Cyber and GDPR
Cyber risk and the forthcoming changes to data protection under the GDPR in 2018 are current hot topics and OPDU has received a number of enquiries about cover for these matters under our pensions trustee liability policy.
- Losses arising from cyber events are covered under OPDUs PTL policy where an allegation of Wrongful Act by a trustee or pensions employee has been made in accordance with the policy.
- In this case it does not matter whether the event leading to the allegation arose because of a cyber incident or otherwise because an allegation of Wrongful Act has been made and it is this which triggers a response from the policy.
- Almost all schemes use third party providers such as administrators. In the event that an administrator fails to supply the service promised under the contract due to a cyber event the OPDU policy may also respond if you have Third Party Pursuit extension.
- In this case the policy will pay the costs of pursuing the third party for redress and may also cover any excess losses which could not be recovered subject to the policy terms and conditions.
- Investigations will also be covered which stem from a cyber event becoming known. In this case there is no requirement of an allegation of Wrongful Act.
- We would encourage trustees to review their contracts with their party providers to ensure that adequate provision is made for losses arising from cyber events.
- The new data protection regime takes effect in 2018 and this will mean extra duties for trustees and potentially significantly higher fines for breaches.
- OPDUs PTL policy covers trustees and pensions employees for civil fines and penalties including data protection provided that an allegation of Wrongful Act has been made and the penalty is not criminal. OPDUs policy will continue to provide this cover under the new GDPR regime in 2018 subject to the policy limits.
- You will be asked what actions your scheme has taken to cater for the new regime on renewal or for a new application.
- Investigations will also be covered which stem from a data breach becoming known. In this case there is no requirement of an allegation of Wrongful Act.
- Many administrators are declining to increase contract indemnities given to the trustees, arguing that under the new regime they become in scope for a potential fine. If they have not already done so we would suggest that the trustees consider our Any One Claim Extension, whereby the policy limit applies to every claim separately rather than as an annual aggregate limit. This may provide greater levels of protection for the trustees in the event of a large fine being imposed.
- We would encourage trustees to review their contracts with their third party providers to ensure that adequate provision is made for the new regime.
For further information please get in touch.