The EU cyber security and regulatory environment is soon set to change significantly, challenging organisations to rethink how they protect customer data and deal with the consequences when things go wrong. Data breaches remain a primary area of concern. A Deloitte report on the business impact of a cyber attack recently showed that 89% of the impact of a breach comes from three factors:
Value of lost contract revenue;
Devaluation of trade name; and
Lost value of customer relationships.

These conclusions were based on research about US companies, but the questions remain: how relevant are these three factors for EU companies that face similar cyber threats, and how might a changing EU regulatory environment influence this?
The difference between Europe and the US

It is important to note that these factors look quite different from an EU perspective. Most EU companies are not currently required to notify regulators or customers after a data breach, as opposed to the US, where 47 out of 50 states have mandatory notification laws. As a result, several main impacts (which are felt heavily in the US) are either non-existent or less visible in the EU, including:
Cost: no mandatory breach notification means fewer lost contracts and fewer regulatory or compliance requirements.
Scrutiny: damage to business relationships and devaluation of trade name is avoided, as customers, competitors and regulators remain unaware of a breach.
Pressure: companies can conduct breach investigation and remediation out of the public spotlight.
As a result of these differences, EU companies are less incentivised to improve cyber security. The EU market for cyber insurance is consequently less mature than in the US where products have been developed to transfer the costs of business disruption, customer notification, and identity theft protection.
European companies need to prepare for change

However, this situation will change over the next two years, as the EU General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive come into force in mid-2018. Both pieces of legislation will increase the number of companies and sectors that will have to report breaches to their national regulator, and possibly to customers, within 72 hours (GDPR) or without "undue delay" (NIS Directive), depending on the severity of the breach.
It will be expensive to notify thousands, or even millions, of customers that their data has been compromised and offer identity theft protection and incentives to retain their business. Pressure and scrutiny will grow in the wake of a data breach, as companies spend days or weeks in the glare of the spotlight while scrambling to minimise reputational damage.
Be ready for change

So how can companies prepare for these changes? Firstly, companies need to accept that preparation is needed, as this legislation is likely to take effect before the UK leaves the EU. Secondly, they need to seek expert guidance on the implications for their sector and specific circumstances, while looking for additional guidance and clarification (regarding ambiguity or legislative overlap) from EU working groups over the next two years. Finally, they need to use this opportunity to create momentum for improving their cyber security, along with their public relations and crisis management capabilities.
The cost, scrutiny and pressure of dealing with a data breach will soon become more apparent to EU companies, and there will be a competitive advantage in adapting and preparing now.
Phill Everson is UK head of cyber at Deloitte