As the U.S. presidential campaign enters its home stretch, the issue of cyber security is front and center. Rarely a day goes by without a new report of a corporate or government breach making headlines. Across Europe, on the other hand, news of major cyber attacks, particularly against European companies, is rarely found on the front pages of Le Monde, Der Spiegel or La Repubblica.
Have European institutions done a better job of safeguarding against attacks than their American counterparts? Has Europe just been exceptionally lucky?
The answer to both questions is a resounding no. The unfortunate truth is that breaches are occurring with frequency across Europe.
Last week, I was invited to join a panel at the European Parliament to discuss the state of cyber security and what European companies – and the EU – can do to prevent and prepare for future attacks. There were three core takeaways.
First, the cyber landscape in Europe is about to change profoundly. The adoption of the EU General Data Protection Regulation (GDPR) is a watershed event. For the first time, companies across Europe will be required to disclose data breaches to national data protection authorities and, where warranted, affected individuals. Importantly, failure to do so may result in extraordinary penalties of up to 4% of total revenues.
We already have a window into how the post-GDPR reality will look. After Dutch authorities adopted a “mini-GDPR” that requires companies operating in the Netherlands to report data breaches, more than 3,600 incidents have been logged so far this year. Extrapolate that across the EU and the press, regulators and supervisory boards will demand change in the way European companies conduct business.
Second, companies operating in Europe have quite a journey to travel to prepare for this changed landscape. To gauge their state of readiness, Marsh & McLennan just completed a comprehensive study of the cyber security practices of more than 750 companies across Continental Europe.
On the good news front, awareness of cyber security risk is unquestionably on the rise. The number of companies that listed cyber as a top-5 concern has doubled in just the last year, according to the study. And whereas a quarter of European companies in 2015 didn’t mention cyber security as a concern at all, this number dropped to 10% in 2016.
Yet, while consciousness is rising, far too many companies lag behind. Seven in 10 companies this year reported that they do not have a strong understanding of their cyber posture, according to the study. Moreover, even among companies that profess to have awareness of the threat, too few are taking the necessary steps to defend against attacks or respond to them. In America, the conversation has turned from “if” to “when.” Yet in Europe, just 40% of companies in our survey have a written incident response plan.
Third, no one has all the answers. Not government. Not industry. And the stakes are rising by the day. Just last week, the director of the International Atomic Energy Agency publicly disclosed for the first time that there was a “disruptive” cyber attack against a nuclear plant.
Against this backdrop, the European Union merits praise for emphasizing that a joint effort between government and industry is required to enhance our collective cyber resilience.
That collaboration can take many forms. An important priority is the monitoring and detection of cyber breaches. This early detection is crucial for reducing the so-called “dwell time” – the amount of time from intrusion to ultimate detection.
According to forensic experts, companies in Europe are currently taking three times as long to identify penetrations of their IT systems.
Just as important, the EU must help companies peel back the secrecy that currently enshrouds cyber incidents. If companies take the step of sharing greater details about the types of attacks and intrusions that are occurring, government should reciprocate by disseminating cyber threat intelligence in real time. To be effective, the flow of information cannot be a one-way street. While companies are rightfully protective of private, confidential data, there is ample precedent to show that a reasonable balance can be struck between privacy considerations and liability protections.
In recent years, the technology revolution has changed the way virtually every industry conducts business. The lesson of this disruption has been clear: companies that adapt survive and flourish, while those that stubbornly cling to the past are left behind. Combatting cyber attacks is no different. With the number and sophistication of attacks on the rise – and the GDPR creating significant financial implications for non-compliance – now is the time to prepare.
Peter J. Beshar is executive vice president and general counsel of Marsh & McLennan Companies.