It is still unclear whether regulators will allow insurance to pay for GDPR fines, but underwriters seem willing to take on the risk, suggests Aon

Anne magnan aon

The whole issue of whether fines levied under incoming General Data Protection Regulation (GDPR) can be covered by insurance policies is still unclear. Furthermore, it looks like differences could arise across the borders of the EU’s single market, suggests Anne Magnan (pictured), technical director at Aon France.

“Penalties are a big issue, whether they are insurable or non-insurable. In some countries they look insurable; in other countries, authorities’ approach suggests they are not insurable. In France it’s unclear,” says Magnan, who leads all financial lines, casualty, cyber and directors’ and officers’ liability (D&O) at the broker.

For a multinational buyer, if the policy is underwritten in France, but the claim arises within a country where a penalty can be paid with funds from an insurance claim, then Magnan suggests the insurer will pay.

Aon has invested in cyber risk and GDPR compliance within the past few years. For example, the broker bought Stroz Friedberg, a IT consultancy focused on cyber risk assessment, system test, consulting and incident response.

“On the technical side, they can help the risk manager beyond insurance in the strict sense of the term. You get a better understanding of GDPR compliance through impact assessments. We can then advise on action to take to be compliant,” said Magnan.

GDPR’s introduction is a driver for clients buying standalone cyber risk policies, Magnan explains, along with loss events involving extortion and non-damage business interruption.

“GPDR is now a focus based on two items. The first one is notifications: organisations are required by the regulation to notify those persons’ whose information has been compromised by a breach; the second is that the policy could be used to pay regulatory penalties,” she said.

D&O is a major focus, Magnan suggests, if senior staff are found liable for not taking the right security measures, the lack of which are subsequently revealed by a breach. “They can be sued by the shareholders if they did not take all measures to secure the network. A claim can also include the defence costs,” she added.