In May 2018, the European Union will implement the new General Data Protection Regulation (GDPR), and companies are making major policy changes to prepare for its introduction.


In what Marsh calls "the most significant overhaul of privacy law in a generation," the GDPR will bring enormous changes to Europe's data protection and privacy rules. The regulation establishes global requirements about how organizations that do business in the European Union must manage and protect personal data, while strengthening the privacy rights of residents throughout the EU.


In anticipation of the new regulation, Marsh has released the results and analysis of a recent survey in a new report, titled "GDPR Preparedness: An Indicator of Cyber Risk Management."


Correlation between GDPR and cyber risk

The new study says the upcoming implementation of the EU's General Data Protection Regulation (GDPR) has elevated cyber risk to the top of the corporate agenda for organizations doing business in Europe. From the results of the survey, the report concludes that cyber risk management is both a cause and consequence of GDPR compliance, as the rules encourage businesses to adopt more rigid data protection practices.


The international survey polled over 1,300 senior executives whose organizations offer products or services in the EU; 65% of respondents said they now consider cyber a top risk. That number has roughly doubled in the last year, as only 32% of respondents rated cyber as a top five risk in a similar Marsh survey conducted in 2016.


Some are acting in response to the growing threat, as 23% of GDPR-impacted organizations say they were subject to a successful cyber attack in the past year.

"The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols," said John Drzik, president of Global Risk & Digital at Marsh. "This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident."


Gearing Up

The positive effects of the GDPR are already making themselves evident. The "GDPR Preparedness" report says organizations' preparation alone is creating a strong focus on expanding data protection and privacy issues, prompting related investments.


Of the organizations with plans for GDPR implementation, 78% plan to increase spending on cyber risk management over the next 12 months, including spending on cyber insurance. Among companies without a plan for GDPR, 52% also say they plan to increase spending on cyber risk management.


Marsh surveyors asked respondents about the different cyber risk security measures their organizations have invested in or adopted in the last 12 to 24 months.


Among organizations compliant or developing a GDPR plan, here are the most popular cyber risk management measures adopted in the last 12 to 24 months:

  • Conducted a cyber security gap assessment (67%)

  • Implemented/enhanced phishing awareness training for employees (66%)

  • Encrypted organizational desktop and laptop computers (56%)

  • Improved vulnerability and patch management (56%)

  • Identified external legal, public relations and/or cybersecurity experts to provide support during a cyber incident (31%)

From this question, Marsh data researchers concluded that the cyber risk management activities with the highest levels of participation were cyber security measures focused on defense.


In addition, this question (along with others) highlighted how a large portion of companies are not yet prepared for the GDPR to be enacted in May, or currently have no plans to comply with the new regulations. This analysis posed further questions about the effects and challenges this may create for those companies.

"Given the effort needed to comply, organizations that have yet to make plans are likely to face challenges to meet all the requirements when GDPR takes effect in May 2018," says Thomas Reagan, Marsh's U.S. Cyber Practice leader. "Focusing leadership attention on complying with GDPR is critical. Increased management attention on this issue can also be leveraged to strengthen a firm's overall cyber risk management, broadening a regulatory compliance effort into a source of cybersecurity resilience."


Check out the full report at http://bit.ly/2zfZJiu.
