As the May 2018 implementation of the European Union’s General Data Protection Regulation approaches, cyber risk has become the top concern of a majority of executives in a Marsh survey.
A global study of more than 1,300 senior executives found that 65% of respondents whose organizations offer products or services in the EU said that they now consider cyber as a top risk, Marsh said in a statement Monday.
A similar Marsh survey conducted last year found that only 32% of respondents rated cyber as a top five risk.
Marsh said 23% of respondents reported that their European organizations were subject to a successful cyber attack in the past year.
Seventy-eight percent of the respondents whose organizations are planning GDPR implementation said they would increase spending on addressing cyber risk over the next 12 months, including spending on cyber insurance.
Fifty-two percent of those who do not have a plan for GDPR said their investment in cyber risk management would increase.
The GDPR will apply to companies that are “processors” or “controllers” of data on citizens of the European Union — including the United Kingdom, which, though slated to leave the EU, will still be part of the GDPR’s scope when it comes into force.
The GDPR will require many companies to have data protection officers in place, and fines for the most serious breaches could total up to 4% of annual revenue.
Marsh said only 8% of respondents at GDPR-affected organizations said their firms were fully compliant; 57% said that their organizations were developing compliance plans; and 11% said they had yet to start. Smaller organizations were more likely not to have a plan for GDPR, with 19% of respondents from businesses with less than $50 million in annual revenue replying that no plan was in place.
“This survey indicates that the most prepared firms are using GDPR as a catalyst to enhance their cyber risk management,” John Drzik, president of global risk and digital at Marsh, said in a statement, “including a more economic evaluation of their risks and an increased focus on building resilience in the face of an inevitable cyber incident.”