Responsive Regulation in practice : The role of cyber insurance in GDPR compliance and enforcement
Sinikallio, Samppa (2025)
Master's Programme in Business Studies
Faculty of Management and Business
This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Date of approval
2025-11-20
Permanent address of the publication
https://urn.fi/URN:NBN:fi:tuni-2025112010802
Abstract
The European Union's General Data Protection Regulation (GDPR) is perhaps the most significant data protection framework shaping organisational practices, and it continues to do so. Compliance with the GDPR's provisions requires investment in data protection measures, and failure to comply has resulted in substantial financial penalties. At the same time, the cyber insurance market has grown rapidly, in part because organisations seek protection against the risks associated with data breaches and regulatory violations. This makes the relationship between the GDPR and cyber insurance a timely, interesting and relevant topic of research.
The goal of the study is to examine how the GDPR and cyber insurance are interconnected, and in what ways cyber insurance could have an impact on GDPR enforcement. The main theory of the study is Responsive Regulation Theory, and through the lens of this theory the relationship between cyber insurance (a private actor) and GDPR enforcement (the regulator) is analysed.
The study was conducted as a qualitative study in which data was collected through semi-structured interviews with three Finnish cyber insurance experts. The interview data was analysed using thematic analysis, and the results were compared with the theoretical framework of the study.
The results show that insurers can be seen to play a role, albeit an indirect one, in promoting GDPR compliance. While insurers' role as quasi-regulators is limited to the lower levels of the regulatory pyramid (education and persuasion), they are able to influence organisational behaviour through coverage, pricing and guidance. Insurance-driven enforcement arguably complements formal regulation, but its effectiveness is somewhat diminished by factors such as the cyclical nature of the cyber insurance market.
