Should U.S. CFOs Worry About EU Cyber Risk Rules?

Compliance will motivate firms to update their current processes and methodology to assess cyber risks and the related potential business effects.
Kevin P. Kalinich | February 10, 2017
CFOs around the world have one more risk to fold into their financial planning strategies. The European Union General Data Protection Regulation (EU GDPR), set to come into effect on May 25, 2018, will apply to every organization of every size, industry, and geography that processes data from EU citizens.

The rule subjects a violator of the EU GDPR to a fine of up to 4% of annual global turnover. Thus, U.S. finance chiefs need to impress upon their companies the potential financial statement effects of the requirements. To do this, they must understand the cost-benefit analysis of technical and organizational measures needed to ensure EU GDPR compliance.

The EU GDPR has two primary objectives. The first is to provide EU citizens with control of their personal data, and the second is to simplify the regulatory environment by unifying regulation across the EU.

The rule applies to personal data, including customer lists, contact details, genetic/biometric data, and potential online identifiers like IP addresses. Companies must obtain explicit, clear, and affirmative consent before processing personal data. Assumptions based on silence don’t comply. Organizations outside the EU will still be covered by EU GDPR requirements if they process data related to the offering of goods or services or the monitoring of the activities of EU citizens.


There are several requirements to become EU GDPR compliant. Companies, for instance, should only collect data needed to fulfill specific purposes. Organizations processing large amounts of special categories of data, including public authorities, must appoint a data protection officer with expert knowledge.

The rule mandates that companies conduct privacy risk-impact assessments to analyze the risk of data breaches, including steps to minimize such risk. Adherence to several data breach reporting regulations is mandatory.

The message for CFOs: Be concerned, but don’t panic. Your companies have adequate time to prepare for Europe’s data protection regulations before the 2018 launch date.


Compliance with the EU GDPR will enable firms to update their current processes and methodology to assess cyber risks and the related potential business impact. Preparation can begin by ensuring completion of the following:

  1. EU GDPR Readiness Assessment, which calls on companies to identify, prioritize, and remediate gaps in compliance programs and understand and mitigate data protection risks to satisfy the new rule.
  2. Cyber Impact Analysis, which models the financial statement impact from data breaches under the regulation and more broadly provides a comprehensive understanding of the cyber exposures facing a company.
  3. EU GDPR Insurance Endorsement, which requires companies to address defense costs, expert cyber services, and regulatory defense costs, to the extent allowable under law and arising out of a covered event.
  4. Incident and Claims Response, which asks companies to recruit post-event advisory services, including incident response, digital forensics, and claims handling, to lower the total cost of risk.

Insurance carriers are starting to see an increase in demand for cyber coverage as cyber exposure awareness becomes an enterprise issue. Cyber insurance underwriters consider an EU GDPR-compliant organization a desirable risk for cyber insurance.

Rather than accept the typical insurance exclusion with respect to regulatory actions, EU GDPR-ready companies can get customized insurance-policy wording to address some of the could be and liabilities that could be suffered due to alleged rule violations.

Companies may also be able to have law firms and incident-response outfits pre-approved with their cyber insurers. As with other policies, there remain material shortcomings to such insurance coverage, such as long-term brand/reputation damage and the value of unauthorized loss of trade secrets.

Cost-efficiency Benefits

Compliance with the EU GDPR will motivate firms to update their current processes and methodology to assess cyber risks and their related potential business impact.

In addition to stronger risk management, the EU GDPR can also help an organization achieve cost efficiency. Becoming compliant could be a strategy CFOs use to improve the company's financial planning and budget analysis and reporting.

Once compliant, a company’s total cost of risk could be reduced if it draws a roadmap of its enterprise risk management, consisting of collaboration and accountability with various organizational stakeholders regarding cyber risk identification, quantification, mitigation, and response planning.

The compliance effort can also boost the company’s defenses against specific private rights of action against the organization conferred by the GDPR. As a result, a built-in mergers and acquisitions due diligence cyber exposures checklist could be set up, which would price potential acquisitions and divestitures to avoid dramatic impact on valuation of an organization. Lastly, the steps taken to be compliant could provide an organization with a better idea of its overall risk maturity, enabling the CFO to make stronger investment and resource-allocation decisions as well as document actions and reports for the Board of Directors.

Looking Ahead

Proposed U.S. legislation, along with the EU GDPR, could further raise the awareness of cyber exposures and solutions within companies around the world, helping CFOs better prepare their organizations to take on this risk. For instance, the bipartisan Cybersecurity Disclosure Act bill asks each publicly traded company to disclose information to investors regarding whether any board members are cybersecurity experts. If not, why not?

The Data Breach Insurance Act, introduced in September 2016, would provide a 15% tax credit on premiums paid for businesses that purchase data breach insurance and comply with the National Institute of Standards and Technology (NIST) Cybersecurity Framework or similar security standards.

While the EU GDPR is designed to protect EU citizens, compliance will also help U.S.-based corporations to mitigate the financial statement impact of a data breach. Data security is a business risk and potential source of corporate liability. Although three recent stockholder derivative claims against directors of Home Depot, Wyndham Worldwide and Target were dismissed, derivative suits against directors are likely to increase as the complex Internet of Things phenomenon develops and heightened regulatory scrutiny such as the EU GDPR evolves. Prudent CFOs will start the EU GDPR compliance process now.

Kevin P. Kalinich is the global cyber insurance practice leader for Aon Risk Solutions.