You may be paying for cyber insurance that will not cover the most significant cyber risks faced by your business.
Recent studies call into question whether a company can insure against the unprecedented huge fines for violating the complex and vague EU privacy law, the General Data Protection Regulation (GDPR), or whether such insurance would cover liabilities arising from the new class action suits available under the GDPR. Companies with international exposure should check their cyber insurance policies to determine coverage of EU fines.
According to an analysis conducted this summer by Aon, GDPR fines were found to be insurable in only two countries – Norway and Finland – out of the 30 European countries surveyed. In fact, in 20 of the 30 jurisdictions, including the UK, France, Spain and Italy, GDPR fines would specifically NOT be insurable. The other eight jurisdictions were less clear, and may depend on whether a GDPR fine is classified as civil or criminal.
Cyber insurer Marsh released a new report this month finding, “The question of insurability of GDPR fines and penalties in EU countries seems to depend largely on EU member state laws and ensuing judicial determinations; however, in the US, domicile may influence the ability to recoup fines and penalties.” Marsh observes that, in the U.S. market, most cyber policies are triggered by cyber incidents and cover legal advice, forensics and data subject notifications, and these policies were not written to “provide coverage for fines and penalties pertaining to organizational privacy practices and compliance” without an breach trigger.
The Marsh report writers observe, “Some carriers provide coverage for GDPR fines only on a case-by-case basis; others do so more broadly. Similarly, some require interested insureds to fill out additional underwriting questions or provide other supplementary information. The scope of coverage also varies, and negotiations regarding additional exclusion waivers or policy rewording may be required to ensure the policy responds as intended.” If you are uncertain which category your cyber insurance falls into, you should review the policy now before you need to use it.
This questions is not academic, as the GDPR provides for fines that could reach the greater of 20 million Euro or 4% of your gross annual global revenue. Further, as discussed in this recent article in Business Law Today (also written by Ted Claypoole), the GDPR includes unprecedented extraterritorial enforcement provisions, some of which are specifically designed to catch and penalize U.S. companies. The article also explains how all of the most significant rules of litigation are tilted against data holding companies where an EU regulator or EU data subject sues. The field is slanted so that there is almost no way to defend yourself.
Cyber insurance may be vital in such a situation. Womble Bond Dickinson will assist its clients by reviewing cyber insurance policies upon request and/or by speaking to your company’s insurer on your behalf.
This week, a spokeswoman for the British Information Commissioner’s Office refused to commit to whether their fines could be covered by insurance, and she admonished a Law360 reporter for even asking the question, saying “There is nothing in the GDPR which either permits or prohibits insurance cover against fines. A focus on insurance rather misses the point, and organizations should be looking to recognize the benefits of good information rights practice to their efficiency, reputation and competitive edge.”