Risk Management

Insurance coverage available for GDPR exposures

Judy Greenwald

October 17, 2018 Reprints

European Union Cyber Risks Emerging Risks General liability Regulation Technology More + Less -

Insurance coverage is available for risks related to the European Union’s General Data Protection Regulation, say observers.

Richard May, Seattle-based managing principal for Integro Ltd., said although many cyber policies are written to respond to data breaches and do not necessarily incorporate claims related to privacy rights, “most of the major insurers have issued GDPR endorsements that incorporate to a greater or lesser degree the privacy rights granted under GDPR into the coverage” under their cyber policies.

“But most of them are very narrowly written, so they only apply” to European countries regulated by the GDPR, Mr. May said.

Steven H. Anderson, Dallas-based vice president and product executive for privacy and network security at QBE North America, a unit of QBE Holdings Inc., said most insurers’ cyber policies provide regulatory coverage, “and GDPR would fit under that” category.

Some brokers are asking insurers, though, for specific endorsements that target the GDPR, “just to make sure the i’s are dotted and the t’s are crossed,” Mr. Anderson said.

The coverage “hasn’t been challenged yet from a claims perspective,” but brokers are asking for the endorsements to make sure there isn’t any confusion, he said.

Mr. May also pointed to the California Consumer Privacy Act of 2018, which takes effect in January 2020 and incorporates many of the GDPR’s provisions.

“With the change in the California law, privacy rights is going to become a big issue for almost every buyer of cyber, so I expect the next year we’re going to see a shift from a lot of policies being quite narrowly data breach-driven to a broader privacy rights approach,” he said.

It may take a couple of years, though, for insurers to assimilate the California law’s impact, Mr. May said.