A survey of 1,300 senior executives at companies doing business in the EU reveals that the most-prepared firms are using the General Data Protection Regulation (GDPR) as a catalyst to up their game in cyber risk management.
Eight months from now, the European Union will begin levying heavy fines on companies found noncompliant with the GDPR.
To comply, businesses that process EU customer data must: demonstrate accountability; appoint a Data Protection Officer (DPO) where the regulation requires one; apply appropriate safeguards when transferring personal data outside the EU; implement technical security measures such as encryption; be able to restore access to personal data after a cyberattack or other incident; and more.
Over the past few months, research and analytics firms around the world have conducted studies assessing how prepared companies are for the GDPR taking effect next year. The most common finding is that, with each passing month, businesses are becoming more aware of the importance of compliance, if not for the sake of their customers then for the sake of their business.
A recent survey by Marsh further confirms this trend. The insurance broking and risk management company polled 1,300 senior executives on GDPR matters and found that 65% now consider cyber a top-five risk (up from 32% last year). The figure makes sense, considering that 23% of respondents said their European organizations had fallen victim to a successful cyberattack in the past 12 months.
Some 69% said their company was fully compliant with respect to encryption, and 49% said they had developed a cyber-incident response plan. Another 27% reported increasing or restructuring their cyber risk insurance, and 78% said they plan to increase spending on cyber risk over the next 12 months.
This is all good news, but that is where the good news ends. According to the same survey, only 8% of companies handling EU customer data believe they are fully compliant with the GDPR requirements. 57% are still developing a compliance plan, and 11% have not developed one or are not even considering doing so.
More worryingly, a staggering 24% do not know what the consequences of noncompliance are. This data point corroborates findings from a similar survey by analytics firm SAS this spring, in which 42% of respondents indicated that their organizations were not fully aware of that impact.
From May 2018, a company found noncompliant with the GDPR risks penalties of up to 4% of its total worldwide annual turnover or up to €20 million, whichever is higher.