Companies banking on cyber insurance to protect themselves against the harsh penalties due under GDPR could be in for a shock, amid claims that many legal firms believe that the monetary penalties will be impossible to cover.
According to CFC Underwriting, the ‘fear factor’ of a costly cyber attack drove UK adoption of cyber insurance up 50% in 2016 and globally the market is currently worth over $2.5bn – a figure which is expected to rise significantly as firms wake up to the reality of life under GDPR.
But a panel discussion on cyber risk held at the Reactions London Market Re/Insurance Conference heard that there are still considerable “grey areas” around using insurance to cover GDPR fines.
Under the new regime, there will be a two-tiered sanction system. Lesser incidents will be subject to a maximum fine of either €10m (£7.9m) or 2% of an organisation’s global turnover (whichever is greater), while the most serious violations could result in fines of up to €20m or 4% of turnover (whichever is greater).
Speaking at the event, Gavin Lyons, leader of the corporate account handlers at insurance giant JLT, said that privately most law firms say they think GDPR fines are uninsurable. “They’re not willing to put that in writing, of course, but they are waiting for a test case,” he added.
And Mark Camillo, head of cyber insurance in Europe at AIG and head of its CyberEdge product, agreed, citing the fact that, because criminal proceedings can be brought against the businesses affected, the insurance cover could be void.
Not that fines are the only thing that cyber insurance covers; most policies also include provisions for crisis management, such as expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, and legal costs.
They also cover third-party damages, including website defacement and intellectual property rights infringement, extortion liability cover, and network security liability.
However, there is also the matter of how much insurance firms are willing to cover; according to Camillo the largest standalone cyber policy placed by AIG in Europe currently has a £400m limit, a figure which would not even scratch the surface of the costs for some multinationals which have global turnovers of tens of billions of pounds.
For instance, the recent data breach at the Hutchison Whampoa-owned Three Mobile could have triggered an eye-watering fine of $2.2bn (£1.8bn) based on its parent company’s global turnover of $53bn (£43bn).