Should cyber insurance be part of your GDPR compliance preparation?

New research reveals that the raft of recent ransomware attacks, which affected corporate giants including WPP, FedEx and Telefónica, has had very little impact on the cyber insurance market in the UK. Despite the fear factor caused by these attacks, UK organisations are not taking out cyber insurance policies, even though the global market is worth an estimated $2.5 billion. But with more stringent data protection legislation coming with GDPR, now less than 11 months away, should cyber insurance be part of the compliance regime?

So what does it cover?

Cyber-insurance protects organisations from Internet-based risks and, more generally, from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies, or at least are not specifically defined in traditional insurance products. Coverage provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds. Additionally, it should cover fines that come as a result of cyber-attacks (for example, fines for data breaches, although this is still a grey area as so far no organisation has made a claim for a data breach fine). It also makes provision for crisis management, such as expenses related to the management of an incident, the investigation, the remediation, data subject notification, call management, credit checking for data subjects, and legal costs.

All eyes are currently on the grey area relating to fines, as in the wake of GDPR, having insurance to cover sanctions of up to four per cent of global turnover could be very prudent indeed.