Cyber risk is an ever evolving threat for 21st century business and as such, is a top of mind issue for today’s business leaders. A cyber security breach can have huge legal and financial ramifications for any business. High profile cyber-attacks are on the rise and governments are increasingly cracking down on cyber criminals. New regulations around cyber are coming into force around the globe and companies, especially middle market companies, need to ensure they are adequately prepared.
The middle market is often guilty of considering itself to have a lack of exposure to cyber threats. Middle market companies believe that since large corporates hold more data, hackers will target them, but this is certainly not the case. The “it won’t happen to me” attitude, and lack of action that comes as a result, means these very companies are often seen as an easy target. Middle market businesses must be proactive in identifying and managing the risk.
Just last week, the Australian Senate announced the Notifiable Data Breaches Bill which forces organisations under the Privacy Act to inform the public, as well as the Australian Information Commission, if their data has been compromised. Notably, the EU announced it will implement a new general data protection regulation (GDPR) that is set to come into force on the 25th May, 2018 and will mandate Data Protection Officers (DPOs) for some companies.
The GDPR is a regulation by which the European Parliament, the European Council and the European Commission intend to unify and strengthen data protection for individuals inside the European Union. Whilst regulated sectors are being proactive about the incoming regulation, any business should start planning before it comes into full effect. This is particularly pertinent for those middle market businesses that may have fallen behind in the cyber-boom of the last 20 years.
The middle market has been perceived as falling behind. One reason is simply that levels of cyber risk have sky rocketed in the last three years which has led to changes in legal and regulatory requirements, and to significant increases in the cost of overhauling cyber security measures. This means that larger multinational corporations with deeper pockets are often better equipped and their systems more up to date.
Cyber security regulation can be an awkward area for many middle market firms to navigate. Unlike large corporates, middle market firms do not have the resources to pull out all the stops to guard against a cyber breach. For example, many simply cannot employ an internal team dedicated solely to understanding and enacting upon the legal minefield. And this could leave them vulnerable – some middle market firms do not have processes in place, for example, when they transfer data onto a new system, leaving the old system open to an attack.
Even if a company were to ride the wave of potential damage done to them by a cyber-attack (stolen data, financial cost, lost files, etc.), without spending too much money on security measures, the GDPR will enable data protection authorities to issue fines to companies of up to 4% of worldwide annual turnover, as well as run compulsory audits and suspend data transfers.
Middle market business should implement appropriate data protection policies, procedure and processes. Their nimble nature gives them an advantage in preparing for new regulation and they can get ahead by preparing for the GDPR, as some experts speculate that many companies will be underprepared, partially due to confusion as to whether the GDPR will apply in the UK following Brexit. They have the flexibility to try and test which compliance methods work best for them versus large corporates with archaic structures that are difficult to change.
Middle market firms should bring the issue of cyber security into their executive team. There has been a marked increase in demand for in-house data protection officers (DPOs) and chief privacy officers (CPOs) in the last few years and having a person at hand will help middle market firms react and adapt.
Effective training for employees and regular reviews of cyber activities by way of data inventory analysis, data-flow mapping and data protection audits should all become second-nature to ensure cyber-safety and compliance with new regulations as and when they are implemented. By baking the processes of cyber security into everything they do, middle market businesses have an opportunity to stay ahead and adapt more quickly than their larger counterparts.