
As the now-familiar graphic below illustrates, Privacy Regulatory Liability Coverage is the last of the four basic coverages found in most cyber policies. I’ve covered the basics of the other coverages here, here, here, and here.

Privacy Regulatory Liability Coverage is intended to cover loss a company sustains as a result of regulatory investigations and claims. For that reason calling this a liability coverage is only partially correct. Unlike the other liability coverages which respond only to claims by third parties, privacy regulatory coverage also covers costs a company incurs to respond to regulatory investigations.

Regulatory coverage is immensely important in the current cyber risk environment. Regulators around the world have never been more active. In the US, after a year of an administration that is generally friendly to business, federal regulators such as the Federal Trade Commission and the Office of Civil Rights in the Department of Health and Human Services continue to aggressively enforce laws protecting consumer privacy. Recently the Securities and Exchange Commission announced that cyber security will be an examination priority in 2018. State attorneys general are also focused on cyber security issues; actions taken following the Equifax breach are a good example.

Regulators outside the US are, or are poised to be, similarly active. A few examples:

  • The UK Information Commissioner’s Office (ICO) energetically enforces the Data Protection Act and other laws. In January 2018 alone the ICO issued over £1.7 million in fines.
  • The UK government has stated that critical infrastructure companies may be fined up to £17 million if they do not have effective cyber security measures.
  • In 2017 the Italian government fined five companies €11 million for improperly accessing personal information of over 1000 individuals as part of a money laundering scheme.
  • The EU General Data Protection Regulation will be effective on May 25, 2018. Violations of the GDPR carry the potential for fines of €20 million or 4% of a company’s global revenues for the previous year, whichever is greater.
  • Under China’s new Cybersecurity Law, which became effective on June 1, 2017, companies may face fines up to ¥1 million (roughly $160,000) for non-compliance. Fines have already been issued.
  • In December 2017, and again in January 2018, the South Korean government issued fines against several Bitcoin exchanges for various privacy violations.

In light of the regulatory activity around the world, regulatory coverage is something companies have to get right in their cyber policies.


So what does good regulatory coverage look like? First and foremost, a company needs to ensure that its coverage is tailored to its unique regulatory environment. Here are a few things to keep in mind:

Coverage should not be limited to data privacy

In many policies regulatory coverage is limited to regulatory claims and investigations concerning data privacy. Regulators’ interests are broader than that though. Outside the US regulators may be concerned with matters like the processing and storage of private information, the right to be forgotten (which applies to public information), and the publication of prohibited information. Regulators also concern themselves with cyber attacks on companies’ computer systems. Regulatory coverage needs to address as much of what regulators take an interest in as possible.

Coverage should include claims by a wide variety of regulators

Cyber policies may limit the types of regulators whose actions trigger coverage. Policies often cover actions by or on behalf of government agencies. Not every regulator is part of a government though; FINRA in the US is a good example. Legislative bodies are increasingly getting into the act and conducting investigations of cyber events. Companies need to determine who their regulators are and then ensure that regulatory coverage is broad enough to include them.

Coverage should not be limited to claims involving specific laws

It is not unusual for a cyber policy to specify a short list of laws and regulations that can be the basis for a regulatory claim and to include a “catch-all” covering other similar laws that govern data collection and protection. That may seem fine, but regulators may look to other laws to bring an action against a company. For example, a regulator could assert that a company committed fraud by misrepresenting in its privacy policy how data would be obtained and used. The law prohibiting fraud may have nothing at all to do with data security practices. In that situation an insurer could (though hopefully wouldn’t) argue that the claim isn’t covered.

Watch out for sublimits

In recent years insurers have frequently sublimited regulatory coverage, and the sublimits were often very low. While the trend now is to provide regulatory coverage up to the full policy limit, it is still possible to end up with a cyber policy that carries a sublimit. While excess coverage may be available over low regulatory sublimits, the excess policies will have similarly low sublimits. In view of increased scrutiny and enforcement by regulators around the world, a sublimit for regulatory coverage can leave a company with a substantial uninsured loss.

Fines and penalties coverage needs to be sufficiently broad

Regulators often seek to impose fines and penalties. Cyber policies, like most others, typically exclude fines and penalties. While there are often exceptions for regulatory fines and penalties, it is essential that the exceptions be broad enough.

Claims by regulators as customers

Regulators, government agencies, and law enforcement entities may be your customers. A good cyber policy should be crafted to ensure that claims by regulators in their capacities as customers are covered under privacy liability, security liability, or other insuring clauses, not under a regulatory liability insuring clause.