Peter J. Beshar is executive vice president and general counsel of Marsh & McLennan.
Cyber breaches have dominated the headlines in the United States, with public companies, government agencies, universities, and now even political parties reporting attacks. No sector has been spared. Gazing across the Atlantic, however, the landscape appears dramatically and blissfully different. Virtually no large European company has publicly acknowledged a cyber breach. Is there an Iron Dome or magnetic force field protecting Europe against cyber attacks?
Sadly not. Cyber attacks are occurring across Europe every day. The fundamental difference is that the U.S. has 47 state laws mandating the public disclosure of cyber attacks. Until now, Europe has had no equivalent. One possible consequence is that the time lag between a cyber intrusion and the detection of that incident is nearly three times longer in Europe than in the rest of the world.
That will change — and the ramifications for European companies will be profound.
After years of debate, European authorities recently approved the EU General Data Protection Regulation (GDPR). For the first time, companies operating in Europe will be required to report personal data breaches to the national supervisory authority within 72 hours of becoming aware of them and, where a breach is likely to pose a high risk to individuals, to notify the affected individuals as well. In addition, the regulation directs companies to implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risk." Companies that fail to adhere to these requirements face administrative fines of up to 4% of worldwide annual turnover, as well as private lawsuits by individuals.
While the GDPR does not take effect for another two years, we already have a window into what European companies can expect. Last year, the Dutch authorities adopted a "mini-GDPR" that obliges companies operating in the Netherlands to report data breaches to the Dutch data protection authority. The fines for failure to do so can range up to 10% of a company's annual turnover. In just the first 130 days since the law took effect at the start of this year, more than 1,500 breaches were reported. Additionally, PwC's 2015 Information Security Breaches Survey found that 90% of large UK organisations, and 74% of small businesses, had suffered a security breach in the previous year.
Once these incidents are subject to public reporting, rather than whispers, public awareness and concern in Europe will increase markedly. If headlines are filled with reports of cyber breaches, supervisory boards of companies across the continent will press their management teams for assurance that proper attention and adequate resources are being allocated to confront this dynamic risk. Policymakers and data protection authorities will closely monitor these developments, particularly when attacks are directed at critical infrastructure.
The best risk mitigation strategy, of course, is preparation. European companies should be conducting comprehensive assessments of their IT security practices and benchmarking their performance against an established industry standard, such as ISO/IEC 27001 or the NIST Cybersecurity Framework. In developing a plan of action, four key points should be considered.
First, cyber security is not an IT problem.
One of the lessons from the U.S. is that treating cyber risks as solely an IT issue will not work. The most senior members of a management team, including the CEO, CFO and GC, alongside the board of directors, need to be conversant with the principal threats facing their companies and the strategies for mitigating those threats. Too many companies continue to segregate their cyber security strategy within the walls of their IT departments. This must change.
Second, keep current with the most rampant types of attacks.
Though there are many forms and vectors of attack, "spearphishing" tops the list. Attackers send bespoke e-mails built from details lifted from an employee's Facebook page, or spoof job listings that appear to come from LinkedIn. Once the employee opens the attachment or follows the link, malware is loaded on to the company's systems. Not surprisingly, by most industry estimates more than 90% of successful cyber attacks begin with a phishing campaign. There is no simple fix. Detonation ("sandbox") technology that opens suspicious attachments and links in a quarantined environment before they reach users, regular training of employees, and sound software patch management protocols are all crucial, and none of them alone is sufficient: some fraction of well-crafted lures will always be clicked, so the company must also be able to spot the tell-tale signs of a lure that got through.
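As an added illustration (example code written for this page, not something the author describes), the script below runs a few spearphishing indicator checks over a raw e-mail: a Reply-To domain that differs from the From domain, a link whose visible text names one host while the href points to another, a lookalike host that embeds the sender's brand as a subdomain, and an attachment with an executable extension. The message, the hostnames, the "registrable domain equals last two labels" heuristic and the extension list are all assumptions constructed for the example; a real deployment would use the Public Suffix List and a maintained extension list.

```python
"""Spearphishing indicator checks over a raw RFC 5322 message (added example)."""
import email
from email import policy
from html.parser import HTMLParser
from os.path import splitext
from urllib.parse import urlparse

# Extensions that execute when opened. Illustrative assumption, not a complete list.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar",
                         ".bat", ".cmd", ".ps1", ".msi"}

# Constructed sample lure (not a real capture). The text references a detail an
# attacker could lift from a public profile, the visible link names the
# company's careers site while the href goes elsewhere, replies are steered to a
# different domain, and the attachment is an executable with a double extension.
SAMPLE_EML = """\
From: "HR Team" <hr@example-corp.com>
Reply-To: careers@example-corp-jobs.net
To: alice@example-corp.com
Subject: Re: your talk at the Rotterdam cloud meetup
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Alice, great talk last week. A role opened that matches your profile:</p>
<p><a href="http://example-corp.applicant-portal.biz/login">https://careers.example-corp.com/job/4312</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="Job_Description.pdf.exe"
Content-Disposition: attachment; filename="Job_Description.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registered_domain(host):
    """Crude registrable-domain approximation: the last two DNS labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _address_domain(header):
    """Domain part of the first address in a parsed address header, or ''."""
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].addr_spec.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of (indicator, detail) pairs found in a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    sender_domain = _address_domain(msg["From"])
    reply_domain = _address_domain(msg["Reply-To"])
    if reply_domain and _registered_domain(reply_domain) != _registered_domain(sender_domain):
        findings.append(("reply_to_mismatch",
                         f"From {sender_domain} but replies go to {reply_domain}"))
    # The sender's brand label, e.g. "example-corp" from example-corp.com.
    brand = _registered_domain(sender_domain).split(".")[0] if sender_domain else ""

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_content())
            for href, text in parser.links:
                href_host = urlparse(href).hostname or ""
                shown = text if "://" in text else "http://" + text
                shown_host = urlparse(shown).hostname or ""
                # Visible text that looks like a URL but resolves to another domain.
                if (" " not in text and "." in shown_host
                        and _registered_domain(shown_host) != _registered_domain(href_host)):
                    findings.append(("link_text_mismatch",
                                     f"text shows {shown_host} but href goes to {href_host}"))
                # Brand name used as a subdomain of an unrelated registrable domain.
                if brand and brand in href_host.split(".")[:-2]:
                    findings.append(("lookalike_host", href_host))
        name = part.get_filename()
        if name and splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
            findings.append(("executable_attachment", name))
    return findings


if __name__ == "__main__":
    for indicator, detail in check_message(SAMPLE_EML):
        print(f"{indicator}: {detail}")
```

Each indicator on its own is a weak signal (legitimate mail uses third-party Reply-To addresses and link trackers all the time), so in practice these checks feed a score or a sandbox decision rather than blocking outright.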
Third, build relationships with security, law enforcement and data protection authorities.
Trying to solve this issue alone will not work for either the government or industry. We are in this together. Collaboration with law enforcement is particularly important for operators of critical infrastructure: power plants, telecommunications networks, transportation systems, chemical facilities, dams, civilian nuclear plants, and aviation, to name a few. Given the large percentage of critical infrastructure owned and operated by the private sector in the United States, American authorities have worked diligently to forge public-private partnerships to enhance cyber resilience. Replicating this model, the EU has just adopted the Network and Information Security (NIS) Directive and launched a call for a public-private partnership on cybersecurity to combat this dynamic risk. Companies should embrace these efforts.
Fourth, assume you will be breached. Not if, but when. Do you have a written incident response plan?
Have you conducted a simulated drill for a cyber attack? Do you have an external and internal communications strategy? Under the GDPR's 72-hour clock, the plan must also say who decides whether an incident is a reportable breach and who notifies the regulator. The goal is not elimination of the threat, but rather resilience: when a breach takes place, the objective is to keep your core operations running smoothly.
Adequate preparation for cyber attacks is complicated, costly, and for many companies somewhat counterintuitive. But armed with the facts and a clear regulatory roadmap, now is the time to make the necessary investments and, just as important, to build the corporate culture that will protect your business and clients.
As cyber attacks grow more sophisticated and cause greater damage to industries and individuals, it will be increasingly difficult to counter this threat unless we learn from each other and incorporate best practices on both sides of the Atlantic.