The EU General Data Protection Regulation means cyber security will become a critical part of company research and engagement. David Sheasby, head of stewardship and ESG at Martin Currie, explains the risks for companies.
There has been no shortage of high-profile cyber-attacks in 2017, and it is safe to say that this threat won’t diminish any time soon. In fact, it’s more likely to get worse. So, when looking for prominent themes for 2018, this is not a bad place to start.
Few companies will now be ignorant of the operational, reputational and financial risks from cyberspace, but preparedness varies significantly. Critically, the laissez-faire approach of the past is coming to an end in many jurisdictions. Of biggest consequence in 2018 is the introduction of the EU General Data Protection Regulation (GDPR), which European companies have to comply with by the end of May.
The regulation comes with a fairly sizeable stick – failure to comply can lead to fines of up to €20 million, or 4% of annual group turnover (whichever is larger). In addition, companies will be required to report data breaches within 72 hours of discovery.
Not only will companies have to spend more on their cyber defences, but they may also end up questioning the risk/reward of holding certain data. Indeed, although it’s early days, we’ve already seen companies deleting whole databases after failing to justify the attendant risks.
So, what are we doing in this area? Well, due to the materiality across sectors, cybersecurity has become a critical part of our company research and engagement. An example of the latter is our involvement in the Principles for Responsible Investment (PRI)’s collaborative engagement on cybersecurity. Here we have been on the steering committee setting the terms and objectives, as well as selecting the list of targeted businesses.