• by Ray Schultz , October 18, 2017

It’s getting tiresome reading reports about how few firms are ready for the EU’s General Data Protection Regulation (GDPR). But here’s one more.

A study by Marsh shows that only 8% of firms are now in full compliance with the regulation that takes effect next May. That doesn’t leave much time for the other 92%.

And 23% of those subject to the GDPR have been hacked in the last year.

But it’s not as bad as it sounds. Of 1,312 senior executives surveyed globally, 57% are developing a plan for compliance, and a mere 11% are not. (The rest don’t know).

The study also shows a strong correlation between GDPR compliance and levels of cyber risk management. For instance, 69% of the fully compliant firms have or plan to deploy encrypted computers, versus only 38% of the non-compliant. And 49% of the firms in full readiness have developed a cyber incident response plan, compared with 10% of those that have not.

Finally, 27% of the prepared companies are increasing or restructuring their cyber risk insurance. And 17% of the laggards are not. In general, 65% say cybersecurity is a top priority. And 26% rank it as a risk, but not in top five. 

However, readiness for GDPR seems to depend on the size of the organization.

Of companies with revenue topping $5 billion, 29% are fully compliant, versus 18% that fall below that threshold. And 13% of those mega-firms are developing a plan, compared with 27% of their smaller counterparts.

Only 5% of the majors have no plan. The same can be said of the lesser outfits.

As for spending, 78% of the compliant firms or those planning for GDPR have increased their spending on cybersecurity, versus 52% of the un-ready companies. Over half of the respondents have estimated their financial exposure to a cyber incident, but almost a third have not. And the remainder don’t know.

Of the firms that believe they are compliant, 22% have taken 10 to 14 recommended cyber risks steps and 54% have taken four to nine steps.

Only 9% of those with no plans have taken 10 to 14 actions, and 36% have tried four to nine.

In addition, compliant corporations are much more likely to have taken actions strongly implied by GDPR — like penetration testing, and improving vulnerability and patch management.

They are not as likely to have identified external legal, public relations or cybersecurity experts to help during an incident.

Here’s one more finding: 85% of compliant firms that have encrypted their data use cloud services.