Bermuda was cited by underwriters at several large insurers, speaking to StrategicRISK about potential jurisdictions outside the EU that brokers are suggesting could be used to insure GDPR fines

St George's Bermuda

Uncertainty about whether regulatory penalties can be insured for Europe’s new General Data Protection Regulation (GDPR) law is leading to speculation about insuring fines outside Europe.

Bermuda was cited by underwriters at several large insurers, who preferred not to be named, speaking to StrategicRISK at Airmic 2018, about potential jurisdictions outside the EU that could be used to insure GDPR fines.

Singapore and Latin American jurisdictions such as Mexico and Colombia were also named as attracting broker interest. “Out of Europe – some of the more esoteric markets,” noted one cyber underwriter.

Under the GDPR rules that came into force across Europe on 25 May this year, regulators can fine firms up to 4% of annual worldwide turnover (or €20m, whichever is higher) for the most serious infringements, such as breaches of the core processing principles or of data subjects' rights. A lower tier of 2% of turnover (or €10m) applies to other breaches, including failures to meet security, record-keeping or breach-notification obligations.

One underwriter pointed to Spain as one European country where insurance has previously been used to pay small civil penalties, but it is unclear whether the same could happen under GDPR.

Bermuda was named by multiple sources as the jurisdiction attracting most interest among insurance brokers looking for a place where a policy might respond if a multinational were fined under GDPR by a European regulator.

“I don’t know whether it will work, but brokers are asking the question,” said a cyber underwriting source. “The point is that the brokers are trying to be innovative.”

Bermuda is already used as an underwriting jurisdiction for "punitive damages wraps", policies that cover punitive damages awarded in US litigation, which many US states bar insurers from covering domestically on public-policy grounds. “They get puni-wraps done in Bermuda, and the brokers are thinking about replicating that,” added the cyber underwriter.

“They have prior form,” suggested another cyber underwriting source.

Underwriters were coy about the legal conundrums involved. A claim could not be paid directly into Europe, but international bank transfers and the capital fungibility of large multinationals might facilitate the process. “Someone will get stung, we’re just not sure if it will be the client or the insurer,” said the same source.

Because GDPR is new legislation, a lack of case law means it is unclear whether firms could successfully insure a penalty under the new rules. The size of fines is also a matter of speculation, as firms do not yet know how close to the ceiling regulators will go.

“We don’t know how big fines are going to be or if the regulators are going to make examples of companies. Most companies can quantify a loss for business interruption or cyber extortion but for this it is impossible,” said the source.

The question of whether fines can be insured is of huge significance for cyber risk insurers as well as their worried clients. As one source noted: “If one fine is insurable, then all of our policies are exposed.”