The international survey polled over 1,300 senior executives whose organizations offer products or services in the EU. 65% of respondents said they now consider cyber a top risk. This number has roughly doubled in the last year, as only 32% of respondents rated cyber as a top five risk in a similar Marsh survey conducted in 2016.

Related: Insurance-linked securities and cyber risk 

Some are acting in response to the growing threat, as 23% of GDPR-impacted organizations say they were subject to a successful cyber-attack in the past year.

"The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols," said John Drzik, President of Global Risk & Digital at Marsh. "This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident." 

Preparing for the GDPR 

Of the organizations subject to GDPR, two-thirds are preparing for or are compliant with the new rules taking effect this upcoming spring. As illustrated in the graphic to the right, 57% are in the process of developing a plan for compliance, and 8% say they are already fully compliant of the new impending rules.

The positive effects of the GDPR are already making themselves evident. The "GDPR Preparedness" report says organizations' preparation alone is creating a strong focus on expanding data protection and privacy issues, prompting related investments.

The majority of respondents said they intend to spend more on cyber risk management. Of the organizations with plans for GDPR implementation, 78% plan to increase spending on cyber risk management over the next 12 months, including spending on cyber insurance. Among companies without a plan for GDPR, 52% also say they plan to increase spending on cyber risk management.

Related: Lloyd's: 92% of European businesses suffered a cyber breach in past 5 years 

Cyber risk management measures

Marsh surveyors asked respondents about the different cyber risk security measures their organizations have invested in or adopted in the last 12 to 24 months.

Among organizations compliant or developing a GDPR plan, here are the most popular cyber risk management measures adopted in the last 12 to 24 months:

• Conducted a cybersecurity gap assessment (67%)
• Implemented/enhanced phishing awareness training for employees (66%)

(Measures explicitly or strongly implied by GDPR):

• Encrypted organizational desktop and laptop computers (56%)
• Conducted penetration testing (56%)
• Improved vulnerability and patch management (56%)
• Identified external legal, public relations and/or cybersecurity experts to provide support during a cyber incident (31%)

From this question, Marsh data researchers concluded that the cyber risk management activities with the highest levels of participation were cybersecurity measures focused on defense.

In addition, this question (along with others) highlighted how a large portion of companies are not yet prepared for the GDPR to be enacted in May, or currently have no plans to comply with the new regulations. This analysis posed further questions about the effects and challenges this may create for those companies.

Thomas Reagan, Marsh's US Cyber Practice Leader, says, "Given the effort needed to comply, organizations that have yet to make plans are likely to face challenges to meet all the requirements when GDPR takes effect in May 2018. Focusing leadership attention on complying with GDPR is critical. Increased management attention on this issue can also be leveraged to strengthen a firm's overall cyber risk management, broadening a regulatory compliance effort into a source of cybersecurity resilience."

You can read about the full details and conclusions of the report on Marsh's website.