Complying with New EU Data Rule Brings Cyber Best Practices to ForeCyber Practice Leader at Marsh
The EU General Data Protection Regulation is set to bring far-reaching changes to Europe’s data protection and privacy rules. The GDPR, which will take effect in May 2018, establishes requirements governing how organizations around the world manage and protect personal data while doing business in the EU. The regulations are strict and the potential penalties high—fines up to 20 million euros ($23.5 million) or 4 percent of global turnover, whichever is greater.
But new rules can also inspire positive change. Such is the case with the GDPR, which has prompted many companies to evaluate and improve on how they manage their overall cyber risk. With the GDPR deadline fast-approaching, some companies appear to be further ahead than others in compliance planning, according to a global survey regarding corporate cyber-risk perception conducted by Marsh.
Marsh’s independent analysis of the survey’s findings highlight three key points:
1. Cyber risk is a top priority at organizations that report they are also preparing for GDPR.
The regulation comes at a time when cyber risk is—or should be—on every company’s radar, a fact underscored by survey respondents. In an age of technology-driven disruption, the threat of evolving cyber risks is real. The WannaCry and Petya ransomware attacks in 2017 impacted the share prices of several global companies and did significant damage to a number of smaller firms. They served as one in a string of reminders that any company that is connected to the Internet, that uses technology, or that stores customer or employee data is at risk—a list that excludes almost no one.
2. GDPR compliance efforts are encouraging broader cyber-risk management practices.
Organizations preparing for the GDPR are doing more to address cyber risk overall than those that have yet to start planning, according to survey respondents. And this is happening despite the fact that the GDPR does not showcase a “prescriptive” set of regulations with a defined checklist of compliance activities. Instead, GDPR preparedness appears to be both a cause and consequence of overall cyber-risk management.
Survey respondents who said their organizations were actively working toward GDPR compliance—or felt that they were already compliant—were three times more likely to adopt overall cybersecurity measures and four times more likely to adopt cyber resiliency measures than those that had not started planning for GDPR.
Practices such as cyber incident planning and cyber insurance are not explicitly required by the GDPR, but those that said their organizations had high levels of GDPR readiness had also adopted these measures. This works both ways—organizations that have adopted a cybersecurity measure such as encryption also have a jumpstart on GDPR compliance since encryption is strongly encouraged. And, while cyber incident planning and cyber insurance are not explicitly required, they still enable firms to quickly marshal the resources to meet the GDPR’s 72-hour data breach notification requirement.
3. Even organizations with a higher degree of GDPR readiness may not be fully prepared for a cyber incident.
Consider third-party vulnerabilities. For years now we have known that weaknesses in suppliers, vendors, and other third parties are prime entry points into a system for threat actors. The good news is that most organizations now realize this, as indicated by the 67 percent of respondents who said they assess the cyber risk of vendors and suppliers.
However, digging into what such assessments entail shows a somewhat alarming lack of detail. For example, only 17 percent of respondents said that they have assessed the financial strength of their suppliers/vendors, something that is at the heart of the ability to pay compensation in the event of a loss.
With GDPR implementation just months away, among organizations subject to the GDPR, 8 percent said they were fully compliant, 57 percent were developing a compliance plan, and 11 percent had yet to start. Given the effort needed to comply, this suggests many organizations will face challenges meeting all requirements by the time GDPR takes effect in May 2018.
Those who are ahead recognize the GDPR compliance process as a game-changing opportunity. Preparation has effectively focused executive attention on broader data protection and privacy issues, prompting related investments and commitment. In preparing for the new rules, organizations are strengthening their overall cyber-risk management posture and turning what is often viewed as a constraint into a competitive advantage.