Businesses are waking up to the twin threat of multi-country cyber risk and increasing regulation in the form of the GDPR – billed as the toughest data privacy laws on the planet.
In our Spring ’18 Risk and Confidence report, cyber risk topped the risk league for the first time, both in terms of what is worrying business leaders now and what they think will dominate their concerns in six months’ time.
Regulatory risk was also a big riser, ranked second as the risk of most concern, whereas in previous surveys this risk had languished near the bottom of the risk ranking.
Crouching tiger
In addition to the widespread global business interruption caused by last year’s state-sponsored, broad-ranging WannaCry and NotPetya cyber attacks, a new cyber-related risk emerged when inherent security flaws embedded in computer processing chips were exposed. The flaws, known as Meltdown and Spectre, have the potential to open the back door to hackers, allowing them access to data held on handheld devices and computers with a processing chip.
Against this backdrop, it’s not surprising that cyber risk became the biggest issue that companies worry about. Concern about cyber risk has risen by 11% since our last survey last autumn. Cyber was the single risk most mentioned by respondents, with 25% rating it their number one risk in the UK and 35% doing so elsewhere in Europe.
Compounded by the wide-reaching chip security flaws, these high-profile data breaches have shown the pervasive and ubiquitous nature of cyber and data privacy risk. The fact that this risk has at last caught the attention of C-suite executives is a step in the right direction. Hopefully this new board-level attention will result in robust cyber risk management plans being embedded within their businesses, so that plans can swing into action to help them mitigate and control the situation better.
Hidden dragon
There was also a big shift in attitude towards regulatory risk this Spring. Whereas in the previous two Risk and Confidence reports regulatory risk ranked near the bottom of business leaders’ risk radar, the introduction of GDPR on the 25th May is perceived to be a timebomb waiting to explode under UK and European businesses, and is a major factor in this shift in attitude.
Although 60% of the firms we surveyed declared themselves ‘not ready’ for GDPR implementation, given the looming deadlines coupled with the latest public furore created by the Cambridge Analytica and Facebook data privacy revelations, business leaders are alert to the risks it creates and the significant work required to be GDPR compliant.
The GDPR will enable the Information Commissioner’s Office (ICO) to impose fines of up to a maximum of 4% of turnover (not profit), and it’s anticipated that the ICO will be looking to make early examples of companies that are not compliant. With an average cost of £98 per lost or stolen record (in the UK), if companies are not deleting or anonymising personal data when it is no longer required, fines and the cost of remediation can quickly escalate. This is why upfront investment to embed data breach prevention is essential.
Rising to the challenge
With the risk environment moving so fast, it’s hard for businesses to keep up. These findings demonstrate that business leaders understand the perfect storm of risk they now face. As a specialist insurer, it is our role to help businesses surmount the cyber and regulatory risks which dominate board agendas today, respond to the challenges they identify for tomorrow, and identify the gaps in risk analysis which could impact their growth plans in the UK, Europe and markets further afield.