Aon and global law firm DLA Piper have reviewed the insurability of risks related to the European Union’s (EU) General Data Protection Regulation (GDPR), finding that fines would typically not be insurable, although associated legal costs could be covered.
The GDPR, which becomes effective on 25 May 2018, allows regulators to fine companies up to €20 million – or, if higher, up to 4% of a group’s annual global turnover – for breaches of data security or non-compliance with the regulation.
However, Aon and DLA Piper found that few jurisdictions in Europe permit civil fines or criminal penalties to be covered by insurance, and, even then, there must be no deliberate wrongdoing or gross negligence on the part of the insured.
Of the 30 countries reviewed, just two (Finland and Norway) would allow GDPR fines to be insured, although insurability remained unclear in a further eight jurisdictions, which would assess the legality of such cover on a case-by-case basis.
Nevertheless, re/insurance will remain an important component in the risk management strategy of organisations hoping to mitigate costs associated with GDPR non-compliance and resulting business disruption losses.
The review proposed that insurable losses could include legal fees and litigation, regulatory investigation, remediation, costs related to compensation and notification of impacted data subjects, and damage to reputation and market position.
Vanessa Leemans, Chief Commercial Officer, Aon Cyber Solutions EMEA, commented: “GDPR will expose organisations to significantly higher risks related to how they manage and store personal data. Data breaches, and other cyber events, could see businesses face both major fines and extensive costs.
“It is therefore essential that organisations fully understand where their exposures lie. They should work closely with their insurance partners to ensure they have an appropriate risk transfer solution and incident response plan in place.”
Prakash (PK) Paran, Partner and Co-Chair, Global Insurance Sector at DLA Piper, added: “While there are only a few jurisdictions where GDPR fines are insurable, insurance against legal costs and liabilities following a data breach is widely available across Europe and may provide valuable cover to organisations.
“However, corporate groups still need to consider reputational damage and impact on existing customers, the wider market, and their relationships with regulators, all of which may go beyond quantifiable financial losses. Prevention is better than the cure.”