Cyber & Data Risk
Cumulative legal costs in data theft and privacy claims will be a significant exposure for insurers
Litigation and compensation claims following data security and privacy breaches will ramp up under the General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018. Publicity surrounding the introduction of the GDPR and news coverage of recent high-profile data leaks mean consumers are more aware than previously that they may be entitled to claim compensation following breaches.
While the quantum of each individual claim is relatively modest, group actions are increasing and the cumulative exposure to individual claims can easily run into the millions (as can be seen in Various Claimants v Wm Morrisons Supermarkets Plc (2017)). The greatest exposure for both liability and cyber insurers is likely to be in legal costs, but some comfort may be taken from the costs judgment in Morrisons, which showed that claimants must plead arguments in a proportionate and focused way. Those who indulge in tenuous arguments risk a significant reduction in their costs recovery.
Cyber-attacks will test war and terror policy exclusions
It is possible that we could see direct and disruptive cyber-attacks on the US or its political allies in the short to medium term. States’ openness about their cyber warfare capabilities has increased in recent years, and it is only natural that certain countries may want to conduct a limited and deniable show of force to test defensive responses.
For insurers, this could manifest itself in systemic business interruption or even physical damage losses. Attribution of cyber-attacks is notoriously difficult, which will challenge the application of war and terror exclusions. This will be particularly difficult for those untargeted businesses caught in the ‘shrapnel effect’ of major attacks on larger businesses or national infrastructure.
EU regulators will benchmark GDPR fines
The first financial scalp will likely be taken by a European regulator for a breach of the GDPR in the first half of 2019, setting the benchmark for GDPR fines across Europe. The EU’s Data Protection Board has emphasised the need to apply fines consistently. The UK’s regulator, the Information Commissioner’s Office (ICO), is bound to do this until the UK leaves the EU but we expect the ICO will continue to use EU fines as a benchmark after this point.
The insurability of such fines is a hot topic for insurers, as the GDPR is silent on this point and member states’ national laws will differ. Here in the UK, it is not possible, on public policy grounds, to insure against fines arising out of deliberate wrongdoing, illegality or morally reprehensible actions. While the recoverability of civil fines for data protection breaches has not been tested, we expect parallels will be drawn with other UK regulators and that punitive fines will not be insurable. In the absence of clarification in either the GDPR or the UK’s Data Protection Act 2018, if the point is litigated it may take several years before a judicial answer is given.
Cyber modelling will improve with data and expertise
Cyber modelling will improve with the increase in availability of empirical data, modelling providers and expertise. Demand for more accurate modelling is likely to be spurred on by the Prudential Regulation Authority’s follow-up enquiries to its Supervisory Statement published in July 2017. The follow-up enquiries include requests to see evidence that insurers understand their exposures to affirmative and non-affirmative cyber losses. This is likely to be accompanied by an expectation that businesses will have modelled a range of extreme cyber loss scenarios.