The European Union’s General Data Protection Regulation, which officially went on the books May 25, has had companies around the world worried — and for good reason.
Failure to comply with the data privacy and security regulation, which is applicable to companies that handle and process EU citizens’ data, could lead to fines of up to 4% of a company’s global revenue or 20 million euros, whichever is higher.
Just two weeks before the GDPR deadline, there seemed to be a consensus that companies should be reviewing their cyberinsurance policies and, if they didn’t already have such a policy, they should get one.
Uncertainty whether policies will cover fines
Surprisingly though, companies don’t seem to be in a rush to purchase this type of protection from cyber liability.
Adrienne Ehrhardt, a partner at Michael Best & Friedrich, said that there is still some uncertainty about whether cyberinsurance policies will cover the fines associated with the GDPR.
“One of the more obvious [reasons] is that I think there is uncertainty as to whether cyberinsurance policy coverage [applies to] administrative fines under the GDPR,” Ehrhardt said. “I was talking to someone in the industry who seems pretty adamant that most policies don’t. If that’s the understanding of a lot of potential purchasers of that insurance, then I can see how most organizations are making the decision that it’s not worth their while.”
However, there is a belief that those fines will eventually be covered; the policy language just needs to be worked out first.
Policy language not explicit
Jared Zola, a partner at Blank Rome, said that he too is not surprised that companies are not rushing to get cyberinsurance because, save for the policies from a few insurers, guidelines are generally not yet explicit in saying that the potential fines and penalties will be covered.
Zola said there are “strong arguments” that GDPR is covered by third-party liability sections of cyberinsurance policies. And even for the handful of insurers that do explicitly cover GDPR fines by endorsement, policies are “not written as clearly as they could be,” he noted.
“I think we’re going to see that changing over the next couple of years. Slowly but surely that language will make its way into a policy that the companies are buying off the shelf,” Zola said. “I think what you’re going to see is the evolution of very clear GDPR coverage language being added to these policies.”
Reducing risk exposure
Beyond the uncertainty of whether insurers will actually cover the potential penalties, Ehrhardt says there may be less to actually insure, which may also explain why companies have not rushed to their closest cyberinsurance attorney to work out a policy.
“I think that GDPR generally is seeking to limit the type of personal data that organizations have or handle, both in terms of the amount [of data] and length of time that data is retained. So because of that result, the amount of risk exposure … in the amount of personal data the organization holds is being reduced from a security standpoint,” Ehrhardt said.
There also appears to be a hesitation on the part of the insurers.
“My sense is, from talking to others in the area, that most insurers aren’t willing to go out on a limb and cover the potential administrative fines that could be 20 million euros or 4% of worldwide turnover,” Ehrhardt said.
Pricing policies is tough
Zola said there is also some hesitation on the part of the insurance companies because it’s tough to even know how to price policies that include these brand new GDPR fines and penalties.
“There is so much nuance there that I think insurers are having a hard time pricing what that would cost. Of course, the built-in protection for the insurer is that there are policy limits. If you buy a policy with $10 million worth of limits and the assessment ends up being 20 million euros, you’re just not going to have coverage for the entire amount,” Zola said.