
In 1999, Scott McNealy, then the CEO of Sun Microsystems, was famously quoted dismissing Internet security as hopeless. “You have zero privacy anyway,” he said. “Get over it.” It was a provocative notion, but let's just say the European Union's regulators don't think that way.


The EU's new cybersecurity rules—the General Data Protection Regulation (GDPR)—will be enforced starting on May 25 of this year. The GDPR applies to any organization that does business in the European Union, not just companies based in EU countries, and organizations that don't meet its requirements could conceivably face fines equal to 20 million euros or 4 percent of their global annual revenue.


Marsh surveyed 1,300 executives globally, and 65 percent said their organization either had plans to comply with the GDPR or was already set. But 11 percent said they had not developed a plan or weren't planning to create one. And 24 percent didn't know.


On its face, the GDPR may look like just another regulatory burden with a complex compliance process. But organizations may be able to turn compliance into a competitive advantage. That's because the GDPR gives treasury teams a strong incentive to improve their cybersecurity practices, which are ever more important in a technologically driven world. Treasurers can use GDPR compliance requirements as a motivator for optimizing the resources they devote to cyber risk management—which, in turn, can enable confident, informed risk-taking that supports business growth.


Significantly, among Marsh's survey respondents whose organizations are subject to GDPR, 65 percent said cyber risk is one of their top five risk management priorities (see Figure 1, below). Cyber risks ranked up there with natural disasters, major acts of violence or terrorism, and political upheaval. Their answers show that awareness is up dramatically: In a similar survey Marsh conducted in continental Europe a year before, only 32 percent rated cyber threats as a top-five risk. If nothing else, the approaching GDPR deadline has been a wake-up call for many companies.


Still, the May deadline may lead to a lot of sleepless nights for corporate executives. Analysts at Oliver Wyman, another operating company of Marsh & McLennan Companies, predict that fines and penalties in the U.K. in the first year alone may total £5 billion, or about US$7 billion, among FTSE 100 companies that fail to comply with GDPR. The totals worldwide could be much higher.


Take a moment to absorb those numbers. Most companies that are unprepared for GDPR will probably not pay the maximum fines, but do they want to take the chance? Of all the risks an organization faces, how many could wipe 4 percent of annual turnover off the books in a heartbeat?


What Is the GDPR?

The General Data Protection Regulation focuses on protecting the personal data of EU residents. It restricts the types of information organizations can collect and use, and requires greater openness about what happens to it, including disclosures if data is lost in a cyberattack. The GDPR defines personal data as “any information related to a natural person or 'data subject' that can be used to directly or indirectly identify the person.” That includes name, email address, computer IP address, bank details, medical information, photo, or information posted on social networking sites. It's difficult to imagine a company that does not store this type of data on at least some of its customers, suppliers, or employees.


Most of the cybersecurity measures that GDPR encourages companies to take are technical; they're the kinds of things an IT department might already be doing to keep up a network's defenses against possible attacks. The problem, of course, is that cyber risk is evolving very quickly. As soon as a company fixes one weakness, attackers will find another.


Here is a better approach: Think of cybersecurity as not just a technical risk—something to try to prevent—but also a business risk, something to be managed intelligently. Cyber risk is not just an IT issue; it ultimately deserves the attention of the C-suite. Think dollars, not bytes.


To that end, companies will benefit if they quantify cyber risk in economic terms. Doing so helps focus staff on building the organization's resiliency in the face of inevitable attacks. This is key. Companies must think in terms of minimizing the business disruption caused by an attack, since defensive measures can do only so much.


Among companies that are planning to comply with GDPR, Marsh's survey found that:

  • 56 percent have encrypted organizational desktop and laptop computers,
  • 56 percent have conducted penetration testing,
  • 56 percent have improved their vulnerability and patch management,
  • 67 percent have conducted a cybersecurity gap assessment, and
  • 65 percent have implemented or stepped up phishing awareness training for their employees.

As you might expect, there is significant overlap in these numbers. If an organization is sufficiently concerned about cyber risk to take one of these steps, it will generally take others.


The Goal: Resiliency, Not Just Defense

Keeping a business healthy is, of course, what cybersecurity is all about. The stories are now legion of companies that were brought to a halt because a never-seen attacker found a weakness that was years old, or because one employee was fooled by a phishing email or lost a flash drive with sensitive data on it. Companies that take all the best security steps can still be laid low if their vendors or contractors don't also follow their protocols. The cost of such lapses is often fearsome, in terms of business interruption, reputational damage, deals not made, or loss of potential partners that decide to take their business elsewhere.


But while the costs can be fearsome, they are quantifiable. And they become less fearsome when a company puts dollar figures on them. If you can quantify the risks you face, you will have a better sense of where to dedicate your security resources.


Forty-five percent of the executives responding to Marsh's survey said their organization had given an economic estimate to its vulnerability to cyberattack. That's not a majority, and among the companies that made the effort, only 24 percent actually express cyber risks in hard numbers. Most rely on qualitative indicators—the green, yellow, and red of a traffic light, for instance—to signal their level of concern.


Tactics vs. Strategy

Those that do use numbers are more likely to be strategic in their efforts to manage cyber risks. They think of cybersecurity as a matter of making their corporate defenses more robust, and they take a more comprehensive approach than simply beefing up IT defenses against ever-changing methods of attack. On a practical level, that means these companies have taken such measures as developing a comprehensive plan for responding to cyber incidents, modeling potential loss scenarios, and organizing legal and communications support in case of an attack. Some have also bought insurance against losses incurred in a cyberattack. (See Figure 2, below.)


In contrast, companies that have not quantified their vulnerabilities tend to be more tactical. They may, for instance, warn employees to be wary of unfamiliar emails or conduct tests to see where their online systems need patching. Such steps are useful, but they're not as important in the long term as having an overarching strategy to build resiliency in the organization's response to attack. That's why there is such benefit to assigning actual numbers to cyber risks.


If GDPR can push companies to think more holistically about cyber risk, it will be a good thing. We all know how high the stakes are. In 1975, according to the advisory firm Ocean Tomo, 83 percent of the market value of S&P 500 companies was tied to tangible assets, such as factories and manufactured goods. Today, 84 percent is information-based—ranging from consumer and transactional data to private medical files to proprietary business software.


Mitigation and Transfer

Possible corporate responses to cyber risks fall into four broad categories. First, companies may think their best bet is simply to avoid the risk. Ultimately, though, that is not possible. Every company doing business today faces some degree of cyber threats.


A second approach is to accept the risk. This is certainly part of every organization's response; cyber risks are so prevalent that they cannot be entirely avoided. But that cannot become an excuse to do nothing.


A company's third option is to mitigate the risk. Most companies are already routinely doing this in some way. They employ IT security specialists. They install firewalls and buy antivirus software, and they contract with the vendors for advice.


Finally, a company can consider transferring the risk—in other words, making plans so that when things go wrong, the organization does not assume the entire financial responsibility on its own.


The best corporate cyber risk management plans strike a balance between risk mitigation and risk transfer. Companies protect themselves, but only to the degree that it is cost-effective given their quantification of the risks they face. If a company plans well, it will be able to maintain operations in the face of an attack, recover quickly from any harm, protect its reputation, and remain in compliance with regulatory requirements.


Determining What Actions to Take

So, how can corporate CFOs and risk managers determine how to structure their organization's cybersecurity practices in light of the GDPR? They would do well to ask the following questions:


1. Have we calculated the value of our cyber assets at risk? Quantification can make a significant difference. If a company knows what its worst-case losses could be—expressed in dollars, euros, or another hard number—it is more likely to build strategies to bounce back quickly. As the saying goes, you can't manage what you can't measure.


2. What process do we use internally to identify likely cyber events? And what scenario modeling do we engage in to assess the potential impact of cyberattacks? Gap assessments, tabletop exercises, and similar measures all help. They lead to vulnerability management so that a company can better plan for attacks.


3. What stakeholders are involved in our cyber risk planning? Cyber risk is best managed if it includes an organization's C-suite and board of directors. Risk officers are valuable as coordinators. In Marsh's survey, 70 percent of respondents said their IT departments are the principal “owners” of cyber risk. There is no question that technological defenses are important, but they should not be isolated from the rest of the organization.


4. What risks beyond data breach have we assessed? Depending on an organization's expertise in cyber issues, outside counsel may be helpful. It is important, no matter how hard, to be as imaginative as the unseen attackers, who are constantly hatching new schemes.


The biggest challenge in cyber risk management is for companies to look at the big picture. But the impending GDPR regulations give organizations impetus to do just that. If they approach cyber risk strategically and quantitatively, and if they integrate it into the way they operate, they can become more robust and recover more quickly from attacks.


We cannot eliminate cyber risk, at least not anytime soon. But we can make it manageable.



Thomas Reagan is the cyber practice leader at Marsh. Based in New York, he oversees client advisory and placement services for cyber risk throughout the country. Reagan recently led development of Marsh's innovative Cyber ECHO and Cyber CAT cyber and privacy insurance products. He also serves as the senior cyber adviser for some of Marsh's largest clients.


© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.