In a previous post, we mentioned that certain regulations, including the GDPR, assume guilt on the part of a commercial entity, that then has the onus placed upon it to prove innocence in order to avoid severe financial penalties.
Companies may seek to mitigate the risk of punitive fines through insuring against such negative impacts upon the business. However, it is not as clear cut as to whether insuring against this is actually a means that will result the desired management of said risks.
To what extent then, if any, can you insure against the effects of a data breach with the consequent impact of regulatory financial penalties?
In theory, there is value is to be found in cyber policies when it comes to covering for the costs of responding to a data breach or cyber-attack, dealing with related third party claims and complaints and repairing damaged software for example.
However, the vast majority of cyber policies will provide cover for fines and penalties “to the extent insurable by law”. This leaves the question of whether fines imposed by a data Regulator are insurable under the laws of the country concerned and this is by no means clear.
A regulator may impose a fine as a result of criminal conduct on the part of a company and this it will not be insurable. The logical path from this is that where a company is found to have intentionally, recklessly and/or negligently breached the terms of the data protection legislation, it is very likely that any subsequent fine will be uninsurable.
By contrast, it could be argued that in the case of a highly sophisticated, novel (and previously unseen by the security community) cyber-attack the company’s conduct cannot be open to criticism, it is not yet clear whether a resulting fine is recoverable since there has not been a criminally negligent action on the part of the insured.
Loss adjusters may be used, in conjunction with I.T. security specialists, to check that the insured’s systems have been maintained, secured and had the appropriate security patches and updates applied in a timely manner. A failure at this point may cause the settlement to fail entirely or in part.
In the two major UK cases of British Airways and the Marriott hotel group, the Regulator (ICO) imposed the financial penalty due to customer data being “compromised by poor security arrangements at the company”. By contrast, in the Marriott case, it was not a failure of existing operations that was the cause of the fine, but that the company had “failed to undertake sufficient due diligence” when it purchased a company which had suffered the cyber-attack(Starwood Hotel Group). In both instances, the size of the fines was such that the ICO clearly believed the failures were criminally negligent and as such these fines are more unlikely to be insurable under the applicable law in the UK.
If this is the case, then it follows that ICO fines for breach of GDPR are probably uninsurable under English law. Whether this is the case for all jurisdictions is still unclear, given the lack of cases and judicial precedent to provide guidance. Thus, in practice, there are significant obstacles to recovery since there is such a great variation in the legal and insurance position, according to various jurisdictions.
The Global Federation of Insurance Association has requested the OECD for clarity, since “there is international confusion as to the insurability of fines and penalties. OECD work to clarify this issue would benefit consumer and insurer contract certainty”.
It is essential that companies understand fully where their exposures lie and work closely with their risk carrier to ensure there is an appropriate risk transfer solution and to have an incident response plan tested and in place.
While the insurability of GDPR fines may be limited, or even excluded following further clarity on the issue, insurance should form a part of an organization’s risk management strategy in order to mitigate the costs associated with GDPR non-compliance and resulting business disruption losses. Costs may include legal fees and litigation, regulatory investigation, remediation, other costs associated with compensation and notification to impacted data subjects and also for reputational damage requiring PR and increased advertising costs.
In principle, there may be several routes to recovering costs, such as direct indemnity claims under E&O policies, or an indirect claim against professional advisers, directors and/or employees under the respective D&O or E&O policies.
With the current uncertainty and the changes to policy limits and exclusions being ongoing, what is clear is that a comprehensive ability to provide auditable proof of compliance is certainly required of all companies.
Data Risk Foresight can assist through the implementation of our CyCalc software solution. This uses client-specific data, external data and actual threat data to extrapolate and quantify business process financial exposures. It also provides “what-if” capability in order to model scenarios and changes made to systems and processes.
Using CyCalc gives clearly demonstrable intent to comply, through being able to identify those risks and their values. The historic data plots over time your security maturity, further strengthening arguments against negligence.
Knowing risks and their financial values facilitates risk management, risk transfer and mitigation. In this increasingly regulated environment, such data has become of even greater importance.