In preparing for the impending implementation of the EU General Data Protection Regulation, many organizations today are elevating cyber-risk to the top of the corporate agenda, a new cyber-risk perception survey has found.

The survey, “GDPR Preparedness: An Indicator of Cyber Risk Management,” conducted by insurance broker Marsh, found that organisations are using the process of complying with the EU General Data Protection Regulation (GDPR) as an opportunity to beef up their cyber-risk management and resilience.

Furthermore, the survey found that respondents who said their organisations either complied with, or were developing a plan to comply with, the GDPR were more than three times as likely to adopt some cyber-security measures—and more than four times as likely to adopt some cyber-resiliency measures—as those who had not started planning.

The survey of over 1,300 executives worldwide also found that respondents with a higher level of GDPR readiness were more than 1.5 times as likely to purchase or strengthen their cyber-risk insurance to help offset the financial impact of a cyber-event.

Among respondents who said their organisation was subject to the GDPR, 65 percent viewed cyber-risk as a top-five risk management priority—little wonder given that one in four of them (23 percent) had been victims of a successful cyber-attack in the last year. Moreover, the threat of a cyber-attack leading to a data leak is significant, and fines for serious data breaches under the new regulation can rise to €20m or 4 percent of global turnover (whichever is greater). Thus, organisations need to equate GDPR compliance with good risk management.

Marsh believes that cyber-risk management is “both a cause and consequence of GDPR compliance.” In fact, a key provision of the EU regulation, which comes into effect next May, states that organisations must adopt “appropriate technical and organisational measures” to ensure a “level of security appropriate to the risk.”

Marsh states that “organisations with strong cyber-security measures have a jumpstart on compliance, since the GDPR strongly encourages certain practices, such as encryption.” It added that several other cyber-security-related measures can positively impact general GDPR compliance—for example, although cyber-incident planning and cyber-insurance are not explicitly required under the regulation, they enable firms to quickly marshal the resources to meet the GDPR’s 72-hour data breach notification guidance.

Other than having to notify regulators and data subjects of a breach within three days, the GDPR has few explicit requirements (though national regulators may provide additional guidance later). In fact, most of its provisions are recommendations rather than strict requirements; encryption, for example, is strongly encouraged rather than mandated.

This principles-based approach puts the onus on organisations to determine “appropriate” controls based on their risks and, with no ready-made checklist, requires them to look more deeply at their business operations and review how they protect personal data, especially since the regulation’s scope is extra-territorial. The GDPR applies to all organisations that collect or process data on EU residents, no matter where they are headquartered or operate. Any company that offers products or services in the EU may be affected.

Evidence suggests that organisations that are compliant or that are developing a GDPR plan are more likely to adopt cyber-risk management measures, irrespective of whether the regulation requires them to do so. For example, 56 percent of respondents in the Marsh survey have ensured that their work desktops and laptops are encrypted to prevent data losses, which is strongly encouraged—though not required—under the regulation.

What is the EU GDPR?

EU member states—including the United Kingdom (despite Brexit)—have had since May 2016 to prepare for the GDPR. The regulation comes into effect across the 27-nation bloc next May and its powers are sweeping: it affects all organisations gathering data on EU citizens anywhere in the world—not just European companies operating in the EU—and can impose fines of up to €20m or 4 percent of global turnover (whichever is greater) for serious compliance failures.
Other key points regarding the regulation include:
Organisations must gain explicit consent for the collection of specific categories of sensitive personal information.
There are new restrictions on the profiling of data subjects.
Organisations must maintain an inventory of where personal data exists and be able to demonstrate compliance with the regulation.
There is a legal requirement for organisations to appoint a data protection officer when core activities include the large-scale processing of special categories of personal data and/or criminal conviction information, or the systemic monitoring of data subjects.
Data privacy impact assessments will be required for certain new or changed products and services.
If organisations have suffered a personal data breach, they are required to notify both the regulator and data subjects “without undue delay”—meaning within 72 hours.
There are new and enhanced rights for data subjects, including the right to request access, correction, and deletion of personal data.
Regulatory or enforcement action will be led by a single regulator/authority.
As the implementation deadline looms closer, several membership bodies have issued guidance in recent weeks to help organisations get to grips with the compliance requirements.
Working with law firm Baker & McKenzie, the Institute of Chartered Secretaries and Administrators (ICSA), an organisation that promotes better corporate governance practices, issued guidance to facilitate conversations between the board and those within organisations responsible for dealing with data to help them deal more effectively with the implications of the forthcoming GDPR. Alongside an overview of the new legal landscape, the guidance highlights the strategic and practical considerations raised by GDPR. It includes a series of checklists that compliance professionals may find useful.
Meanwhile, the Information Security Forum (ISF), an organisation that champions IT security practices, has also issued its GDPR Implementation Guide, which includes best practice tips for compliance functions to prepare for the regulation coming into effect. The guide presents GDPR compliance in two phases: the first phase is to “prepare” by discovering personal data, determining its compliance status, and defining the scope of a GDPR compliance programme; while the second phase is to “implement” the GDPR requirements to demonstrate sufficient levels of compliance.
—Neil Hodge

The same proportion (56 percent) have conducted penetration testing and carried out improved vulnerability testing and patch management—again, without being forced to do so. Thirty-one percent have identified external legal, PR, and/or cyber-security experts to provide support during a cyber-incident—a precaution that the GDPR strongly implies that organisations should take.

Other cyber-risk management actions that organisations have carried out include conducting cyber-security gap assessments; providing enhanced phishing awareness for employees; requiring multifactor authentication for employees to have remote access to the company network; and developing cyber-response plans and scenario testing.

Marsh reports that GDPR preparation is focusing executive attention on broader data protection and privacy issues and prompting related investments. Among respondents with a higher level of GDPR readiness, 78 percent reported an increase in cyber-risk management spending, including on cyber-insurance.

Not many respondents to the Marsh survey, however, have made much progress toward full GDPR compliance. Just 8 percent of respondents said that their organisations were fully compliant. Over half (57 percent) said that their organisations were developing a compliance plan, while 11 percent had yet to start, and 24 percent did not know how far along in the process their organisations were.

Common factors. According to Marsh, organisations that have made the most progress in using GDPR compliance to review their cyber-security measures share three common characteristics.

Firstly, they understand that cyber-risk management is a shared responsibility that extends from the IT department to the executive suite. Regardless of size, Marsh said that many of these organisations have set up internal cross-functional taskforces or steering committees led by senior executives—sometimes including or reporting to the CEO.

Marsh said these organisations are using the GDPR compliance process to look comprehensively at how they collect, retain, use, and manage data across the enterprise. They are exploring new tools (such as the use of cloud services), are championing privacy rights, and have made significant investments to ensure that any information they possess is secure. More broadly, they are re-examining their privacy and data protection practices to ensure that people, processes, and technology are properly aligned.

Secondly, they treat cyber-events as inevitable. Instead of focusing only on preventing cyber-attacks, these organisations look to respond to incidents more quickly and reduce the potential damages, viewing the GDPR’s data breach notification requirement as an opportunity to develop stronger incident management protocols, for example, or encrypt their computer systems so that stolen data is rendered useless.

Thirdly, they take a quantitative and holistic approach. Because the GDPR compliance process requires organisations to implement measures that are appropriate to the potential threats they face, these forward-looking organisations have rigorously analysed their cyber-risk exposures—both internal and external—and have put a dollar amount on potential losses. As a result, they are not only investing in appropriate cyber-security defences, but are also strengthening cyber-incident response plans as well as other risk mitigation and resiliency measures.