GDPR to test cyber policies in Europe

From May 25, 2018, the new GDPR regulates the collection, storage, processing, access, use, transfer and erasure of personal data. It establishes responsibilities for the "controllers" and "processors" of personal data. In case of infringements, penalties can reach up to €20 million or up to 4 percent of the company’s worldwide annual turnover, whichever is higher.

“Until precedent is established it will prove tricky for the [cyber] market to affirmatively respond,” Jomaa explains.

At the end of 2016, global premium volume in cyber insurance was thought to be in excess of $4 billion, with around 80 percent coming from the US, according to Munich Re data. The other 20 percent was split between Europe and Asia, where the product is still catching up. Premium volume in Europe is expected to rise from $300 million in 2016 to $900 million in 2018 – a growth rate of 200 percent in two years, according to Munich Re estimates.

However, the cyber insurance market has yet to find out which aspects of GDPR current cyber policies will respond to. “Much of the focus has been around mandatory notification for loss of third-party data and the corresponding fines, which the cyber market has traditionally provided cover for,” Jomaa says.

But the scope of fines under GDPR will also extend to compliance-related issues such as erasure or export/import of data, and most cyber policies are worded to respond only to regulatory actions triggered by security or privacy events, Jomaa explains.

“Much of the discussion within the market has conflated all aspects of GDPR and may lead to brokers and their clients expecting coverage more akin to a regulatory indemnity policy, rather than specific regulatory action cover. Care should be taken when advising clients on the extent to which a cyber policy will respond to GDPR provisions that are not related to security of data,” he says.

Insurers have been writing cover for insurable losses on other lines, such as pollution liability or bodily injury cover, which attract attention from related regulatory bodies with the capability to issue fines, Jomaa notes.

However, “on none of these policies do we see coverage for fines or penalties in the same way as we see on cyber policies. The inclusion on the latter is a symptom of cyber wording templates being taken from the more commoditised US market, where coverage for fines or penalties is more prevalent, and applied in the wider international insurance market,” he says.

“Cyber policies have carried cover for regulatory fines and penalties for some time, but also carry exclusions for fines or penalties which are not insurable by law; such language is necessary as the insurability of such fines in the European Union is still unclear,” Jomaa explains.

GDPR fines only insurable in few countries

There are currently only a few jurisdictions in Europe where civil fines can be covered by insurance and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured, according to Aon and DLA Piper research. Criminal penalties are almost never insurable. GDPR administrative fines are civil in nature, but the GDPR also allows European member states to impose their own penalties for personal data violations, the report notes.

In 20 out of 30 reviewed jurisdictions GDPR fines would generally not be regarded as insurable, including the UK, France, Italy and Spain, the report states. In eight of the jurisdictions it is unclear whether GDPR fines would be insurable, Aon and DLA Piper note. In these jurisdictions, specific details around individual cases, for example, the conduct of the insured and whether the fine is classed as criminal, will need to be considered. GDPR fines are only insurable in Finland and Norway, according to the research.

"While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organisations,” Prakash Paran, partner at DLA Piper, commented in the report.

Whilst the insurability of GDPR fines may be limited, insurance forms a key component of an organisation’s risk management strategy to manage costs associated with GDPR non-compliance and resulting business disruption losses, the report noted. Such costs could include legal fees and litigation, regulatory investigation, remediation and other costs associated with compensation and notification to impacted data subjects.

Vanessa Leemans, chief commercial officer Aon Cyber Solutions EMEA, warned in the report: “GDPR will expose organisations to significantly higher risks related to how they manage and store personal data. Data breaches, and other cyber events could see businesses face both major fines and extensive costs. It is therefore essential that organisations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place.”