GDPR and Cyber Insurance - key things you need to know

Published: 18/04/2018

Don't make the mistake of assuming your Directors & Officers insurance will pick up the tab if you fall foul of the new data laws or suffer a data breach.

The new General Data Protection Regulation (GDPR) brings a duty to report data breaches, with widespread implications and new financial risks:

  • Duty to notify the Information Commissioner’s Office (ICO) of data breaches.
  • Fines of a much greater magnitude can be levied by the ICO on companies failing to comply with this duty and, where personal data has been leaked, follow on claims can be expected.
  • Requirement to conduct costly investigations into cyber security breaches and report to the ICO.

Cyber insurance can be a part of the solution, but it's a complex area. It should be tailored to your particular risk exposures – based on your business plan. It’s highly unlikely an off-the-shelf policy will protect a typical innovative or disruptive business hub.

Last year’s major cyber security incidents - from the “WannaCry” ransomware attack (losses of $8bn worldwide), to the “Petya” infection of a major law firm’s global IT network and hundreds of thousands of customer details being seized from Wonga and Three Mobile amongst others. 

Increased risks:

  1. Mandatory reporting of data breaches is likely to put businesses at greater risk of enforcement and civil litigation after a cyber security incident - whether resulting from malware, rogue employees or poor security of third parties holding their data.
  2. Investigation costs: with a massively expanded workload as breach reporting spirals upwards, the ICO is likely to outsource part of its investigative role to the companies reporting data breaches.  Businesses may be called upon to assist the ICO and other law enforcement agencies to investigate the nature, source and ramifications of cyber security incidents.
  3. Reliance on data: as the volume of data increases, so too does the value (and vulnerability) of holding data for business. 
  4. Cyber security threats are multiplying daily
  5. Reputational risk is a significant threat to balance sheets and to building trust with your market.  
  6. Larger fines: to date, the largest fine imposed by the ICO was £400,000 on TalkTalk, in August 2017. Under the GDPR, the fines can reach up to 4% of annual turnover. 
  7. Civil follow-on claims: as well as regulatory enforcement, civil claims may be brought against businesses as a result of cyber security incidents. The climate of transparency is likely to increase the frequency of such follow-on claims.

Civil Claim Case study:

The recent judgment in Various Claimants v VM Morrisons Supermarket plc marked the first data leak collective action in the UK and may have been the tip of the iceberg.  The court held that Morrisons was vicariously liable for the criminal leak of personal information by one of its employees, even though he acted maliciously to damage the company. This precedent clearly increases the litigation risk that employers must take into account when designing their cyber-security systems and processes.

How can business leaders prepare?

  1. Identify cyber security risk via a thorough business analysis
  2. Create an incident response plan (to include ongoing cooperation with the ICO and police)
  3. Train staff* in cyber security measures
  4. Undertake a full review of Cyber Insurance protection

How can Cyber Insurance protect my business?

Cyber insurance cover can protect against costs, expenses and liability arising from:

  • Breach of Privacy or Confidentiality – critical defence against your liability for violation of privacy rights or breach of confidential information
  • Data Breach Costs – reimbursement of your costs incurred in dealing with a regulatory investigation, including post-breach costs such as legal, PR & crisis management expenses, customer notifications, credit monitoring and identity theft monitoring costs, and network forensics
  • Regulatory Fines or Contractual Damages – to reimburse sums you’re legally obliged to pay as a direct result of a breach of privacy law or contractual obligation, including PCI-DSS penalties
  • Cyber Liability – your liability for customer/user financial loss or denial of access.
  • Business Interruption – for your lost income as a result of viruses, network failure or damage, hacking or cyber-crime causing ‘down-time’
  • Data Extortion – protection against the threat of extortion as the result of ransomware, theft of data, or damage to your computer network
  • Problems with an outsourcer - we’ll help build protection wherever you face loss or liability, and wherever it arises in your supply chain – including cloud providers & overseas data processors
  • Costs of restoring or recreating data

To get a FREE review of your existing cyber insurance and a no-obligation quote, click here, or call Tracey McCreath on 01223 200655.


Ready to work with us?

You can call us to talk more about your business on +44 (0)1223 200650 or +44 (0)20 3865 0149

Photo of Tracey McCreath ACII

Tracey McCreath ACII


Direct Dial: +44 (0) 1223 200655

Mobile: +44 (0) 7747 536965


Twitter: @TraceyatLaPlaya