Fines for the most serious violations of the GDPR can be as high as 4% of a company’s global annual turnover or €20 million, whichever is greater. The maximum liability is therefore substantially higher than under the penalty rules of the 1995 Data Protection Directive. Excluding fines and penalties, the overall average costs associated with handling a single data breach amount to $3.62 million globally and $7.35 million in the U.S., according to the 2017 Cost of Data Breach Study from IBM Security and the Ponemon Institute [1].
Cyber Insurance: An Additional Shield Against GDPR Exposure?
Considering that even the most advanced security infrastructure may not prevent every data breach, it may be sensible to explore other options with the aim of reducing the financial impact of non-compliance with the GDPR. For instance, companies should re-evaluate the adequacy of their current insurance policies and, if necessary, consider taking out a cyber insurance policy, which may serve as an additional layer of protection against GDPR-related risks.
A cyber insurance policy is a specialized insurance product designed to insure businesses against a wide variety of cyber-related risks, such as fines caused by non-compliance with certain GDPR obligations or the costs of investigating data breaches and notifying regulatory bodies and data subjects. Certain policies also compensate for claims made by third parties, such as data subjects, which may come in handy if the personal data of multiple data subjects are compromised.
What Should You Do Before Getting Cyber Insurance?
It is crucial to note that selecting optimal cyber insurance coverage requires a thorough analysis of the company’s practices around the protection of personal data, which will help to identify the relevant risks and assist in choosing appropriate coverage for them. Since cyber insurance policies can be very complex, it is advisable to bring this matter to a knowledgeable broker who is familiar with the GDPR and can suggest optimal cyber insurance coverage based on the needs of the particular organization.
When getting a cyber insurance policy, one important point to consider is what is excluded from the scope of coverage. Certain insurance policies tend to exclude fines and penalties unless they are “insurable by law”. The insurability of fines and penalties imposed by the GDPR is questionable and has yet to be tested by the courts in the EU Member States and the U.S. Therefore, companies should consider taking out coverage whose wording and limits are specifically tailored in light of the GDPR.
How Much Does a Cyber Insurance Policy Cost?
Pricing for such policies depends on a range of factors, including the company’s industry, size and revenue. Additionally, the scope of coverage and the liability limit are fundamental factors used to determine the cost of a policy. Some insurers will also want to obtain a better picture of the relevant risks within the applicant organization, as well as its data practices, number of security incidents, etc. The average premium for a cyber insurance policy that provides compensation up to $1 million can run between $12,500 and $15,000 USD annually [2].
Speak with your insurance broker to see if a cyber insurance policy that provides coverage for GDPR-related fines is appropriate for your circumstances.