GDPR spurs cybersecurity improvements at FTSE 350 companies

Out-Law News | 06 Mar 2019 | 10:46 am | 2 min. read

The introduction of the General Data Protection Regulation (GDPR) spurred the UK's biggest public companies to improve the measures they put in place to protect data, according to a UK government survey.

The GDPR, which took effect on 25 May 2018, "contributed to a greater level of board engagement in cybersecurity issues" among FTSE 350 companies, the government's Cyber Governance Health Check (60-page / 2.70MB PDF) found.

"The 2018 Health Check indicates that GDPR has increased the attention FTSE 350 boards give to cyber risk," the government's survey report said. "Over three quarters of businesses (77%) report that board discussion and management of cyber risk has increased since the introduction of GDPR, and more than half (55%) of these businesses have increased measures as a result."

According to the survey, 95% of FTSE 350 companies have developed cyber incident response plans, but just 57% of those businesses test those plans regularly.

Cyber risk expert Ian Birdsey of Pinsent Masons, the law firm behind, said: "In our experience of managing breaches post-GDPR, very few companies have incident response plans and even fewer follow those plans in the event of a security incident or personal data breach."

The survey also found that most board members at the UK's biggest companies continue to lack "comprehensive understanding" of the impact a cyber incident can have on their business.

"Only a minority of businesses (16%) report that their board has a comprehensive understanding of the impact of loss or disruption associated with cyber threats on the types of impact tested in the 2018 Health Check, i.e. customers, share price and reputation," the government said. "This indicates that most businesses feel that board understanding of impacts could be improved."

Birdsey said companies are often unprepared for the scope of the response and the attendant costs, which may cover technical, data analysis, dealing with regulatory and criminal authorities, and managing takedowns, notification and litigation.

"Companies managing a breach response are also typically not prepared for the post-notification stage where notified individuals may exercise their data protection rights, such as issuing data subject access requests, enforcing their 'right to be forgotten' and pursuing claims – including group claims – following high profile data breaches," Birdsey said.

Director-level understanding of cyber issues improves where chief information security officers report directly into the board, according to the survey.

The 'health check' also identified weaknesses in the oversight FTSE 350 companies have of the efficacy of cybersecurity measures throughout their supply chains.

"The supply chain is increasingly becoming a target for cyber attacks; however, recognition of cyber risks in the supply chain appears to be a significant gap amongst a large proportion of businesses," the government said.

"Whilst recognition of the cyber risks arising from businesses in the supply chain is relatively high (73%), less than a quarter (23%) of businesses recognise the cyber risks associated with businesses that are not directly contracted by the business (fourth party and beyond), leaving them particularly vulnerable to such threats," it said.