To facilitate the development of the EU cyber-insurance market, insurers should have access to anonymised data collected under the EU’s General Data Protection Regulation (GDPR) and Network Information Security Directive.

Insurance Europe has developed a template for breach notifications under the GDPR. It is easy to use and allows the information to be compared across sectors. The data gathered would be anonymised but sufficiently granular to be of use to insurers.

One obligation under the GDPR is for companies to notify (personal) data breaches to their supervisory authority.

Insurance Europe has developed a template that could make it easier and quicker to report breaches. And the standardised format could enable supervisors to share incident data across borders and to better detect trends in cyber threats.

The template is set up in such a way that the information can be shared without the need to be anonymised or aggregated, as it will not be possible to identify the company through the information submitted.

Currently, the lack of available information on cyber events hampers efforts to defend against cyber attacks. For example, lack of data limits insurers’ ability to offer cyber-risk cover and related services. This could change if insurers were granted access to the (anonymised) data gathered by supervisory authorities.

How it works

The template has three sections:

1. Personal details and information on the affected company (not to be shared with third parties).
2. Details on the data breach incident to be sent to the national supervisory authority, where feasible, within 72 hours (as per Article 33 of the GDPR).
3. A section to be completed following the 72-hour period when more information is available on the data breach.

The multiple choice answers or numerical fields in sections 2 and 3 aid comparison of the information between companies and sectors, and ensure anonymity.