International cyber threats and vulnerabilities are quickly becoming the “new normal.” In fact, the number of significant cyber breaches has been steadily increasing for years. According to the Online Trust Alliance, in 2017 the number of incidents nearly doubled from the year prior, most of which had global impacts. In an effort to unify the region’s privacy laws and protect the personal data of its citizens, the European Union (EU) has adopted the General Data Protection Regulation (GDPR), effective May 25, 2018.
Who it Impacts
While the regulation originates in the EU, its implications reach far beyond the borders of its member countries. The GDPR may apply to any entity that processes (collects, uses, discloses or stores) the personal data of citizens of the EU. Unfortunately, many organizations outside the EU are not aware that they fall within the scope of the GDPR and its breach notification requirements. As a result, these organizations may face hefty fines, sanctions and litigation after May 25, 2018, for failing to comply with the regulation.
Understanding Your Exposure
Engaging with the risk management and cyber liability experts at RCM&D can help you take the first step toward understanding your exposures and determining if your operations fall within the scope of the GDPR. After reviewing your potential GDPR exposures, your RCM&D consultant will refer your business or organization to an appropriate third-party technology, legal and/or compliance vendor that can further help you understand and address the new regulations.
Cyber Liability Coverage
Most cyber liability carriers include a regulatory defense and penalties insuring clause in their cyber policy. As long as the EU does not deem the fines uninsurable, the regulatory coverage should respond in the event of a breach. However, GDPR fines and penalties can be quite high, and as a result the typical regulatory coverage limit on a cyber policy may not be large enough in the event of a GDPR breach.
Organizations that have significant GDPR exposure should engage their RCM&D consultant to investigate with the cyber carrier as to whether it is possible to increase the regulatory defense and penalties limit.
For a more in-depth overview of the GDPR and its requirements, how U.S. businesses can prepare, and the consequences of failing to comply, download the full article, "GDPR Enforcement Begins May 25, 2018."
To discuss the GDPR requirements or your organization's general cyber liability exposures, contact me directly at cmartin@rcmd.com or at 804.237.5923.