The arrival of the General Data Protection Regulation (GDPR) next May will have a significant effect on the financial exposures of UK businesses, and could even lead to an increase in premium rates for cyber and data breach coverage, according to Tokio Marine.
The introduction of mandatory notification for data breaches under the regulation means that the number of reported breaches in the UK is likely to increase significantly, and the number of breaches reported relative to the number of registered businesses could match or even surpass those seen in the more advanced US market, says Paul Gooch, cyber underwriter at the insurer.
Businesses that suffer a breach face hefty fines under the new law: the greater of €20 million (£17 million) or 4% of total worldwide annual turnover. But by handling a breach appropriately, companies could stand to reduce that figure, Gooch told Insurance Business.
“Four per cent (4%) of annual worldwide turnover is a massive figure – for any company, that could have a serious effect on earnings for the year,” he commented.
“The GDPR doesn’t explicitly state that should a company handle a breach in a certain way then the fine will be lower, but it does state that the manner in which regulators become aware of the breach and the actions taken by the affected company to mitigate the damage should be taken into account when deciding whether or not to impose a fine and the amount.
“We would definitely expect that if you do suffer a data breach and you hold your hands up, you report it to the correct authorities, and you notify individuals where required, then the fine imposed should be lower.
“We don’t know if that’s definitely the case yet, as it hasn’t yet come into effect, but you would expect a company that handles a breach appropriately to be treated less harshly than one that lacks in their response to it,” Gooch explained.
Under the GDPR, individuals are given a right to claim against an organisation where their data has been breached. Whereas in the US customers must prove a financial loss suffered as a direct result of their data being breached before they can take action, the GDPR may go further in this respect.
“Initial indications are that in the UK, individuals will be able to claim for non-material damage,” Gooch said.
But the implications aren’t just limited to the immediate financial impact. The potential for reputational harm under a system of mandatory notification is also significant, particularly while the concept is new, according to the underwriter.
While many policies provide coverage for the direct costs of a data breach, under the GDPR, clients should consider whether their policy will include losses incurred as a result of damage to their reputation, such as a loss of customers.
Overall, once the GDPR comes in, companies are “much more exposed” to the financial losses that can result from data breaches, but Gooch stressed that we will have to wait and see as to whether premium rates will increase.
He added: “If the claims volume increases, which we would expect it to, given that GDPR increases the exposure, then premiums would surely increase following the increased claims activity. If there’s not an increase in claims activity, then probably not. But given that the exposure is increasing, you’d expect claims to increase, and therefore expect rates to follow suit.”