End of the wild wild web: Navigating cyber regulations
Two decades ago, the internet was a very different place – the world wide web resembled the American “Wild West” of the 19th century, beyond the reach of established regulations and lawmakers.
Today, the question of how to regulate the internet more effectively is high on government agendas. In part, this is because cyber risks – such as the recent WannaCry and Petya ransomware attacks – are becoming more prevalent. The Internet of Things (IoT) is providing ever more points of access for cybercriminals, and nearly every business now has digital, networked elements.
The increase in cyber threats is driven by a range of factors. Some of these stem from new sources of cybercriminal activity, like state actors and more organised criminal networks. But the underlying trends revolve around business and technological innovations.
“In terms of what’s driving these cyber threats, the underlying sources are many: cloud computing, IoT, mobility, social media, big data, AI, automation and ever-expanding connectivity,” says CJ Dietzman, vice president of cyber resilience at Stroz Friedberg, Aon. “From the collection and analysis of customer data at retail locations, to providing advanced analytics on the back-end, technology and data integration have certainly become standard expectations from business leadership.”
And a more digitally integrated business means one that’s more vulnerable to cyberattack. “As technology continues to have a transformative impact on business operations, risk profiles will change rapidly and significantly,” says Dietzman.
The need to control these risks is prompting a renewed commitment to comprehensive regulatory responses. But as regulators look to manage certain areas of risk, they create new difficulties for organisations to navigate.
Your customers are global and may have different digital rights
The European Union (EU) has ramped up its cybersecurity provisions over the last year. The General Data Protection Regulation (GDPR) will come into effect in May 2018 and is designed to protect the digital rights of EU citizens with regards to the use and storage of their data.
Kevin Kalinich, cyber insurance global practice leader, Aon, explains that the GDPR will affect “organisations of every size, industry and geography that process data of EU citizens.”
“It applies broadly to personal data, including customer lists, contact details, genetic / biometric data and potentially online identifiers, such as IP addresses. Companies must obtain explicit, clear and affirmative consent prior to processing personal data – assumptions based on silence do not comply.”
The new regulation will require organisations to strengthen existing controls, implement new processes and procedures, and document, embed and evidence them appropriately. Organisations will also have to consider the best ways of enabling individuals to exercise their rights surrounding their personal data and its use.
The EU GDPR is therefore a game-changer when it comes to the collection, processing and storage of personal data, and one with global implications. As such, organisations need to evaluate their existing position, prepare for the impending changes, and ensure their data protection systems are robust going forward.
Fines for non-compliance with the EU GDPR will increase to as much as €20 million or, if higher, to 4 per cent of an organisation’s annual global turnover. This is a significant escalation from the current penalties under existing data protection laws. Fines for serious violations have the potential to reach the billions for large, global companies.
Adam Peckman, global practice leader, cyber risk consulting, Aon, advises organisations to take the following actions to comply with GDPR to meet the ongoing data privacy rights of their customers and employees:
- Understand where European personal data is stored and how it is used
- Review existing security controls
- Assess third parties’ personal data security standards
- Be prepared to report data breaches within 72 hours
An enterprise approach
Karl Curran, cyber practice leader, Aon Ireland, explains that cyber needs to be seen as an organisational issue with exposures understood from a business perspective. It’s definitely not an IT issue; it’s a strategic business risk, and boards need to be very aware of this. Even where there is awareness and preparation for evolving cyber risks, Karl sees too many approaches where “cyber is still being measured and mitigated within each silo within the business like legal, HR, compliance all looking after their own functional areas, across the company.
“What we really want to get to is a more holistic approach where the business views cyber as a key enterprise risk, and not an individual business unit risk, such as IT or legal. That way the attitude toward cyber is ‘when it happens, how resilient can we be?’ Not ‘how can we prevent it from happening?’”
His best advice for clients? Assume it’s going to happen. “Look at the strategic assets, the crown jewels of the business, as if you focus too much on the perimeter and they get in, you don’t need to worry about the crown jewels anymore; they’re in!”
While some larger companies may already be on their way to being compliant, others could struggle. As Jackie Quintal (financial institutions practice leader, Aon) notes, with GDPR requirements organisations, especially smaller ones that don’t have dedicated in-house expertise in dealing with such issues, might experience a bit of shock.
Nevertheless, cyber regulation is essential to improve the digital system as a whole. As events like the WannaCry and Petya attacks demonstrate, our data is more vulnerable than ever as we become more and more reliant on deeply interconnected digital infrastructure. Shouldering the burden may not be easy, but it will be something that companies need to do if they are to ensure they continue to operate in a safe, stable digital ecosystem, rather than the lawless digital frontier towns of the recent past.
“GDPR is a truly game-changing overhaul of European data protection laws that is going to impact every business, every individual and every member of public sector bodies in Europe” – Helen Dixon, data protection commissioner of Ireland.
“The new rules will ensure that the fundamental right to personal data protection is guaranteed for all. The General Data Protection Regulation will help stimulate the Digital Single Market in the EU by fostering trust in online services by consumers and legal certainty for businesses based on clear and uniform rules.” – Frans Timmermans, European Commission first vice-president.
For more information, visit www.aon.com/Ireland/GDPR