In May 2018, the European Union will implement the new General Data Protection Regulation (GDPR), and companies are making major policy changes in preparation for its implementation.


In what Marsh calls "the most significant overhaul of privacy law in a generation," the GDPR will bring enormous changes to Europe's data protection and privacy rules. The regulation establishes global requirements about how organizations that do business in the EU must manage and protect personal data, while strengthening the privacy rights of residents throughout the EU.


In anticipation of the new regulation, Marsh has released the results and analysis of a recent survey in a new report, titled "GDPR Preparedness: An Indicator of Cyber Risk Management."


Emerging correlation between GDPR and cyber risk

The new study says the upcoming implementation of the European Union's General Data Protection Regulation (GDPR) has elevated cyber risk to the top of the corporate agenda for organizations doing business in Europe. From the results of the survey, the report concludes that cyber risk management is both a cause and a consequence of GDPR compliance, as the rules encourage businesses to adopt more rigorous data protection practices.


The international survey polled over 1,300 senior executives whose organizations offer products or services in the EU. 65% of respondents said they now consider cyber a top risk. This number has roughly doubled in the last year, as only 32% of respondents rated cyber as a top five risk in a similar Marsh survey conducted in 2016.


Some are acting in response to the growing threat, as 23% of GDPR-impacted organizations say they were subject to a successful cyber-attack in the past year.


"The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols," said John Drzik, President of Global Risk & Digital at Marsh. "This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident."


Preparing for the GDPR

Of the organizations subject to GDPR, two-thirds are preparing for or are compliant with the new rules taking effect this upcoming spring. As illustrated in the graphic to the right, 57% are in the process of developing a plan for compliance, and 8% say they are already fully compliant with the new impending rules.


The positive effects of the GDPR are already making themselves evident. The "GDPR Preparedness" report says organizations' preparation alone is creating a strong focus on expanding data protection and privacy issues, prompting related investments.


The majority of respondents said they intend to spend more on cyber risk management. Of the organizations with plans for GDPR implementation, 78% plan to increase spending on cyber risk management over the next 12 months, including spending on cyber insurance. Among companies without a plan for GDPR, 52% also say they plan to increase spending on cyber risk management.


Cyber risk management measures

Marsh surveyors asked respondents about the different cyber risk security measures their organizations have invested in or adopted in the last 12 to 24 months.


Among organizations compliant or developing a GDPR plan, here are the most popular cyber risk management measures adopted in the last 12 to 24 months:

  • Conducted a cybersecurity gap assessment (67%)
  • Implemented/enhanced phishing awareness training for employees (66%)

(Measures explicitly or strongly implied by GDPR):

  • Encrypted organizational desktop and laptop computers (56%)
  • Conducted penetration testing (56%)
  • Improved vulnerability and patch management (56%)
  • Identified external legal, public relations and/or cybersecurity experts to provide support during a cyber incident (31%)

From this question, Marsh data researchers concluded that the cyber risk management activities with the highest levels of participation were cybersecurity measures focused on defense.


In addition, this question (along with others) highlighted how a large portion of companies are not yet prepared for the GDPR to be enacted in May, or currently have no plans to comply with the new regulations. This analysis posed further questions about the effects and challenges this may create for those companies.


Thomas Reagan, Marsh's US Cyber Practice Leader, says, "Given the effort needed to comply, organizations that have yet to make plans are likely to face challenges to meet all the requirements when GDPR takes effect in May 2018. Focusing leadership attention on complying with GDPR is critical. Increased management attention on this issue can also be leveraged to strengthen a firm's overall cyber risk management, broadening a regulatory compliance effort into a source of cybersecurity resilience."


You can read about the full details and conclusions of the report on Marsh's website.
