Europe’s Firms, Unprepared for Cyber Risks, Face Breach Disclosure Law

European companies are unprepared to cope with the reality of today’s cyber risks, according to a new report from Marsh & McLennan Cos. (MMC) and cyber security company, FireEye.

However, companies will be forced into action as a result of the European Union’s General Data Protection Regulation (GDPR), which in May 2018 will require public disclosure of “data breaches to national data protection authorities and, where the threat of harm is substantial, to affected individuals,” said the report.

“Failure to do so could result in fines of as much as four percent of a company’s global turnover – a staggering sum,” said the report titled “Cyber Threats: A Perfect Storm About to Hit Europe?”

Threat Intensifying

The report further warns that the cyber threat environment is intensifying dramatically.

“Concerns about the misappropriation of financial and personal data – while important – have been supplanted by the spectre of an even larger and more devastating threat. Cyber attacks on critical infrastructure — manufacturing plants, power stations, aviation systems, transportation networks, water systems and even nuclear facilities — are the new reality in Europe,” the report emphasized.

Cyber attacks against critical infrastructure have been dubbed a potential “Cyber Pearl Harbor” by US military officials, the report said, noting that this is a reality that European governments and businesses must now confront.

Unprepared for Growing Threat

With the growing cyber threat and the implementation of the GDPR, the report questioned how prepared are businesses across Europe.

“To assess their state of preparedness, Marsh conducted a broad survey of 750 European clients. The responses suggest that, while progress has been made, a significant journey remains,” the report said.

For example, Marsh found that the percentage of companies indicating that they assessed “key suppliers” for cyber risk actually decreased from 23 percent in 2015 to 20 percent in 2016.

“As numerous attacks in the US and elsewhere have shown, hackers often gain access to larger organizations by initiating attacks against smaller vendors that provide services like air conditioning or takeout food,” the report emphasized.

As a result of the dangers and new regulation, European management teams will be pressed, as never before, “to address concerns from data protection authorities, supervisory boards and journalists about their state of preparedness. Rather than waiting until 2018, companies must work to confront this looming challenge now,” the report went on to say.

Key takeaways of the report include:

• Ransomware attacks, in which files are encrypted and can only be unlocked when the victim pays a ransom of bitcoin, spiked significantly in 2016.
• The industries most frequently targeted by hackers are financial services, manufacturing and telecommunications.
• The countries with the highest number of incidents were Germany, Belgium, Great Britain and Spain.
• Less than a third of companies surveyed have a strong understanding of their cyber risks.
• Less than a third regard cyber security as a “top-five risk.”
• European organizations take three times longer to identify intrusions than the average among the rest of the world.

Some Recommendations

There are many technological advances that will form part of cyber protections, such as encryption and blockchain, the report provides five non-technological recommendations for companies to consider:

• Cyber security is not solely an IT issue.The most senior members of a company’s management team must engage and be at least conversant with this risk and know what are the principal cyber vulnerabilities, what are key strategies for risk mitigation and whether adequate resources being devoted to the problem.
• Vulnerability assessments are essential.Every company should conduct a vulnerability assessment, by benchmarking cyber protocols against an established standard. Questions to ask are: What are the company’s critical cyber assets? Does the organization rely upon proprietary data or industrial control systems? Have the financial consequences of a large-scale breach been assessed?
• Cyber risk is now a board-level issue.Supervisory boards in Europe will be putting far more focus and pressure on management teams in the coming year. “If it takes your organization three times longer to identify a cyber intrusion as other companies, will that be satisfactory for your board?” the report questioned.
• Corporations should engage with external stakeholders.Reach out now to build relationships of trust with data protection and law enforcement authorities, policymakers and the press. The report suggested engaging “top-notch security experts to respond to an incident.”
• Governments in Europe must lend a hand to the business community. Given the particular threat posed to critical infrastructure, governments in Europe should reach out more affirmatively to the business community by 1) sharing threat intelligence in real time about the latest forms of attack and known malicious IP addresses and 2) promptly alerting businesses that their systems have been breached.

Source: Marsh & McLennan Cos. and FireEye

*This story appeared previously in our sister publication Insurance Journal.