This report provides a comprehensive view of the expanding sources of cyber fines and penalties across EMEA jurisdictions. It explores how enforcement is becoming more assertive and how the insurability of cyber fines and penalties remains uncertain.
As cyber incidents increase across every industry sector and countries, so do the new regulations aimed at promoting greater cyber resilience; introducing more fines and penalties for companies, executives and board members who fail to ensure compliance.
Expanding Regulatory Reach
The report reveals that the regulatory perimeter for cyber fines has expanded sharply. The EU, for example, has introduced major regulatory frameworks such as DORA (the Digital Operational Resilience Act) and the NIS2 Directive (Network and Information Security). The UK has recently published the Cyber Security and Resilience Bill. As a result of these new rules, where enforcement is more assertive, technical and multi-layered, the insurability of any fines and penalties is uncertain.
Insurance Constrained
Many jurisdictions restrict or prohibit insurance for criminal or punitive administrative fines on public policy grounds. Where cover is available, it is typically constrained to the extent insurable by law, excluding deliberate or gross negligence.
Other costs following an investigation are more consistently insurable. These may include:
- Defence costs
- Investigation
- Notification
- Public relations support
- Business interruption and restoration
'The insurability of cyber fines remains an uncertain and jurisdiction-specific issue. This report highlights the importance of understanding local legal nuances, the need for close collaboration amongst legal, risk and insurance functions, and the imperative of staying ahead of regulatory developments.'
Pablo Constenla
Head of Coverage and Claims, Cyber Solutions & Financial Lines EMEA
Boardrooms at Risk
Findings from the report show that non-monetary penalties can be as disruptive as fines. These measures can include orders to cease processing, undergo audits, suspend operations or revoke licences.
In addition, boards and senior management face heightened accountability with new regulatory regimes raising expectations around proper oversight, investment and preparedness in risk mitigation.
'With significant cyber regulations coming into force across EMEA, the insurability of cyber fines is a critical, evolving matter. As enforcement intensifies globally, understanding the legal implications and insurance constraints are essential.
Charlie Weston-Simons'
Partner, A&O Shearman
