Nobody quite knows yet what GDPR compliance looks like, but efforts are in full swing

GDPR countdown

The efforts of French companies to prepare for Europe’s General Data Protection Regulation (GDPR) are catching up with those of the US market in managing privacy risk. However, big questions about compliance – and whether insurance can be used to pay penalties – remain unanswered.

That was the message from two cyber risk experts at insurance broker Marsh: Jean Bayon de la Tour, cyber development leader, Marsh Continental Europe; and Luc Vignancour, head of cyber practice, Marsh France.

“We spend a lot of time with the chief technology officers, and those clients feel something is wrong,” said Bayon de La Tour. “It’s a new risk to manage and they are not sufficiently helped by their existing insurance contracts.”

He thinks that in the five years Marsh has operated its cyber risk broking practice, companies in France and Western Europe have gone a long way towards closing the gap in addressing these risks with their US counterparts, where data breach litigation is well established. GDPR, enforceable across Europe from May 2018, is accelerating those efforts.

“The gap between US and Europe will be smaller. We see a great interest from clients, from large firms and some midsize firms. Nobody yet knows what it means to be compliant, but they can at least take steps,” said Bayon de La Tour.

Data governance has been selected as a major theme at this year’s AMRAE conference, and while it is not itself an insurance issue, it is crucial for GDPR and closely tied to the insurance questions that GDPR raises.

“GDPR is totally linked with data governance, which is one of the main concerns of clients,” said Vignancour. “We know by end of May that we have a lot of things to do, but most companies are taking steps to organise themselves to be GDPR compliant. There’s a huge link between GDPR and data governance, and we’re trying to build a bridge with insurance.”

Vignancour highlights a difference in priorities between the evolving cyber risk and insurance markets on the two sides of the Atlantic. The biggest claims in the US have been for breaches of privacy, whereas in Europe there has been more focus on first-party business interruption. “GDPR brings more pressure on the privacy side,” said Vignancour. “That means in five years’ time efforts will be more harmonised across the ocean.”

He suggests that Marsh places at least half of the commercial insurance for cyber risk in France, which gives it a broad view of the market. Attacks in the past year have begun to create some major claims and losses, according to Vignancour. “Some losses have amounted to several million euros. The biggest one is not quite finished yet, but is likely to be about €10m,” he added.

Bayon de La Tour emphasises the importance of crisis response services that kick in when a cyber risk event takes place. “Having crisis management embedded within insurance policies is very important. The experts are ready to get [the client] back to business as fast as possible,” he said.

Internal politics within a group can also come into play. Bayon de La Tour remembered the example of one multinational client operating a subsidiary. “For a relatively small incident, they did not want to trigger their own group’s crisis management team, and preferred to use the crisis response through their insurance,” he said.

On the question of using insurance to pay regulatory penalties under GDPR, Vignancour ventures an opinion but stresses there are no answers yet from the authorities in France or other EU members.

“Clients are asking about penalties but it’s a grey area. There is no way at present to say it is insurable. If you look at different stories in France, my thought is that it is not insurable, but that’s just an opinion,” he added.