the new rules. To be compliant, most companies must designate a Data Protection Officer (DPO). Many larger companies, it should be noted, already have a DPO. In cases of data breach, the potential sanctions are onerous - companies may be fined up to 4% of their annual worldwide turnover or up to 20 million Euros, whichever is greater. Furthermore, companies will be required to notify their country’s supervisory authority without delay (and where feasible within 72 hours of having become aware of a breach).

One of the main changes that the regulation will introduce is the concept of the right to erasure, which will allow individuals to request the removal of their data under certain circumstances, and rights on data portability. Because the regulation is designed to protect the data rights of EU citizens, once a company holds the data of an EU citizen – even if it itself is not based within the EU – then it will need to comply with the new rules. For example, U.S. companies also will be impacted by the General Data Protection Regulation (GDPR) and will need to be up to speed with the law and how it concerns the EU data they hold.

What are companies doing to get ready for the new rules?

We have been seeing increased interest in data encryption especially, for example, when data is transmitted from one office to another. We also are seeing increased use of separate data centres, and more interest in the physical security of places where personal data are stored. In addition, clients are asking questions about the way data is accessed – and whether that access could or should be restricted. Companies also are reviewing the security access to IT systems and are strengthening, for example, their login access policies as well as their virtual private network access.

Is there increased interest in cyber coverage?

The impact of the regulation already is being felt, and companies are more and more interested in buying coverage for their cyber risks. Until a couple of years ago, many companies were simply investigating how much cyber coverage would cost. But in the past 18 months, we have been receiving many more requests for cyber programs. This increased interest is due in part to the upcoming GDPR but also to recent high-profile cyber-attacks which have alerted many clients to the potential of this coverage. The European market is beginning to catch up with the U.S. market where cyber insurance has been on offer for more than 15 years and where breach reporting requirements have, up until now, been stricter.

The crisis management element of the cyber policy is the area that interests many clients the most. Cyber coverage allows clients to benefit from the expertise of IT forensics or legal counsellors when there is a breach or in the case of cyber extortion, for example. This coverage is usually granted with no sublimit or deductible within a pre-approved period of time.

What do clients need to be aware of when considering cyber coverage?

The key word here is education: brokers need to spend time with clients to discuss the risks and what is at stake. They need to help them understand their exposure, regardless of the size or the activity of the company. Cyber coverage can be a standalone policy or an extension to existing policies. In many cases, standalone coverage is likely to be more suitable so that policy sublimits are not exhausted.

About the author

Sergio Pierro is a Professional Indemnity Underwriter at XL Catlin. He can be reached at


