Should cyber insurance cover GDPR fines?
I see the interesting debate around whether GDPR fines should be covered by corporate cyber insurance policies has raised its head again. See Law360’s “GDPR Fines May Be Uninsurable, Broker Warns” and “Are GDPR Fines Insurable? UK Watchdog Won’t Say”.
With increasing regulation and scrutiny placed on organisations and, critically, on the individuals within them (for example under the FCA’s SM&CR), there is a growing fear in the boardroom of the potential financial and personal impact of a serious data breach.
Add to that the “when, not if” mentality of always being one step behind the hackers, and a desire to limit or transfer exposure to damaging financial penalties is completely understandable.
Whether it is legally, morally or commercially viable to insure yourself against a GDPR fine (or any other regulatory penalty for that matter) as a consequence of an organisation’s own “failures” is clearly a matter for some debate (answers on a postcard) and opinions vary between countries, states and regulators.
I’m glad to hear the ICO play a straight bat on this, with a spokesperson for the regulator reported as saying it is “not an issue for the ICO”. The GDPR neither permits nor prohibits insurance cover against fines, but irrespective of this, they added, “a focus on insurance rather misses the point, and organisations should be looking to recognise the benefits of good information rights practice to their efficiency, reputation and competitive edge”.
Establishing sound data privacy and protection practices is enshrined in the regulation under Article 25 (data protection by design and by default) and should be the primary focus of any organisation’s efforts, while at the same time it maintains and mitigates all risks to that data, especially those sitting in the potentially weakest links of the “extended enterprise” and data supply chain. I won’t wax lyrical on this, but you can learn more about DVV Solutions’ Third Party and Data Processor Risk solutions here.
Post 25th May 2018, ensuring the privacy and security of employee and customer data is now a matter of good, standard business practice (shouldn’t it have been already?). However, while we remain in the early days, with incomplete GDPR compliance, ignorant flouting of data processing rules, and high-profile breaches, penalties and customer backlash, there is a huge opportunity for organisations to leverage their data governance and usage as key differentiators.
Looking for insurance against a GDPR fine is therefore to focus on the stick and not the carrot. Whether or not insurers will protect their clients against the cost of GDPR fines, there is no easy way out of the responsibilities and accountability that GDPR and other regulations impose, so look beyond the costs, address the risks, and ensure your investment in data governance creates a real commercial advantage.
Sean O’Brien CTPRP, Managing Director, DVV Solutions
About the author:
Sean has over 25 years’ hands-on experience of delivering managed services within IT security and governance, risk and compliance (GRC), and is a practising Certified Third Party Risk Professional (CTPRP).
As a foundation to the success of DVV Solutions, Sean has been instrumental in supporting our business partners Prevalent Inc. and Shared Assessments in creating a foothold in the Third Party risk assurance marketplace across Europe.
His philosophy to become a trusted information security partner is built upon long-term relationships with clients based on honesty and shared values.