In May 2018, the European Union will implement the new General Data Protection Regulation (GDPR), and companies are making major policy changes to prepare for its implementation.
In what Marsh calls “the most significant overhaul of privacy law in a generation,” the GDPR will bring enormous changes to Europe's data protection and privacy rules. The regulation establishes global requirements about how organizations that do business in the European Union must manage and protect personal data, while strengthening the privacy rights of residents throughout the EU.
In anticipation of the new regulation, Marsh has released the results and analysis of a recent survey in a new report, titled “GDPR Preparedness: An Indicator of Cyber Risk Management.”
Correlation between GDPR and cyber risk
The new study says the upcoming implementation of the EU's General Data Protection Regulation (GDPR) has elevated cyber risk to the top of the corporate agenda for organizations doing business in Europe. From the results of the survey, the report concludes that cyber risk management is both a cause and a consequence of GDPR compliance, as the rules encourage businesses to adopt more rigorous data protection practices.
The international survey polled over 1,300 senior executives whose organizations offer products or services in the EU; 65% of respondents said they now consider cyber a top risk. That number has roughly doubled in the last year, as only 32% of respondents rated cyber as a top five risk in a similar Marsh survey conducted in 2016.
Some are acting in response to the growing threat, as 23% of GDPR-impacted organizations say they were subject to a successful cyber attack in the past year.
“The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols,” said John Drzik, president of Global Risk & Digital at Marsh. “This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident.”
The positive effects of the GDPR are already becoming evident. The “GDPR Preparedness” report says organizations’ preparation alone is creating a strong focus on data protection and privacy issues, prompting related investments.
Of the organizations with plans for GDPR implementation, 78% plan to increase spending on cyber risk management over the next 12 months, including spending on cyber insurance. Among companies without a plan for GDPR, 52% also say they plan to increase spending on cyber risk management.
Marsh surveyors asked respondents about the different cyber risk security measures their organizations have invested in or adopted in the last 12 to 24 months.
Among organizations compliant or developing a GDPR plan, here are the most popular cyber risk management measures adopted in the last 12 to 24 months:
Conducted a cyber security gap assessment (67%)
Implemented/enhanced phishing awareness training for employees (66%)
Encrypted organizational desktop and laptop computers (56%)
Improved vulnerability and patch management (56%)
Identified external legal, public relations and/or cybersecurity experts to provide support during a cyber incident (31%)
From this question, Marsh data researchers concluded that the cyber risk management activities with the highest levels of participation were cyber security measures focused on defense.
In addition, this question (along with others) highlighted how a large portion of companies are not yet prepared for the GDPR to take effect in May, or currently have no plans to comply with the new regulations. This analysis raised further questions about the effects and challenges this may create for those companies.
“Given the effort needed to comply, organizations that have yet to make plans are likely to face challenges to meet all the requirements when GDPR takes effect in May 2018,” says Thomas Reagan, Marsh's U.S. Cyber Practice leader. “Focusing leadership attention on complying with GDPR is critical. Increased management attention on this issue can also be leveraged to strengthen a firm's overall cyber risk management, broadening a regulatory compliance effort into a source of cybersecurity resilience.”
Check out the full report at http://bit.ly/2zfZJiu.