Data protection
Nov 26 2018

Data breaches could force advisers out of business

Financial services companies could find themselves in trouble as they are not ready to handle any fallout from breaching the General Data Protection Regulation, experts have said. 

The European rules known as GDPR, which came into force in the UK in May, enforce penalties on companies found to have misused or mismanaged clients' personal data. 

But while most businesses across Europe currently adhere to the new regime, many have not revisited their compliance and legal documentation, nor administrative and crisis procedures, which could prove as punitive as flouting the rules, experts warned.

Problems could arise in the event of a cyber attack, for instance. According to UK government figures published in April, more than four in ten businesses had experienced a cyber security breach or attack in the previous 12 months.

Paul Towler, senior partner at JLT, said being compliant did not automatically lead to a business being ready in the event of a data breach or falling foul of the rules. 

He said fines issued in relation to GDPR may not be covered by a firm's insurance. While some insurance may cover defence and legal costs, policies that were taken out before the implementation of the GDPR rules may not cover anything associated with it. 

Mr Towler suggested firms check their documentation. 

He also said while some large financial services companies had wide-ranging sophisticated professional indemnity insurance, smaller firms, including some IFAs, may not.

This left them open to fees for forensic accounting, public relations work and IT consultants to rectify problems and get a company back online in the case of a data breach.

He said: "The vast majority of firms spent time and effort preparing the best they can for GDPR, they have done many of the changes internally, now they need to be prepared for when something happens." He added there was "more appetite for standalone cyber cover".

Tim Hickman, partner at legal firm White and Case, said companies should remember that although fines are expected to be issued as a last resort, the quantum of the fines for GDPR breaches – up to €20m (£17.7m) – could outstrip any insurance cover for administrative or legal matters.

Mr Hickman estimated most companies did not yet fully adhere to all aspects of GDPR but were on a compliance journey to doing so.

The experts advised firms to check both their cover and procedures in relation to third parties and suppliers as they could find their policies do not cover GDPR-related issues.

Such cover could help in a breach situation by providing emergency back-up and administrative solutions as many small companies may have never experienced this before and struggle to react in a correct and timely fashion, they said. 

Any breach has to be reported within 72 hours, for example, or companies can be hit with a fine. 

Duc Tran, senior associate at Herbert Smith Freehills and a specialist on data protection, said a lot of the organisations the law firm worked with had put in place data breach response-related policies and procedures as part of their compliance programmes.

Mr Tran said: "The better prepared organisations have done their best to stress test these policies and procedures, but data breaches are, by their nature, unpredictable – particularly those involving the actions of third parties – and so it is challenging for organisations to be fully prepared in advance for every feasible scenario which could arise."