GDPR already influencing cyber insurance buying

04 July 2017

As companies struggle to prepare for the EU’s General Data Protection Regulation (GDPR), European companies are increasingly turning to cyber insurance.

We have experienced a noticeable up-tick in demand for cyber insurance from European companies ahead of the GDPR. And the prospect of stricter data protection laws has also seen a move towards higher limits, especially among first time buyers.

Previously, buyers of cyber insurance would often test the water with limits starting at 10 to 20 million, but we have recently observed new buyers starting out with programs as large as GBP 275 million.

Material Fines

From 25 May 2018, the GDPR will place a raft of data protection requirements on organisations and increase the powers of data protection regulators. Penalties for breaching data protection laws will rise significantly while companies will be required to notify regulators and consumers of significant data breaches.

For serious breaches, firms will have to pay fines of up to 4% of their global annual turnover, or EUR 20 million, whichever is the greater. This suggests that companies can expect much larger fines under the new regime. For example, TalkTalk was fined GBP 400,000 for its October 2015 data breach. Under the GDPR the fine could have been more like GBP 59 million.

According to analysis by Oliver Wyman, FTSE 100 companies could face fines of up to GBP 5 billion for breaches of the GDPR. Had the regime been in place for the past five years, the top listed UK companies could have been fined GBP 25 billion, it said.

A separate survey from Consult Hyperion predicts that GDPR fines could cost European banks USD 5.2 billion in the first three years (not including compensation, lost business and damage to reputation). The company expects to see 120 breaches resulting in million-euro-fines, with several fines in triple digits.

Finding Solutions

The insurability of fines for breaches of the GDPR has been a key focus for many of our cyber insurance clients.

Standalone cyber insurance will cover fines to the extent they are insurable by law. However, the extent to which insurance proceeds can be used to recoup the costs of regulator penalties under the GDPR is a grey area and one that will need to be tested in the courts.

One strategy adopted by some companies has been to shift some of their excess cyber insurance capacity to the Bermuda market. Since the Bermuda regulators do not prohibit payment of fines and punitive damages, insureds have a greater chance of recovering such fines from their Bermuda-based insurers. The cost tends to be only incrementally higher, and the capacity functions just as it would on an excess basis if purchased in the insured’s home country.

Compliance Challenge

Recent surveys paint a mixed picture of GDPR readiness. Some companies may not be taking the GDPR seriously enough, even those that are finding compliance challenging. 

Three quarters of organisations surveyed by Varonis Systems say they will struggle to meet the May 2018 deadline. The survey of IT decision makers in the UK, Germany, France and the US also found that 42% do not even view compliance with the GDPR as a priority.

Half of those surveyed say they are struggling with ensuring the security of information while one third of respondents had not yet conducted a data impact assessment in order to determine who has access to personal data.

In March, a survey from Crown Records Management found that one in four UK businesses have cancelled all preparations for the GDPR on the mistaken belief that it will not apply after Brexit. Worryingly, 44% of those surveyed said they didn’t think the regulation will apply to UK business after Brexit.

This is despite warnings from the Information Commissioner’s Office that it intends to implement the GDPR in the US by the deadline, and that UK data protection laws after Brexit will be aligned to those of the EU.

Download Cyber Decoder – June 2017

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on