Are GDPR non-compliance fines insurable or not?

Complying with the EU General Data Protection Regulation (GDPR), effective from 25 May 2018, is currently one of the most challenging issues for many organizations. Even in the absence of a personal data breach incident, companies may face regulatory assessments resulting in fines and penalties. Moreover, companies operating in several territories, including the EU, may encounter situations involving several jurisdictions with different legislation. How much can insurance help organizations manage this kind of operational risk?

While technological evolution enables companies to gather and manage huge volumes of information about their existing or potential customers, personal data have become a new but very important class of assets in many businesses. At the same time, with the GDPR, EU regulation on personal data protection has not only gained an extended scope and stronger provisions, but also provides regulators with significantly increased enforcement powers. Put shortly, although data protection rules existed before the GDPR, fines for a data breach were of considerably smaller value and enforcement actions were infrequent.

Aon and the law firm DLA Piper have jointly released a report entitled "The price of data security - A guide to the insurability of GDPR fines across Europe". "GDPR fines can reach up to EUR 20 million, or up to 4% of a group's annual global turnover if higher," points out the report's introductory pages, adding that the "scale of these fines has understandably generated concern in boardrooms."

That being said, insurance coverage for the GDPR-related financial risks that organizations face would be more than interesting and desirable. Typical cyber insurance policies, the report underlines, only insure fines when "insurable by law", and stipulate that the insurability of fines or penalties shall be determined by the "laws of any applicable jurisdiction that most favors coverage for such monetary fines or penalties."

The Aon and DLA Piper report presents an overview of the European countries in terms of insurability and data regulatory tightness, as well as a series of case studies revealing the complexity that international cyber scenarios may reach.

Source: DLA Piper

The current status: there is no full overlap between the potential "GDPR risk" exposure and most insurance policies, which are often triggered by privacy or security incidents; moreover, GDPR violations may also be identified without an actual privacy or security incident occurring (non-compliance, for example). In fact, one of the main questions arising is whether GDPR non-compliance fines are insurable or not.

The answer varies from country to country, as the legal rules governing insurability are often derived from public policy principles. In international cases it also depends very much on the jurisdiction of choice, especially since the parties' choice will not always prevail over other legal considerations.

According to the Aon and DLA Piper report, among the 30 European countries under consideration, only in Finland are non-GDPR fines insurable; in 19 countries they are non-insurable, while in another 10 countries the situation is unclear.

GDPR fines are insurable in Finland and Norway, while in 20 countries such fines are clearly uninsurable. On the other hand, legal costs, other costs and liabilities following a data breach are insurable almost everywhere, except for Bulgaria and Poland, where the report's authors have marked the current situation as unclear. Only 4 countries have a data regulatory environment that can be defined as "moderate": Bulgaria, Croatia, Lithuania and Malta.

In fact, in many countries where GDPR fines were marked as uninsurable, insurance contracts covering administrative or criminal fines are not expressly prohibited, meaning that GDPR fines may also theoretically be covered by an insurance contract. Yet there is a high risk that contracts insuring against those fines will be unenforceable if "it is considered that the parties' intention was to avoid administrative or criminal sanctions. It is a condition of insurability that the loss was caused by circumstances beyond the control of the insured."

In conclusion, at least for the time being, the insurance industry's potential contribution to managing GDPR-related risks is somewhat limited, especially when it comes to non-compliance issues. On the other hand, GDPR enforcement is only in its infancy, leaving space for future developments. Lawyers will certainly have a say.

Latest: At the most recent AIRMIC Conference in Liverpool, Bermuda was mentioned by several sources as a potential extra-European choice for those looking for a jurisdiction where a policy might be used to pay out if a multinational were to be fined under the GDPR by a European regulator. Singapore or Latin American countries such as Mexico and Colombia are also possible destinations for placing this type of risk. Yet, although Bermuda is already "in use" as an underwriting jurisdiction for insuring punitive fines issued by US state regulators, there is no guarantee that the experience can also be replicated in the case of European GDPR fines. As emphasized at the AIRMIC Conference, the GDPR legislation is too new to allow anything other than speculation over the real size of the fines and the outcome of any legal procedures.

Access the full "The price of data security - A guide to the insurability of GDPR fines across Europe" report by Aon and DLA Piper here.
