Cyber insurance is still (just about) the new kid on the block. It is commonly thought of as a tool to mitigate exposure to ever-evolving cyber risks. That is right up to a point; but the increasing exposure of business to losses potentially covered by cyber insurance is, in our view, in material part driven by changes in the legal and regulatory risk environment.
It is helpful to start by understanding what cyber insurance does: it transfers to the insurance market some categories of loss resulting from cyber and data risks which may not be covered under other insurance products (although to some extent there may be overlap). These losses may include, for example, cyber incident response costs, data breach claims and business interruption losses caused by cyber incidents.
Cyber and data risk may be considered as part of the peril or event from which insurable losses may result. These are well understood to be quickly evolving risks. According to the 2019 edition of the World Economic Forum's Global Risks Report, cyber attacks and data fraud are two of the top five risks that respondents identified as most likely to occur.
But the way in which a cyber and data risk translates into loss for a business, particularly for liabilities, fines and costs, is heavily impacted by the legal and regulatory environment. Recent developments include:
- the UK Court of Appeal's decision in the first data breach class action (WM Morrisons Supermarket Plc v Various Claimants) to uphold the finding of the High Court that an employer can be vicariously liable for an employee's data breach even when the employer was not at fault. In response to an argument put forward by Morrisons that public policy considerations militate against imposing a disproportionate burden on an employer, the Court of Appeal's response was that "the solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees";
- the well-publicised General Data Protection Regulation (GDPR); and
- the implementation in national law of the Network and Information Security Directive (Cyber Security Directive).
From an insurance perspective each of these developments carries significant potential exposures for businesses and, by corollary, insurers. The decision in Morrisons deals with liability and not with quantum. However, the data of almost 100,000 employees was leaked, and any compensation awarded, including distress-based damages, will likely be considerable. A breach of the GDPR can lead to fines of up to the higher of €20 million or 4% of global turnover; and similarly a breach of the Cyber Security Directive can lead to fines of up to £17 million.
There are also legal risks regarding the scope of what is insurable. Cyber insurance policies tend to provide cover for fines "to the extent insurable by law". However, there is some uncertainty as to whether or to what extent some fines are insurable as a matter of English law - a topical subject in light of the fines proposed by the ICO against BA and Marriott hotels in recent weeks for breaches of GDPR.
PRA/FCA fines are uninsurable; but whether GDPR or Cyber Security Directive fines are insurable turns broadly upon the application of the so-called illegality defence (i.e. the ex turpi causa doctrine) or, put another way, whether the basis of the fine may be considered quasi-criminal. By way of analogy, in the case of Safeway v Twigger the UK courts determined that a penalty for anti-competitive practices in breach of the Competition Act was not recoverable on these grounds.
In the case of GDPR fines, it must be highly doubtful that fines for fraudulent conduct are insurable; but there is a debate to be had in relation to the insurability of fines for innocent or negligent behaviour, including whether it is correct to determine insurability by reference to conduct on a case by case basis.
In January 2019 the Global Federation of Insurance Associations called for clarity from the Organisation for Economic Cooperation and Development (OECD) regarding the insurability of fines and penalties following privacy breaches. The OECD's insurance and private pensions committee is considering the issue. Until these issues are resolved, we are left with the unsatisfactory position that policyholders cannot count on coverage for fines and, conversely, insurers may be exposed to them if they have agreed to underwrite that risk.
These legal and regulatory issues drive exposure to underlying loss, and the extent of coverage, in tandem with evolving cyber and data risk. In the meantime, the insurance market is responding with innovative insurance products aimed at mapping and mitigating risk. By way of example, some insurers are partnering with cyber security companies to offer cover in tandem with advice on cyber security and GDPR compliance policies, or to measure objectively and score the insured's network's resilience to evaluate the insurer's risk. These types of products may become more widespread as a means for insurers to assess, control and manage their exposure to legal and regulatory risks in the cyber and data sphere.
Greig Anderson is partner, Rachelle Waxman is senior associate and Sarah Irons is professional support consultant, all at law firm Herbert Smith Freehills.