Bruce Hepburn, Chief Executive Officer for Mactavish, commented: “Although many policyholders may not be aware of the detail, all GDPR fines are currently unlikely to be insurable in the UK for reasons of public policy, but the position is still not fully clear.
“In addition, very large fines of this level or more would also exceed the maximum amount of insurance most companies could buy in the cyber insurance market under a standard policy structure. However, Cyber insurance is still a valuable mitigation if purchased carefully: well-designed Cyber insurance can cover any fines which are deemed to be insurable by law, defence costs (which could be significant), compensation due to affected individuals, as well as crisis management and customer support costs that an affected company will incur beyond the fine itself.
“But the devil is in the detail for cyber-insurance and companies need to understand what they are buying and the limits to what their insurance will in fact cover. As just one example, cyber insurance might provide broad cover to voluntarily notify individuals affected by a data breach, or much narrower cover to notify individuals only where there is a strict legal requirement to do so.
“Such differences can be critical but are often buried in the detail of the insurance policy. So companies need to invest the time in understanding their needs and ensuring they buy the right insurance to avoid surprises if affected by a claim.”
|