With the implementation of the General Data Protection Regulation (GDPR) only weeks away, cyber security is once again a red-hot topic. Yet many small to medium-sized businesses are still failing to protect their data adequately, with security firm Kaspersky Labs describing them as ‘woefully under-prepared.’ And while cyber insurance may provide some financial remedy for fines and penalties (so far as it’s legally recoverable), facing a fine of up to £17 million or 4% of your turnover once the GDPR is in force – especially if your organisation is of sufficient size – could prove too much for current levels of indemnity.
It is true that the Information Commissioner’s Office (ICO) has been playing down its much-publicised powers to impose fines of this magnitude, but the fact remains that the commissioner is committed to ensuring the GDPR works to protect UK citizens’ personal data. So, while the ICO may prefer the ‘carrot to the stick’ approach when dealing with negligent organisations, it still intends to take ‘effective, proportionate and dissuasive’ measures against any company that fails to abide by the new regulation. Such a measure may not amount to applying the maximum fine permissible, but it could prove painful, nonetheless, for any offending business.
Cyber Crime is Fast Becoming a Major Problem for British Firms
In 2016 cyber-attacks affected the operations of 2.9 million UK organisations at a cost of £29.1 billion. In 2017 we saw WannaCry, Petya and ZCryptor cause significant financial and reputational damage to organisations across the globe. And according to a recent UK government survey, 3% of the businesses and 19% of the charities canvassed reported a data breach or cyber-attack in the previous year.
Computer viruses and phishing emails are the most common cyber threats faced by British businesses, with large organisations being the preferred and more lucrative targets for cyber criminals. Successful cyber-attacks on smaller businesses seem to be less numerous but can inflict proportionally greater damage. Statistics show that roughly 60% of small businesses in the UK will close permanently within six months of a cyber-attack.
Disclosing a Cyber-Attack and the GDPR
Several high-profile cyber-attacks in 2016 and 2017 remained unreported for months while the organisations affected chose to conceal the data loss from the public. This will no longer be possible under the GDPR.
From the 25th May onwards, a data breach must be reported to the ICO within 72 hours of its discovery. The breach notification must include who has been affected, what data has been lost and what the likely consequences of the data loss may be. All these factors will inform the ICO’s decision on whether or not to impose a fine.
Cyber Insurance, The ICO and GDPR Penalties
In light of this, can an organisation continue to rely on its existing cyber cover (if it has any) to indemnify itself against a GDPR fine? There is no clear answer to this, so long as the question of whether an insurer has to pay a claimant following a GDPR fine remains untested in the English courts. Nevertheless, while acknowledging that each case will be different, it’s more likely than not that a GDPR fine will fall squarely within the category of statutory penalties and criminal sanctions that may not be recovered from insurers. This is essentially because regulatory fines exist for important public policy reasons.
So, if the ICO deems an organisation’s failure to protect its data is significant enough to deserve a hefty fine, a court will also likely view it as ‘reprehensible’ enough to prevent the company from recovering the cost of the fine from its insurers. The victims here are, after all, the individuals whose data has been compromised, not the organisation being sanctioned by the ICO.
That said, the costs of defending or appealing an ICO investigation may be covered by a policy, and insurers might choose to pay out an amount in relation to a fine. The real commercial value of adequate cyber insurance, however, lies in the guidance and expertise your insurer can provide, especially when it comes to responding to a data breach. Cyber policies, by and large, cover systems failure and data restoration, as well as third-party claims for damages for lost data or breaches of security and privacy. They may also cover extortion money paid to cyber criminals following, for example, a ransomware attack.
There is No Safety Net When it Comes to Non-Compliance
Ultimately, relying on cyber insurance to indemnify your organisation against a GDPR fine is not the right strategy to adopt. Instead, you should make sure you have a robust data protection policy in place alongside adequate cyber cover, and know in detail what the GDPR requires, so you can remain on the right side of the ICO, the GDPR, and those headline-grabbing fines.