Survey Tracks Global Cyber-Risk Perception Leading into GDPR Implementation

February 27, 2018

The upcoming implementation of the European Union's General Data Protection Regulation (GDPR) that takes effect in May 2018 has elevated cyber risk to the top of the corporate agenda for organizations doing business in Europe, according to Marsh's Global Cyber Risk Perception Survey analyzed in a report titled GDPR Preparedness: An Indicator of Cyber Risk Management.

GDPR-impacted organizations are already feeling the effect of cyber threats, with 23 percent of respondents stating that their European organizations were subject to a successful cyber attack in the past year.

"The imminent implementation of the GDPR is spurring firms to take a fresh look at their cyber risk, not just their privacy protocols," said John Drzik, president of Global Risk & Digital at Marsh. "This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management, including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident."

Organizations responded that they intend to spend more on cyber-risk management. Of those respondents whose organizations have plans for GDPR implementation, 78 percent said that they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance. Notably, 52 percent of those who do not have a plan for GDPR indicated that their investment in cyber-risk management would increase.

GDPR readiness will require additional attention in the immediate future. Just 8 percent of respondents at GDPR-affected organizations asserted that their firms were fully compliant, 57 percent of respondents indicated that their organizations were developing compliance plans, and 11 percent said that they had yet to start. Smaller organizations were more likely not to have a plan for GDPR with 19 percent of respondents from businesses with less than $50 million in annual revenue replying that no plan was in place.

According to Marsh, "as organizations prioritize cybersecurity, they look for guidance about improving their readiness for the inevitable attack."

A number of cyber-security regulations and guidance documents have recently emerged across the globe, as outlined below.

Two main regulatory movements aimed at increasing cyber security have taken place in the European Union.

The NIS Directive (in force 2016; adoption into national law 2018)

The EU GDPR (2016)

  • It impacts any organization that transmits data of any EU resident, regardless of the company's location.
  • GDPR noncompliance can lead to fines of up to 4 percent of annual revenue or €20 million.
  • GDPR enforcement begins on May 25, 2018.

The United Kingdom's Information Commissioner's Office released guidance on the GDPR (2017).

The European Commission released a website with guidance on GDPR implementation: "2018 Reform of EU Data Protection Rules" (2018).

The United States has a growing list of regulations, initiatives, and guidance.

The United States passed four cyber acts in 2014 and 2015.

  • Cybersecurity Information Sharing Act (2014/2015)
  • Cybersecurity Enhancement Act of 2014
  • Federal Exchange Data Breach Notification Act of 2015
  • National Cybersecurity Protection Advancement Act of 2015

Presidential Executive Order 13636, Improving Critical Infrastructure Cybersecurity, was issued by President Obama in 2013, prompting the National Institute of Standards and Technology to issue version 1.0 of the Cybersecurity Framework (2014). An updated draft version 1.1 is pending finalization (2018).

The National Association of Insurance Commissioners (NAIC) issued NAIC Principles for Effective Cybersecurity: Insurance Regulatory Guidance (2015).

The Securities and Exchange Commission carried out a cybersecurity examination initiative covering the asset management sector, and the Office of Compliance Inspections and Examinations released a summary of its observations (2014–2017).

The New York Department of Financial Services released a final rule that established cyber-security requirements for financial services companies (2017).

The NAIC adopted the Insurance Data Security Model Law (2017).

Elsewhere in the world, China, Japan, Singapore, and Australia all passed cyber-security regulations in 2016 that came into force during 2017.
