Engineers Journal / Technology

Financial exposure to GDPR and cyber attack: A review

Tuesday 16 October 2018

Data Privacy, the GDPR (General Data Protection Regulation) and related security matters have been widely discussed and publicised in recent times. As you are no doubt aware, the new regulation came into force on May 25, 2018. Some of the big questions being asked of businesses in relation to GDPR: • How ready are you for the changes that will arise? • Have you considered the potential financial risks that you will have? • Are you concerned that you may not have adequate controls and protections? • How will you deal with data privacy notifications, data requests and portability?

What has changed since May 25, 2018?

The reality is that most businesses, no matter how well prepared and compliant, will remain susceptible to cyber-attacks and to external and internal data breaches. In today’s digital workplace, achieving total security and eliminating all cyber and data handling/storage related risks is virtually impossible. Since May 25, 2018, the potential impact of a cyber-attack or data breach to a business of any size arising from a related fine penalty or litigation, could be financially greater and potentially highly damaging to reputation. With the increase in the availability and adoption, by businesses of all sizes, of digital tools, cloud based systems and other technologies, the need to plan and provide for cyber related risks and their potential impact, is becoming more prevalent. You should also fully expect to see the frequency of claims in this area to increase as GDPR comes into effect, and as data subjects become increasingly aware of their rights. So, what are the main risks and exposures following a cyber-attack or data breach? • Reputational risk – the resultant damage to the business’ reputation in the market and loss of clients; • Regulatory risk – the risk of being in breach of the legislation and the resulting fines and penalties associated with the breach; • Regulator risk – the risk of negatively coming to the attention of the regulator; • Regulatory investigation costs – the financial cost in facilitating a regulatory audit; • Failure to notify affected clients (data subjects) following a personal data breach; • Risk of a breach of personal data resulting from insufficient data safeguards; • Failure to notify the regulator following a personal data breach; • Legal, PR and IT costs – particularly 1st response in the immediate aftermath of a breach. Loss of reputation is a key risk; • Cost of identity theft and credit acquisition monitoring – for data subjects following an actual or alleged breach; • Civil liability arising from a 'material' or 'non-material' loss suffered by a data subject as a result of a data breach; • Cyber-attack and extortion costs – investigation and ransom; • Failure of a third party provider to safeguard personal data which you have provided. For any business, there are significant concerns arising from these exposures especially around the potential sanctions, financial and otherwise, that can now be imposed by the regulator. There is a view that penalties and fines will be applied to a greater extent than before. Furthermore under previous data protection rules it was difficult for a data subject to bring a claim unless they could actually demonstrate 'material loss'. Under GDPR data subjects can now bring claims in situations where no 'material loss' has been identified and this also has serious implications for businesses.

What financial protection is available?

Glennon Insurance has been the broker to Engineers Ireland for many years and we can provide members with significant financial protection with a Cyber Liability Insurance policy at a very affordable price. The policy provides protection in three distinct areas: 1.) Event Management The immediate availability of specialist assistance and to have all associated costs paid for, and should be a vital consideration for any business. Policy sections would cover: • First Response - Legal, IT specialist, crisis consultant; • Legal services; • IT services; • Data restoration; • Reputational protection; • Notification costs; • Credit and ID monitoring. 2.) Data Protection Obligations The policy would cover: • Defence costs in respect of a regulatory investigation; • Data protection fines imposed by a regulator for a breach of data protection regulations. 3.) Liability The policy will provide an indemnity in respect of: • Actual or alleged breach of personal information; • Claims from third parties in respect of an actual or alleged security failure; • Failure to notify a data subject and/or regulator of a breach of personal information; • Alleged or actual breach of duty by the information holder in respect of the processing of personal information. In summary, the cover will provide for the immediate availability of specialist assistance and to have all associated costs paid for arising from a defined cyber event. For additional information or to obtain a quote please contact rfogarty@glennons.ie