Is your client’s cyber insurance policy GDPR ready?

At-Bay provides cyber insurance for the digital age.

Photo credit: Matthew Henry

The General Data Protection Regulation changes what a good cyber and data privacy insurance policy looks like.

GDPR is a law which regulates the processing, use, and fundamental rights associated with personal data of individuals within the European Union and its Member States. It expands upon formerly enacted cyber and data privacy regulations and introduces new requirements to protect the rights of individuals to data privacy.

While GDPR is only one of a multitude of privacy related regulations, it is different than others due to its broad scope, use of previously little seen obligations and requirements, and potential to serve as a catalyst and muse for future regulations.

GDPR’s implications and differences may not be considered in the standard cyber insurance policy of today.

Today’s standard cyber insurance policy contains many coverages, one of which is commonly referred to as “Regulatory Coverage.” Regulatory coverage responds to claims made by regulators for violations of underlying regulations or cyber related events. Standard cyber insurance policies contemplate any worldwide regulation which governs cyber, data, and identity privacy as well as various types of underlying cyber events.

The scope and complexity of GDPR puts underwriters and brokers in a tough position. First, they need to quickly understand what GDPR regulates and articulate the consequences of those regulations to clients. At the same time, brokers must review all of their clients’ various cyber insurance policies to identify coverage gaps in policy forms and close them as quickly as possible.

This article provides a short guide to redesign cyber and data privacy insurance programs for brokers and underwriters. In particular, we provide the following guidance:

  • We summarize four important considerations about GDPR with relevant implications on policy terms and conditions.
  • We identify potential cyber insurance coverage gaps in policy forms introduced or exacerbated by each of these considerations.
  • We highlight excerpts from the At-Bay policy form that show how we expanded our coverage to close these gaps for GDPR and for future privacy regulations.

Some carriers have already updated their policies with “magic” GDPR buzzword(s), such as “right to erasure” or “right to be forgotten.” By itself, these types of individual policy language updates serve only as a lark mirror and are not sufficient to protect clients.

A GDPR-ready cyber insurance policy must use comprehensive terms, conditions and language, with select use of specificity where appropriate, to ensure coverage availability for all privacy regulations, both GDPR and others.

1. GDPR uses a broad definition of personal data.

GDPR broadly defines “personal data” as “any information relating to an identified or identifiable natural person,” which provides a range of interpretive discretion. GDPR supplements “personal data” with specifically defined categories of information, such as “biometric data” and “genetic data”.

Where cyber policy forms should be reviewed?

Like GDPR, every cyber insurance policy in the market defines what type of information it contemplates, typically set forth by a defined term such as “Protected Personal Information.”

To make sure clients are adequately covered for newly enacted privacy regulations, many insurance professionals first look for specificity in a cyber policy’s definition of covered information. While specificity is nice to have, it is not sufficient to cover the full breadth of information that a regulation like GDPR could potentially regulate. A GDPR-ready cyber insurance policy requires a comprehensive definition of protected information, with a specific list serving only for additional clarity.

How does At-Bay define information in its cyber policy?

We define the information covered in our policy through the defined term “Protected Personal Information.” Portion (e) of “Protected Personal Information” is a must-have in any cyber policy and covers any type of personal information defined in any regulation worldwide, including but not limited to GDPR: “Protected Personal Information means […] any other non-public personal information or data of a natural person as specified in any Privacy Regulation.” Portions (a) through (d) of “Protected Personal Information” clarify intent and support easy navigation of the policy.

2. GDPR regulates more than just data breaches.

The GDPR regulatory framework encompasses a broad range of information privacy events, including how organizations internally handle and process data. This is in addition to an actual breach, or unauthorized access, of private information. For example, GDPR’s “right to be forgotten” requires companies to delete individuals’ data whenever requested, even when violation of this requirement may not lead to a breach of private information.

Where cyber policy forms should be reviewed?

A standard cyber insurance policy pays for claims and losses that result from a set of defined information privacy events. Any cyber insurance policy which covers breach event types only is too specific and not sufficient for the wide scope of information privacy events defined in GDPR. A GDPR-ready cyber insurance policy requires a comprehensive definition of covered events to include any type of information privacy event, not just data breaches.

How does At-Bay define an information privacy event in its cyber policy?

In our policy, we define covered cyber events for information privacy and breach through the defined term “Information Privacy Event”. Portions (a) through (c) of our definition are a must-have in any cyber policy and cover any type of information privacy event including breaches, violations of any privacy regulation, and any mishandling and mis-processing of data. Portion (e) clarifies our intent to cover new types of penalties introduced by GDPR and helps you navigate our policy.

3. GDPR expands EU regulators’ power to investigate suspected privacy violations

GDPR’s framework allows for regulators to investigate any organization which they suspect may have violated GDPR’s requirements, notably the rights of individuals to data privacy. A legal defense and response is necessary for any organization subject to such a regulatory investigation.

Where cyber policy forms should be reviewed?

All cyber insurance policies define what types of third-party claims trigger coverage. When a regulator makes allegations against a company, this trigger is called a regulatory “claim.” Some cyber insurance policies require a formal investigation to trigger a regulatory claim.

A GDPR-ready cyber insurance policy must amend its trigger for regulatory claims to include any suspected GDPR violations or investigations. Any policy without this approach may leave a company uninsured during a investigation portion of a GDPR regulatory claim.

How does At-Bay cover suspected GDPR violations in its cyber policy?

We include early claim triggers in our definition of “Regulatory Claim.” We broaden the scope “Regulatory Claim” in our second paragraph to include “an investigation into a potential violation of Privacy Regulations, which may reasonably be expected to give rise to a Regulatory Claim.” This expanded trigger is a must-have in any cyber policy and allows clients to access insurance payouts, notably defense and legal fees, at the beginning of a potential violation of GDPR law.

4. GDPR may leave fines and penalties uninsured under certain jurisdictions.

GDPR’s enactment has created some jurisdictional ambiguity in regard to the insurability of fines and penalties assessed against companies. GDPR may be enforced under a variety of jurisdictions, each with a potentially more or less favorable environment as it relates to the insurability of fines and penalties.

Where cyber policy forms should be reviewed?

Cyber insurance policies typically contemplate the payment of regulatory fines and penalties through a definition of damages. Many policies are silent on the jurisdictional applicability of fines and penalties, which can expose clients to financial burden of regulatory fines and penalties. A GDPR-ready cyber insurance policy contains explicit language to allow for the insurability of GDPR-related fines and penalties in any relevant jurisdiction that most favors coverage.

How does At-Bay provide favorable jurisdictional insurability in its cyber policy?

We address the insurability of regulatory fines and penalties in our definition of “Damages.” Section (g) of our “Damages” definition includes “to the extent to which such fines, penalties, taxes, or sanctions are insurable under the applicable laws of any jurisdiction which most favors coverage…” With this definition, we highlight our intention to pay for regulatory fines and penalties to the broadest jurisdictional extent possible.

Conclusion

GDPR changes what a good cyber and data privacy policy looks like. Its principles will spread all over the world and new similar privacy local regulations will be enacted. Underwriters and brokers should start now to review cyber policies and to support clients in understanding new exposures.

In At-Bay, our approach is to have a clear and broad policy form that reinforce our intent to support the client, pay fines whenever possible, and allows the broker to confidently validate that the policy has comprehensive and best in class regulatory fines and penalties coverage.


Found this post useful? Kindly tap the 👏 button below and share the story to help others find it! :)

About the author

Ben Grosser is the Insurance Product Lead at At-Bay. He likes buffaloes (CU Boulder style) and insurance policies that allow brokers & clients to sleep easy in the digital age.

This was written in collaboration with Giovanni Fassio, who likes playing the piano and discussing how technology can apply to the insurance industry.