I know that headline will worry a lot of folks. On this side of the Atlantic, it is pretty routine for cyberinsurance to cover (if you pay the premium for it) the payment of fines. But as IT Governance reported on June 4th, that's not true with the EU's General Data Protection Regulation (GDPR).
Insuring against fines would have been nice, especially as the GDPR gives supervisory authorities the power to issue penalties of up to €20 million (about $24.4 million) or 4% of an organization's global annual turnover, whichever is greater. U.S. organizations that are subject to the Regulation must elect one of the EU member states' supervisory authorities. However, it seems that no matter which member state an organization chooses, its laws don't allow for insurance against GDPR fines.
Aon's guide, The price of data security, found that almost all European countries prevent organizations from insuring against GDPR fines. The only exceptions are Finland and Norway.
The relatively good news is that large fines will probably be much less common than people have predicted. In most cases, supervisory authorities will only issue fines if other disciplinary action isn't deemed suitable. Even if fines are necessary, the maximum penalty will be reserved for flagrant or repeated violations of the Regulation. OK, that makes me feel a little better, but it still is a pretty big looming threat that can't be covered by insurance.
Although it's generally not possible to insure against fines, organizations can insure against other damages related to the GDPR. Depending on the circumstance of the violation, cybersecurity insurers will compensate organizations for the cost of:
- Legal fees
- Regulatory investigations
- Incident response
- Hiring a public relations firm to mitigate reputational damage
- Notifying and compensating affected data subjects
A small number of organizations have already taken out GDPR insurance, but that number will no doubt grow. For the moment, entities are still scrambling to become GDPR compliant!
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology