In May 2018, the European Union will implement the new General Data Protection Regulation (GDPR), and companies are making major policy changes to prepare for it to take effect.

In what Marsh calls "the most significant overhaul of privacy law in a generation," the GDPR will bring enormous changes to Europe's data protection and privacy rules. The regulation establishes global requirements about how organizations that do business in the European Union must manage and protect personal data, while strengthening the privacy rights of residents throughout the EU.

In anticipation of the new regulation, Marsh has released the results and analysis of a recent survey in a new report, titled "GDPR Preparedness: An Indicator of Cyber Risk Management."


Correlation between GDPR and cyber risk

The new study says the upcoming implementation of the EU's General Data Protection Regulation (GDPR) has elevated cyber risk to the top of the corporate agenda for organizations doing business in Europe. From the survey results, the report concludes that cyber risk management is both a cause and a consequence of GDPR compliance, as the rules encourage businesses to adopt more rigorous data protection practices.

The international survey polled over 1,300 senior executives whose organizations offer products or services in the EU; 65% of respondents said they now consider cyber a top risk. That number has roughly doubled in the last year, as only 32% of respondents rated cyber as a top five risk in a similar Marsh survey conducted in 2016.

Some are acting in response to the growing threat, as 23% of GDPR-impacted organizations say they were subject to a successful cyber attack in the past year.

"The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols," said John Drzik, president of Global Risk & Digital at Marsh. "This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident."


Gearing Up

The positive effects of the GDPR are already making themselves evident. The "GDPR Preparedness" report says organizations' preparation alone is creating a strong focus on expanding data protection and privacy issues, prompting related investments.

Of the organizations with plans for GDPR implementation, 78% plan to increase spending on cyber risk management over the next 12 months, including spending on cyber insurance. Among companies without a plan for GDPR, 52% also say they plan to increase spending on cyber risk management.

Marsh surveyors asked respondents about the different cyber risk security measures their organizations have invested in or adopted in the last 12 to 24 months.

Among organizations compliant or developing a GDPR plan, here are the most popular cyber risk management measures adopted in the last 12 to 24 months:

  • Conducted a cyber security gap assessment (67%)

  • Implemented/enhanced phishing awareness training for employees (66%)

  • Encrypted organizational desktop and laptop computers (56%)

  • Improved vulnerability and patch management (56%)

  • Identified external legal, public relations and/or cybersecurity experts to provide support during a cyber incident (31%)

From this question, Marsh data researchers concluded that the cyber risk management activities with the highest levels of participation were cyber security measures focused on defense.

In addition, this question (along with others) highlighted that a large portion of companies are not yet prepared for the GDPR to take effect in May, or currently have no plans to comply with the new regulation. This analysis raised further questions about the effects and challenges this may create for those companies.

"Given the effort needed to comply, organizations that have yet to make plans are likely to face challenges to meet all the requirements when GDPR takes effect in May 2018," says Thomas Reagan, Marsh's U.S. Cyber Practice leader. "Focusing leadership attention on complying with GDPR is critical. Increased management attention on this issue can also be leveraged to strengthen a firm's overall cyber risk management, broadening a regulatory compliance effort into a source of cybersecurity resilience."

Check out the full report at http://bit.ly/2zfZJiu.


Danielle Ling

Danielle Ling is an experienced video journalist and business reporter. As associate editor, Danielle manages all multimedia and reports on industry news and risk-related coverage, managing all weather-related content. A University of Maryland and Philip Merrill College of Journalism alum, Danielle previously served as a video journalist for Verizon FiOS 1 News NJ, Push Pause.