Insurances - Risk management | published by Loyco | 26.09.2023

New data protection law: how are insurers responding?

September 1, 2023 marked the entry into force of the new Swiss Data Protection Act (nLPD), which aims to protect the personal data, including sensitive personal data, of individuals in Switzerland.
This legislation has raised questions about what it means for companies, and about the risks they take on when processing data on behalf of third parties.
Our Loycomates, risk management experts Grégoire Mottier and Lionel Ducommun, have examined this question from an insurance perspective and offer you a summary here.

Risk management according to ISO 31000

In the reference framework established by ISO 31000, the treatment of risks directly follows the three phases of risk assessment: identification, analysis and evaluation of the various risks.
[Figure: The 5 stages of risk management under ISO 31000]

Our survey of insurance companies

According to ISO 31000, “Risk management offers various strategies, one of which is to transfer or share the residual risk with an insurer, in return for a premium”.
Against this backdrop, our two experts conducted a survey of various insurance companies to clarify a number of key points:

  • Whether insurers will, in the short term, modify or restrict their “Liability for financial loss” cover in the context of claims for damages based on the application of the nLPD (for example, in the event of a culpable data leak).
  • Whether insurers will be able to cover (for example via Cyber cover) the fines of up to CHF 250,000 that can be imposed on the natural person responsible for data protection, for example in the event of failure to comply with minimum data security requirements.
    It should be noted that only an intentional act (including contingent intent, i.e. accepting the breach as a possible outcome) can result in such a penalty; mere negligence is not punishable under these provisions.
    Damage to the company’s reputation, however, is not addressed by either question and remains a risk in its own right.

Position of insurers contacted and survey findings

  • Insurance conditions for third-party liability are not expected to undergo any significant changes in the short term, either in terms of scope of coverage or premiums.
    This stability is explained by the fact that insurance conditions already referred to data protection legislation before the nLPD came into force.
    Insurers clearly prefer to observe the real effects of this new legislation before making changes to their products.
  • As a general rule, fines and penalties are not insurable.

Any insurance contract covering such fines would be considered immoral and therefore void under Article 20 of the Swiss Code of Obligations; under paragraph 2 of that article, the nullity is limited to the offending clause where the rest of the contract would have been concluded without it.
It should be noted, however, that the terms and conditions of third-party liability insurance for breaches of the law can vary considerably from one insurer to another.
In particular, the cause of the insured event must be examined carefully on a case-by-case basis, since it determines whether the claim falls under the liability cover, the cyber cover, or neither.

What to do in this context?

With the nLPD coming into force, the key to effective risk management lies in anticipation.
Organizations are encouraged to:

  • Ensure compliance with nLPD expectations (which should already be in place), including IT security.
  • Draw up a list of scenarios that could lead to a breach of the nLPD that could result in damages to third parties.
  • Make an inventory of existing insurance cover (Civil Liability and/or Cyber) and review it according to each scenario.
  • If necessary, contact your insurer or broker to clarify the points above and obtain the answers in writing.


In conclusion

The nLPD, while involving additional work for all organizations and creating some uncertainty, encourages organizations to strengthen their compliance and data security.
For more information on the Swiss nLPD, you can consult the official Swiss government page here, or contact our specialists for advice and support.