Cyber Insurance v GDPR - The Myths, the Maths and the Law
We rarely switch on our computers without an email containing the latest guidance, opinions, dos and don'ts, risks, or the undeniable fact that the penalties likely to flow from the GDPR from 25 May 2018 could be eye-watering.
It is also true that during 2016, the purchase of cyber insurance cover took an abrupt upward turn, not just in the UK but globally, to the tune of some 50%[1]. The insurance industry has seen a dramatic and significant hike in premium income as cyber and ransomware attacks increase and the reality of the GDPR comes home to roost. KPMG predicts that global cyber premiums will exceed $20 billion by 2025[2], compared to the 2016/17 level, which stood at just $2.5 billion.
While cyber insurance policies may well provide cover for fines and penalties so far as they are "insurable at law", prepare for a big shock if you expect the insurance to indemnify your organisation for fines and penalties imposed by the ICO under the GDPR.
The upper end of stand-alone cyber cover limits tends to be £400 million. For some global entities, facing fines up to 4% of global turnover, such a limit, even if provided, would be woefully inadequate to cover such a fine in any event. While the ICO has played down the punitive 4% deterrent, saying it will approach the imposition of fines fairly and proportionately, the GDPR does require fines to be 'dissuasive'[3].
And the law
From a commercial perspective, you have to ask why a prudent underwriter would carry a risk that could amount to 4% of a company's global turnover when cyber-attacks are becoming an increasingly common menace.
From a legal perspective, there is much talk of the grey areas when it comes to the insurability of these types of fines. However, while uncertainties remain (see below), and acknowledging that each case will turn on its facts (and that the exact question of whether GDPR fines are recoverable from insurers has yet to be tested by the English courts), let's be clear: it is more likely than not that GDPR fines will fall squarely within the category of statutory penalties and criminal sanctions that may not be recovered from insurers (Safeway v Twigger[4]).
This is essentially because regulatory fines exist for important public policy reasons. Penalties, including those the GDPR will impose, are meant to be punitive. This is demonstrated by Article 84 of the GDPR, which requires penalties to be "effective, proportionate and dissuasive", and by Article 83(2)(b), under which due regard should be given to the intentional or negligent character of the infringement. Passing on such liability will very likely fall within the restriction set in Safeway v Twigger[5].
The Safeway v Twigger case concerned a £10.7 million fine imposed on the former supermarket chain Safeway by the Office of Fair Trading (a fine which would now be imposed by the CMA) for its participation in the exchange of price-sensitive information on dairy products. This had the anti-competitive effect of increasing prices for consumers. Safeway attempted to recover this amount from the directors and employees who, it argued, were directly responsible for the infringement, on the basis that the directors and officers had breached their employment contracts and fiduciary duties to the company. In practice, Safeway effectively sought to recover the sum from the directors' and officers' insurers.
However, the court did not allow this argument, ruling that the public policy considerations which underpinned fines for breaches of competition law "would be undermined if undertakings were able to pass on the liability to their employees, or to their D&O insurers".
Importantly, this case applied the established legal doctrine Ex Turpi Causa Non Oritur Actio to a corporation for a regulatory breach. This doctrine forbids claimants from pursuing civil remedies for damages that occurred as a result of their own wrongful act.
The FCA and its predecessor got to grips with this early, in 2004, when it barred regulated firms from taking out cover to insure against its sanctions. There is a common theme here: the ICO, FCA and CMA all have wide-ranging statutory powers to impose punitive sanctions. Any attempt to pass on the liabilities in respect of such fines levied by these organisations (either through insurance policies or through seeking damages from third parties in a civil claim) is likely to fall foul of the Ex Turpi Causa maxim as a matter of public policy.
What, then, is the 'grey area'?
The grey area comprises two interlinked questions:
1. Is a company personally or vicariously liable for a breach?
In Safeway v Twigger, the High Court initially took the view that Safeway was vicariously, rather than personally, liable for the breach, so could not be prevented from bringing a claim against its directors or insurers. Personal liability, it was argued, meant that the act had to be (i) authorised by the directors of the company or (ii) committed by someone with the 'guiding mind of the company'. However, the Court of Appeal disagreed with this reasoning, as it would mean the Ex Turpi Causa maxim would hardly ever apply to very large organisations that are not aware of acts committed by their employees.
2. Is the act criminal and/or morally reprehensible?
The maxim of Ex Turpi Causa is clearly established for criminal or morally reprehensible acts. An arsonist who sets his car alight cannot claim on his car insurance. However, there has been some debate about the extent to which this maxim applies to quasi-criminal penalties, such as regulatory or administrative breaches.
Safeway served to clear these muddy waters by ruling that a regulatory competition fine was sufficiently serious to prevent recovery from third parties, including insurers. The case effectively widened the public policy defence of Ex Turpi Causa. Morally reprehensible acts may include negligence, albeit each case will turn on its facts. Some would say that the Safeway case has not set a precedent for data protection/GDPR fines and may argue that a victim of a malicious cyber-attack should not be prevented from recovering from insurers. However, if the ICO considers that the company's procedures (or lack thereof) are sufficiently deficient to warrant a hefty fine, it is likely that the court will also view this conduct as reprehensible enough to prevent the company from recovering from others (including insurers). The victims of the cyber-attack are, in fact, the individuals whose data has been compromised.
Legally: While many insurance policies provide cover so far as insurable by law, the reality is that GDPR fines themselves will likely not be covered. There may be cover for the costs associated with complying with, defending or appealing investigations by the ICO. And insurers may, of course, elect to pay out an amount in respect of the fine (potentially leading to issues in respect of reinsurance recovery). Note, also, that Bermuda legislation does not prohibit passing on liability for fines and may therefore provide some excess options worth considering.
Commercially: Regardless of any debates around the legal position in coverage of fines, the commercial reality is that the value of cyber cover comes in the knowledge and expertise that can be provided by the insurer, particularly in terms of responding to a data security breach. Cyber policies will generally cover systems failure, data restoration, as well as third party claims for damages for lost data or breaches of security and privacy and may also cover amounts paid in response to cyber extortion. Crucially, they will usually also provide access to necessary and pre-approved vendors and a package of cover that includes:
- pre-breach offerings;
- disaster recovery costs;
- communication and notification costs;
- paying for forensic investigations to determine the cause of the breach;
- legal advice;
- engaging experts to manage public relations and protect the company's reputation;
- lost income and payroll as a result of a breach; and
- credit monitoring for customers.
Of course, insurance can be no substitute for robust data protection policies, and the potential to be on the wrong end of a GDPR penalty makes it all the more important for companies to invest in such policies and procedures. However, in today's climate of increased cybercrime, it is vital for businesses to arrange cyber cover and to partner with insurers in order to assess their exposures and be in a position to respond swiftly and effectively as and when a security breach occurs. Just don't have an unrealistic expectation that it will provide indemnification in respect of any GDPR fines.
- [1] The Cyber Insurance Report -- Cyberinsurance spending forecasts differ widely, Menlo Park, Calif., 6 Mar 2017
- [2] Cyber risk 2025 - the next 10 years, Allianz, July 2016
- [4] EWCA Civ 1472, All ER (D) 245 (Dec).
- [5] EWCA Civ 1472, All ER (D) 245 (Dec).
This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.