
Companies Unprepared for Looming Cyber Crime Rules Face Crippling Fines

A string of surveys and public statements shows that most CEOs are at least wise to the risks presented by cyber crime. Now, a related threat is emerging that could do equal damage to their business: cyber crime rules.

Governments around the world are gradually taking a more heavy-handed approach to regulation after high-profile attacks crippled public services or led to the theft of troves of customer data.

In February, New York state introduced final regulations that require banks and insurers to meet minimum cybersecurity standards and report breaches to regulators.

European countries, however, appear to be taking the lead on the issue, with the pending introduction of the General Data Protection Regulation, due to come into force in May 2018.

Companies falling foul of the rules could face a maximum penalty of €20 million ($22 million), or 4% of their global turnover—potentially catching out foreign companies with European subsidiaries, or the large number of U.S. companies that have based themselves there for tax purposes.

Just a third of UK-based companies have started preparing for the rule change, while a startling 60% aren’t even aware of the new rules, according to a new survey commissioned by law firm Irwin Mitchell.

The poll of 2,000 businesses, conducted by YouGov, also found that 71% weren’t aware of the size of the penalties they could face. Some 18% said they would go out of business if they received the maximum penalty, while around 10% said they would need to make significant job cuts.

The findings come after 836 insurance practitioners polled by PwC ranked cyber risk as their second-biggest concern for 2017, behind change management risks associated with digital disruption, and jumping above regulation risks and recession fears.

Insurers were anxious about attacks on their own businesses, but also about the cost of underwriting cyber crime. Covering clients for multi-million fines could be a big part of the mix, too, if businesses, particularly in Europe, don’t strengthen their defenses soon.

“[Next] May’s deadline is fast-approaching and with so much at stake, our study reveals there’s a very real possibility that the majority of organizations will not be compliant in time,” Irwin Mitchell partner Joanne Bone said.


Ross Kelly

Ross Kelly is a London-based business journalist. He has been a staff correspondent or editor at The Wall Street Journal, Yahoo Finance and the Australian Associated Press.
