Is your Cyber Insurance GDPR-ready?

Published: 10/04/2018

The new General Data Protection Regulation brings a duty to report data breaches, with widespread implications and new financial risks:

  • 72-hour breach reporting deadline 
  • Fines of up to 4% of turnover or €20m
  • Personal data leaks likely to trigger follow-on claims 
  • Footing the bill for costly breach investigations

Don’t make the mistake of assuming your Directors & Officers insurance will pick up the tab if you fall foul of this regulation or suffer a data breach. It’s highly unlikely an off-the-shelf policy will protect a typical innovative or disruptive business in the Cambridge hub. Cyber insurance is a complex area and is something that needs to be tailored to your particular risk exposures – based on your business plan.

Last year’s major cyber security incidents include:

  • The “WannaCry” ransomware attack (losses of $8bn worldwide)
  • The data of 87m Facebook users being shared with Cambridge Analytica, without their knowledge
  • The “Petya” infection of a major law firm’s global IT network
  • Hundreds of thousands of customer details being seized from Wonga and Three Mobile amongst others

Increased Risks under GDPR:

  1. Mandatory reporting of data breaches is likely to put businesses at greater risk of enforcement and civil litigation after a cyber security incident - whether resulting from malware, rogue employees or poor security of third parties holding their data.
  2. Investigation costs: with a massively expanded workload as breach reporting spirals upwards, the ICO is likely to outsource part of its investigative role to the companies reporting data breaches. Businesses may be called upon to assist the ICO and other law enforcement agencies to investigate the nature, source and ramifications of cyber security incidents.
  3. Reliance on data: as the volume of data increases, so too does the value (and vulnerability) of holding data for business. 
  4. Cyber security threats are multiplying daily.
  5. Reputational risk is a significant threat to balance sheets and to building trust with your market.  
  6. Larger fines: to date, the largest fine imposed by the ICO was £400,000 on TalkTalk, in August 2017. Under the GDPR, the fines can reach up to 4% of annual turnover. 
  7. Civil follow-on claims: as well as regulatory enforcement, civil claims may be brought against businesses as a result of cyber security incidents. The climate of transparency is likely to increase the frequency of such follow-on claims.

Civil Claim Case study:

The recent judgment in Various Claimants v WM Morrisons Supermarket plc marked the first data leak collective action in the UK and may have been the tip of the iceberg. The court held that Morrisons was vicariously liable for the criminal leak of personal information by one of its employees, even though he acted maliciously to damage the company. This precedent clearly increases the litigation risk that employers must take into account when designing their cyber-security systems and processes.

 

How can business leaders prepare?

  1. Identify cyber security risk via a thorough business analysis
  2. Create an incident response plan (to include ongoing cooperation with the ICO and police)
  3. Train staff* in cyber security measures
  4. Undertake a full review of Cyber Insurance protection

 

How can Cyber Insurance protect my business?

Cyber insurance cover can protect against costs, expenses and liability arising from:

  • Breach of Privacy or Confidentiality – critical defence against your liability for violation of privacy rights or breach of confidential information
  • Data Breach Costs – reimbursement of your costs incurred in dealing with a regulatory investigation, including post-breach costs such as legal, PR & crisis management expenses, customer notifications, credit monitoring and identity theft monitoring costs, and network forensics
  • Regulatory Fines or Contractual Damages – to reimburse sums you’re legally obliged to pay as a direct result of a breach of privacy law or contractual obligation, including PCI-DSS penalties
  • Cyber Liability – your liability for customer/user financial loss or denial of access.
  • Business Interruption – for your lost income as a result of viruses, network failure or damage, hacking or cyber-crime causing ‘down-time’
  • Data Extortion – protection against the threat of extortion as the result of ransomware, theft of data, or damage to your computer network
  • Problems with an outsourcer - we’ll help build protection wherever you face loss or liability, and wherever it arises in your supply chain – including cloud providers & overseas data processors
  • Costs of restoring or recreating data

To get a FREE review of your existing cyber insurance and a no-obligation quote, click here, or call Tracey McCreath on 01223 200665.

 

*Useful staff training links:

https://www.gov.uk/government/collections/cyber-security-training-for-business 
https://www.cyberaware.gov.uk/ 

 

Ready to work with us?

You can call us to talk more about your business on +44 (0)1223 200650 or +44 (0)20 3865 0149

Tracey McCreath ACII

DIRECTOR, MEDIA, ARTS & ENTERTAINMENT

Direct Dial: +44 (0) 1223 200655

Email: tracey.mccreath@laplayainsurance.com

Twitter: @TraceyatLaPlaya