Data Regulations Are Increasing; It’s Time to Reevaluate Your Cyber Defense Now
In 2018, the EU General Data Protection Regulation (GDPR) came into effect, impacting how businesses collect and use consumer data.
It also reinvented the way data collection and related risks are viewed as a whole. Hacking and data breaches have almost fallen into the category of the inevitable, and cyber security and data privacy dominate the regulatory agenda.
GDPR isn’t the only data regulation that’s come into play either; the California Consumer Privacy Act, which expanded the rights for consumers to know how a company uses their information, and the New York Department of Financial Services Cybersecurity Regulation, which requires financial services companies to establish and maintain a cyber security program, also entered the data privacy conversation.
One Deloitte report said several more countries are looking to implement or enhance already-existing regulatory requirements, from Brazil and the UK, to the U.S. and Australia.
“For insurers to remain competitive,” said the report, “they need the ability to acquire and manage vast quantities of data to provide more relevant coverage for consumers.”
Stepping Up GDPR Coverage
One cyber insurance company, Coalition, Inc., has already started broadening its coverage for GDPR violations. It is now the first insurer to offer full-spectrum coverage to help businesses comply with regulations, protect against alleged violations and pay resulting expenses and penalties.
“Coalition’s policy will now not only respond with broad coverage for any resulting costs and liability, including GDPR violations, resulting from a security failure or data breach, but also protect organizations against their failure to comply with broader GDPR enforcement actions.”
It seems this coverage is timely, too, because UK leaders are cracking down on companies that do not comply with these regulations: “The British government plans to hit social-media firms [Facebook and Google] with fines potentially worth billions of dollars if they fail to rid their platforms of content considered harmful,” reported Business Insider.
“It is not just financial penalties that are under consideration,” the article further stated. “The government has also suggested that tech executives could face criminal sanctions if they fail to get a grip on their platforms.”
With penalties like this on the table, GDPR has opened a door for executives and the boards of directors to come under fire if the company is not up-to-date with the latest data regulations.
The Board and GDPR
“GDPR forced companies to be more strategic in how they handle their data. The board must decide on how to mitigate the risk,” said Tom Mackey, risk management consultant, EPIC.
As cyber crimes grow in sophistication and data privacy regulations like GDPR come into play, company directors will undoubtedly be held liable for cyber breaches that compromise customer data and erode shareholder value.
The ramifications of GDPR have been found to be widespread and can impact businesses regardless of their location, size or financial health. A board that isn’t proactive in protecting against cyber attacks is a board vulnerable to regulatory fines, reputation damage and public scrutiny.
It’s no wonder, then, that there’s a growing interest in incorporating the board in cyber conversations.
“Boards should first make sure they’ve addressed exposures of GDPR. Some companies don’t think they are exposed, but they can fall within that scope. Penalties can be large in scale,” said Brendan Goodwin, regional cyber director-Northeast, Gallagher.
“There needs to be a focus now, because it’s not an easy fix,” he said.
“Cyber risk [like this] has to be present in the board’s conversation. It can’t be an annual review,” added Mackey. “It has to be discussed regularly.” &