2017 brought new regulations in cyber security, but 2018 will be the year that businesses truly feel their effects. Regulatory bodies are keen to demonstrate their seriousness as new rules and guidelines are rolled out, with severe repercussions for non-compliance. The powers that be are patiently awaiting any slight misstep, so organisations will need to tread carefully – or risk being made an example of.
EU
The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. The new rules set a single standard for personal data protection across the EU, and they apply to any organisation, whether or not it is established in the EU, that processes the personal data of individuals in the EU, regardless of those individuals' citizenship. The prospect of class action lawsuits (the regulation allows data subjects to be represented by not-for-profit bodies) and the reputational damage associated with GDPR will be particularly worrisome for consumer businesses.
Enforcers will be keen to prove that the new regulations are more than just talk. “One thing to look out for in 2018 is that as these regulators continue to increase their focus on guidance on requirements, you’re going to see more enforcement actions taking place, almost certainly,” says CJ Dietzman, vice president, security advisory at Stroz Friedberg. In the coming year, his risk management firm predicts that a European data protection authority will slam at least one major company with a fine for violating GDPR. The upper tier of GDPR fines can reach €20m (roughly US$23.8m) or 4% of worldwide annual turnover for the preceding financial year, whichever is higher; the penalty is imposed by the national supervisory authority of the member state concerned, not by the European Commission itself.
Asia-Pacific
Countries like Australia, Japan, and South Korea are closely aligning their regulations with Europe’s GDPR standard, though enforcement and fines are expected to be less severe.
United States
Big data aggregators are expected to come under intense scrutiny in the US in 2018 over how they collect, use, and secure data. The New York Department of Financial Services, whose cyber security regulation for financial institutions (23 NYCRR Part 500) came into force in 2017, and other regulatory bodies throughout the country will likely double down on enforcement of existing cyber security rules in response to the major breaches of 2017.
New regulations will have an impact on companies beyond the sectors traditionally concerned with cyber regulations, like healthcare, financial services, and retail. “If you read the tea leaves, whether it’s the Government Accountability Office issuing guidance and conducting analysis around automotive cyber security with the smart car, or the FDA and Congress’ focus on medical device security, this type of [scrutiny] and guidance is going to have impact across industry sectors and ancillary industry sectors that historically have not been highly regulated from a cyber security standpoint,” says Dietzman. “In this new environment, companies will need to harmonise their regulatory approach. It’s high time to look for ways to innovate.”