GDPR – The implications for cyber and Directors and Officers insurance

With the EU General Data Protection Regulation (GDPR) set to apply from 25 May 2018, businesses across the UK and Europe will be wondering what the regulation means for them and what type of insurance they will need once it is in force.
GDPR has increased interest in cyber insurance across Europe, particularly for protection against the insurable elements of the regulation and for breach response support. This article explains what GDPR is, who is liable, how it affects your current insurance policies and what you can put in place to protect yourself and your business.

The date for implementation of the EU's General Data Protection Regulation (GDPR) is fast approaching. From 25 May, businesses across the UK and Europe will have to meet strict rules governing the use of, and access to, individuals' personal data, or face penalties if they do not.
New rights for individuals include the right to access their data, the right to have it erased or corrected, and the right to object to profiling and direct marketing.
GDPR will have ramifications for all businesses, particularly those that are not compliant. Organisations that fail to meet the regulatory standards could face fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. That is a huge sum of money, and one that could put many businesses in financial difficulty.
Because of this, companies are now assessing how prepared they are for GDPR, both in terms of their data breach response plans and the personal data they already hold. As businesses look to ensure they are protected once the regulation applies, many will be examining which elements of GDPR are insurable, so that they have cover if they are found to be in breach of the legislation.

Will cyber insurance cover GDPR?

GDPR has increased interest in cyber insurance across Europe, not just to protect against the insurable elements of the regulation, but also for breach response support. Firms will have to notify the supervisory authority of a personal data breach and, where the breach is likely to result in a high risk to individuals, notify the affected individuals as well. Businesses should therefore be looking to purchase well-designed policies that cover IT, legal and PR assistance following a cyber-attack.
For companies holding large amounts of personal data, notifying individuals of a breach 'which is likely to result in a high risk to the rights and freedoms of individuals' will be expensive and time-consuming. These costs are insurable under a cyber policy, including follow-up credit and identity monitoring for those affected.
In addition, standalone cyber insurance will cover fines to the extent that they are insurable by law. However, the extent to which insurance proceeds can be used to recoup the cost of regulatory penalties under GDPR is a grey area that will need to be tested in the courts.
In terms of liability claims, anyone who suffers material or non-material damage as a result of an infringement will have the right to receive compensation from the company involved. A cyber policy will cover the defence costs and liability claims resulting from a breach of confidential information.
The financial consequences of a data breach will increase the loss estimates attached to data protection on a company's risk register. Risk managers should examine the effectiveness of cyber policies already bought, especially their indemnity limits. Whereas buyers of cyber policies used to start with limits of between £10 million and £20 million, some new buyers have recently been starting with cover in excess of £200 million.

Board liability for GDPR

Directors across the world are becoming increasingly concerned that they can be held personally liable for a cyber breach. For example, four cases have been brought against directors in America following attacks, including against executives of large corporations such as Target and Home Depot. Although all of those cases were dismissed or settled out of court, data breaches are now an established feature of corporate life, and cyber-related Directors and Officers litigation is expected to continue in the US.
Once GDPR is enforced, the question many European boards will be asking is whether this trend will be repeated here. The financial impact of a major data breach can be huge, with the average cost of a data breach reaching $4 million according to IBM. Directors are right to be concerned about their fiduciary obligations and should look at what they can do to protect themselves and the organisation should it suffer a breach.
An effective Directors and Officers policy that does not carry a specific exclusion for such claims will cover this exposure. It will be interesting to see whether there are any successful Directors and Officers claims arising from non-compliance with GDPR. Even where a claim is unsuccessful, cover for the cost of mounting a defence will prove useful.
No organisation will be exempt once GDPR is in force, and staff such as Risk Managers should be talking to their boards to educate them on how to ensure the organisation complies with the regulation. If directors can show that they take cyber security seriously and have robust defences in place, they limit their personal liability as well as helping to keep the organisation secure. One way to demonstrate a commitment to security is to purchase a robust cyber insurance policy that will protect the business's interests going forward.