Are GDPR non-compliance fines insurable or not?

Complying with the EU General Data Protection Regulation (GDPR), effective from 25 May 2018, is currently one of the most challenging issues for many organizations. Even in the absence of a personal data breach incident, companies may face regulatory assessments resulting in fines and penalties. Moreover, companies operating in several territories, including the EU, may encounter situations involving several jurisdictions with different legislation. How much can insurance help organizations manage this kind of operational risk?

While technological evolution enables companies to gather and manage huge volumes of information about their existing or potential customers, personal data have become a new but very important class of assets in many businesses. Coincidentally, with the GDPR, EU regulation concerning personal data protection not only gained an extended scope and stronger provisions, but also gives regulators significantly increased enforcement powers. In short, although data protection rules also existed before the GDPR, fines for a data breach were considerably smaller and enforcement actions infrequent.

Aon and the law firm DLA Piper have jointly released a report entitled "The price of data security - A guide to the insurability of GDPR fines across Europe". "GDPR fines can reach up to EUR 20 million, or up to 4% of a group's annual global turnover if higher," points out the report's introductory pages, adding that the "scale of these fines has understandably generated concern in boardrooms."

That being said, insurance coverage for the GDPR-related financial risks that organizations face would be more than interesting and desirable. Typical cyber insurance policies, the report underlines, only insure fines when "insurable by law", and stipulate that the insurability of fines or penalties shall be determined by the "laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties."

The Aon and DLA Piper report presents an overview of the European countries in terms of insurability and data regulatory tightness, as well as a series of case studies revealing the complexity that international cyber scenarios may reach.

Source: DLA Piper

The current status: there is no full overlap between the potential "GDPR risk" exposure and most insurance policies, which are often triggered by privacy or security incidents; moreover, GDPR violations may also be identified without an actual privacy or security incident occurring (non-compliance, for example). In fact, one of the main questions arising is whether GDPR non-compliance fines are insurable or not.

The answer varies from country to country, as legal rules governing insurability are often derived from public policy principles. Also, in international cases, it depends very much on the jurisdiction of choice, especially as the parties' choice will not always prevail over other legal considerations.

According to the Aon and DLA Piper report, among the 30 European countries under consideration, non-GDPR fines are insurable only in Finland; in 19 countries they are non-insurable, while in another 10 countries the situation is unclear.

GDPR fines are insurable in Finland and Norway, while in 20 countries such fines are clearly uninsurable. On the other hand, legal costs, other costs and liabilities following a data breach are insurable almost everywhere, except for Bulgaria and Poland, where the report's authors have marked the current situation as unclear. Only 4 countries have a data regulatory environment which can be defined as "moderate": Bulgaria, Croatia, Lithuania and Malta.

In fact, in many countries where GDPR fines were marked as uninsurable, insurance contracts covering administrative or criminal fines are not expressly prohibited, meaning that GDPR fines may also theoretically be covered by an insurance contract. Yet, there is a high risk that contracts insuring against those fines will be unenforceable if "it is considered that the parties' intention was to avoid administrative or criminal sanctions. It is a condition of insurability that the loss was caused by circumstances beyond the control of the insured."

In conclusion, at least for the time being, the insurance industry's potential contribution to managing GDPR-related risks is somewhat limited, especially when it comes to non-compliance issues. On the other hand, GDPR enforcement is only in its infancy, leaving space for future developments. Lawyers will certainly have a word to say.

Latest update: At the latest AIRMIC Conference in Liverpool, Bermuda was mentioned by several sources as a potential extra-European choice for those looking for a jurisdiction where a policy might be used to pay out if a multinational were to be fined under GDPR by a European regulator. Singapore or Latin American countries such as Mexico and Colombia are also possible destinations for placing this type of risk. Yet, although Bermuda is already "in use" as an underwriting jurisdiction for insuring the punitive fines issued by US state regulators, there is no guarantee that the experience can be replicated in the case of European GDPR fines. As emphasized at the AIRMIC Conference, the GDPR legislation is too new to allow anything other than speculation over the real dimensions of the fines and any outcome of the legal procedures.

Access here the full "The price of data security - A guide to the insurability of GDPR fines across Europe" report by Aon and DLA Piper
