What does Cyber Insurance Cover? Does it Cover GDPR Fines?
Cyber-insurance, also referred to as cyber-liability insurance, is an insurance product that offers businesses protection against the financial and operational damage caused by a cyber-attack. The threat of cyber-attacks is very real in today’s data-driven business economy.
Cybercrime, which includes malware and ransomware attacks, distributed denial-of-service (DDoS) attacks, and any other form of cyber-attack, can leave businesses and organizations exposed to data theft or damage and to extensive financial losses.
For businesses, cyber-insurance coverage can act as a buffer against the financial and legal implications of a data breach and costs associated with loss of business revenue and reputation.
Typically, cyber-insurance policies are customized to ensure the business has the specific help it needs to mitigate its risks. This brings us to an important question – what does a cyber-insurance policy cover?
What Does a Cyber-insurance Policy Cover?
As mentioned above, cyber insurance policies are designed to provide businesses with robust protection from the devastating effects of a cyber-attack. It is, however, important to understand the scale and scope of protection offered by your cyber-insurance policy.
You may also notice that not all cyber-insurance policies offer the same type of coverage – so what your cyber-insurance policy covers may be different from what another cyber-insurance policy covers.
Here are some of the common losses that are typically covered under a cyber-insurance policy:
- Losses caused by business interruption.
- Contingent business interruption costs – the revenue a business loses because of system downtime caused by a third-party (IT vendor) failure.
- System failure costs.
- Losses due to the destruction of digital assets.
- Data retrieval costs.
- System restoration costs.
- Cyber-extortion/ransomware costs – this includes data breach response and remediation costs, as well as network security and privacy liability.
In addition, cyber-insurance policies today increasingly focus on providing businesses with post-breach funds.
It is also important to know that your cyber-insurance policy does not cover every form of cyber risk. Examples of excluded risks include financial damage resulting from terrorist activity or war, and business losses caused by the failure of the business’s own internal infrastructure. Costs arising from reputational damage in such situations will not be covered either.
So, you must read the fine print and go through every aspect of your cyber-insurance policy before signing on the dotted line.
Does Cyber Insurance Cover GDPR Fines?
The General Data Protection Regulation (GDPR) came into effect in Europe in May 2018. The law focuses on the responsibility organizations have to protect user information.
Businesses that are EU-based, and businesses with EU citizens as customers, come under the purview of GDPR penalties and fines.
Your cyber-insurance policy should typically cover a range of fines and penalties, including those associated with data breaches and privacy law violations. However, when it comes to comprehensive coverage of GDPR fines, there are a few areas that should be carefully scrutinized.
Consider the following:
Who counts as a privacy regulator – You may find that your cyber-insurance policy lists “international” or “foreign” entities among its potential privacy regulatory bodies to give the impression that the policy is strongly GDPR-aligned. However, that wording does not by itself translate into any material change in coverage.
The difference between breaches and privacy violations – Typically, the language on “privacy law” in cyber-policies refers only to laws regulating a privacy breach. GDPR, however, covers a much wider range of privacy rules, including how you store, manage, and access user data. Your policy might already include coverage for claims related to these exposures, but a robust cyber-insurance policy should explicitly cover any potential allegation of improper data storage and management.
Regulatory coverage – It is important to ensure that your cyber-insurance policy specifies coverage for privacy violations relating to every aspect of how data is stored and managed. You might also want to check whether your cyber-insurance policy covers other critical forms of GDPR violation, including “not hiring a Data Protection Officer.”
Most favorable venue for fines and penalties – A most-favorable-venue provision in your GDPR cyber-insurance policy signals the insurer’s intention to pay a penalty or fine whenever possible. This means that the insurer will consider all reasonable venues before deciding whether the penalty or fine can be covered, or whether it is insurable at all. Today an increasing number of cyber-insurers are showing a willingness to adopt this provision in order to make their policies more GDPR-compliant.
To Wrap Up
Changes in data-protection and privacy laws are driving changes in cyber-insurance policies. As a result, cyber-insurance policies are becoming more comprehensive, and laws such as GDPR further widen the scope of coverage they provide. However, cyber threats and privacy laws are continuously evolving, and these changes are bound to affect how cyber-insurance policies are designed going forward.