Are GDPR non-compliance fines insurable or not?

Complying to the EU General Data Protection Regulation (GDPR), effective from 25 of May 2018, is currently one of the most challenging issues for many organizations. Even in the absence of a personal data breach incident, companies may face regulatory assessments resulting in fines and penalties. Moreover, companies operating on several territories, including the EU, may encounter situations interesting several jurisdictions with different legislation. How much can insurance help organization to manage this kind of operational risks?

While technological evolution enables companies to gather and manage huge volumes of information about their existing or potential customers, personal data have become a new, but very important class of assets in many businesses. Coincidentally, with GDPR, EU regulation concerning the personal data protection not only got extended scope and stronger provisions, but also provides for significantly increased enforcement powers to regulators. Shortly put, although data protection rules existed also before the GDPR, fines for a data breach were of considerable smaller values and enforcement actions infrequent.

Aon and the law firm DLA Piper have jointly released a report entitled "The price of data security - A guide to the insurability of GDPR fines across Europe". "GDPR fines can reach up to EUR 20 million, or up to 4% of a group's annual global turnover if higher," points out the report's introductory pages, adding that the "scale of these fines has understandably generated concern in boardrooms."

That being said, insurance coverage for the GDPR related financial risks that organizations face would be more than interesting and desirable. Typical cyber insurance policies - underlines the report -, only insure fines when "insurable by law", and stipulate that the insurability of fines or penalties shall be determined by the "laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties."

The Aon and DLA Piper report presents an overview of the European countries from the insurability and data regulatory tightness, as well as a series of case studies revealing the complexity that the international cyber scenarios may reach.

Source: DLA Piper

The current status: there is not a full superposition between the potential "GDPR risk" exposure and most of the insurance policies which are often triggered by privacy or security incidents; moreover, GDPR violations may be identified also without an actual privacy or security incident occurring (non-compliance, for example). In fact, one of the main questions arising is if GDPR non-compliance fines are insurable or not.

The answer varies from country to country, as legal rules governing insurability are often derived from public policy principles. Also, in international cases, it depends very much on the jurisdiction of choice, especially that not always parties' choice will prevail on other legal considerations.

According to the Aon and DLA Piper report, among the 30 European countries under consideration, only in Finland non-GDPR fines are insurable; in 19 countries they are non-insurable while in another 10 countries the situation is unclear.

GDPR fines are insurable in Finland and Norway, while in 20 countries such fines are clearly uninsurable. On the other hand, legal costs, other costs and liabilities following a data breach are insurable almost everywhere, except for Bulgaria and Poland, where the report's authors have market the current situation as unclear. Only 4 countries have a data regulatory environment which can be defined as "moderate": Bulgaria, Croatia, Lithuania and Malta.

In fact, in many countries where the GDPR fines were marked as uninsurable, insurance contracts covering administrative or criminal fines are not expressly prohibited, meaning that also GDPR fines may be theoretically covered by an insurance contracts. Yet, there is a high risk that contracts insuring against those fines will be unenforceable if "it is considered that the parties' intention was to avoid administrative or criminal sanctions. It is a condition of insurability that the loss was caused by circumstances beyond the control of the insured."

In conclusion, at least for the time being, insurance industry's potential contribution to managing GDPR related risks is somehow limited, especially when it comes about the non-compliance issues. On the other hand, GDPR enforcement is only in its infancy, leaving space for future developments. Lawyers will certainly have a word to say.

Last hour: At the latest AIRMIC Conference in Liverpool, Bermuda was mentioned by several sources as a potential extra-European choice for those looking for a jurisdiction where a policy might be used to pay out if a multinational were to be fined under GDPR by a European regulator. Singapore or Latin American countries as Mexico and Colombia are also possible destinations for placing this type of risk. Yet, although Bermuda is already "in use" as an underwriting jurisdiction for insuring the punitive fines issued by US state regulators, there is no guarantee that the experience may be replicated also in the European GDPR fines' case. As emphasized at the AIRMIC Conference, the GDPR legislation is too new to allow other than speculations over the real dimensions of the fines and any outcome of the legal procedures.

Access here the full "The price of data security - A guide to the insurability of GDPR fines across Europe" report by Aon and DLA Piper

Follow XPRIMM Publications on LinkedIn, for more data on the insurance and financial industry.

Share |

Related articles

The Insurance Business in Transition to the Cyber-Physical Market

What we generically call "Cyber risk" is, in fact, a family of risks and it is worth observing if there is a commonality in the perception - thus management - of the risk in the academic, risk management, insurance and policymaking communities. The present study found that cyber breach is perceived as "critical" due in part to its own nature and, importantly, in part to the weak understanding of its impact and our preparedness.


Hail and windstorms cause multi-billion global economic loss in June; draught may be this summer's nightmare for European farmers

Overall, extreme weather events led to a multi-billion dollar economic toll, of which insurers have to pay more than USD 3 billion in claims for US losses alone, the latest edition of Aon's monthly Global Catastrophe Recap report shows. Economic losses in the Central and South-Eastern Europe amounted some hundred million USD, but weather continued also in July, adding extra costs which may also amount to significant sums.


Swiss Re's sigma: The global insurance market slowed down in 2017; emerging markets and the US strengthening economy will lead future growth

Global insurance premiums increased 1.5% in real terms1 to nearly USD 5 trillion in 2017, after rising 2.2% in 2016, the latest sigma report reads. Growth in both the life and non-life sectors slowed. According to Swiss Re Institute next years will see the life insurance segment's premiums improving driven by the strong growth in the emerging markets, especially China, while the strengthening economy of the US will lead the non-life global market's development.


MENA: Fast growing insurance business outpacing economic growth min the region

Insurance markets of the Middle East and Northern Africa (MENA) are expected to continue outgrowing the region's GDP over the next 12 months. Personal lines business remains the key growth driver, with primary insurers benefiting from compulsory insurance requirements as well as regulatory actions supporting rates, the latest edition of the MENA Insurance Pulse reads.



Public insurers appoint Achim Bosch to reinsurer board

The supervisory bodies of Deutsche Ruckversicherung AG and the Association of German Public Insurers decided today, to appoint Achim Bosch (53) to the executive board of the two reinsurers, where he will be responsible for non-life reinsurance.



HOEPKE, Munich Re: I expect at least a stable renewal round in 2019

After severe storm damage in Japan and the United States, Munich Re is looking with a little more optimism to the next renewal season. "I expect at least a stable renewal round in 2019," Board member Doris HOEPKE said in Baden-Baden. Until recently the reinsurer's expectations were leaning towards a stagnant season.



Five new XPRIMM insurance reports on the Baden Baden stands

Five new titles are available this year on the XPRIMM Baden-Baden press stands opened in the Kurhaus Casino and in Baden Baden main locations, presenting the latest statistical data and comprehensive analysis for the CEE, SEE and CIS insurance markets.


See all