New European data privacy regulation will create many opportunities for cybersecurity companies. The European Union is to introduce new regulation on data security and consumer data privacy. This General Data Protection Regulation (GDPR) is to replace the outdated Data Protection Directive, and will go into effect in May 2018. Companies will need help to comply.
As technology progresses, enterprises and consumers use and provide more digital services. As we continue to move to the Mobile Internet and increasingly use cloud services, it becomes harder for consumers to control where their data are stored, and who can access and control that data.
Due to new technologies, such as cloud computing, social media and Big Data (i.e. advanced data analytics), more consumer data is stored in systems around the world, to be processed and analyzed. As these systems are typically available online, we also see more attempts to steal that data, through hacking attacks and security breaches.
General Data Protection Regulation is new EU legislation that wants to enable EU citizens to have better control over their personal data, including where their personal data is being stored, the purpose, and the ability to erase that data. While this is a European law, it will apply to organizations anywhere in the world that do business with anyone in the EU, and will therefore have broad-reaching impacts globally. It requires organizations to categorize, record and specify how long an individual’s data has been held and when it will be erased (‘the right to be forgotten’).
Consumer trust is key. Companies need to find a balance between utilizing data and maintaining consumer trust in the longer term. However, the attitudes towards sharing data and trust in a company differ per age group. For example, millennials appear to be more accepting of the idea that they ‘pay’ for the free services that are provided by the large Internet platforms with their data, and that a lack of privacy on the Internet is part of modern life.
A Veritas study published earlier this year showed that while 31% of companies thought they were already GDPR compliant, once pressed further, only roughly 2% were actually prepared. This is concerning given the severe penalties for non-compliance (up to EUR 20 million or 4% of the company’s global annual revenues, whichever is greater). Even more alarming is that Gartner predicts that by the time the legislation comes into effect, only 50% of organizations will truly be compliant. We think this presents an opportunity for security software companies, as many organizations will likely need to modernize their existing infrastructure, or consider a cloud-based alternative.
GDPR does not give a specific formula or checklist of technical capabilities required to be in compliance. The three critical items we think could translate into more security spending are: (1) a requirement to be ‘state of the art’; (2) the need to be able to disclose breaches in less than 72 hours; (3) the potential reputational damage from breaches. State of the art is of course subjective, but it could prompt companies who have run security appliances past their useful life to refresh in order to be perceived as compliant. The need to disclose breaches in less than 72 hours could prompt companies to invest in a higher security operations headcount (in-sourced or out-sourced), and related tools such as data security compliance, threat analytics or intrusion prevention. Perhaps the item that could be most impactful is the potential reputational damage as a result of a breach. This could drive security spending to reduce the probability of a breach happening.
GDPR represents an additional investment burden for businesses and creates opportunities for vendors including software providers that help customers comply with these new rules. Many organizations will likely need to modernize their infrastructure, or consider a cloud-based alternative. According to International Data Corporation, the total spending opportunity related to GDPR will be USD 2.3 billion in 2017 and USD 3.3 billion in 2018, with continued spending at similar levels through 2021. However, given the magnitude and scope of the regulation, we think that actual spending may be much higher.
We consider GDPR’s impact on our portfolios in two ways. We have exposure to the providers of cybersecurity. We also maintain an open dialogue with companies affected by GDPR to understand how they are preparing for the new regulation. This is an extension of a dialogue we’ve been having with ICT companies on data privacy since 2016. Key topics in the discussion include the type of information companies collect, how this information is used and stored and how the company mitigates the risk and severity of data breaches.
The content displayed on this website is exclusively directed at qualified investors, as defined in the swiss collective investment schemes act of 23 june 2006 ("cisa") and its implementing ordinance, or at “independent asset managers” which meet additional requirements as set out below. Qualified investors are in particular regulated financial intermediaries such as banks, securities dealers, fund management companies and asset managers of collective investment schemes and central banks, regulated insurance companies, public entities and retirement benefits institutions with professional treasury or companies with professional treasury.
The contents, however, are not intended for non-qualified investors. By clicking "I agree" below, you confirm and acknowledge that you act in your capacity as qualified investor pursuant to CISA or as an “independent asset manager” who meets the additional requirements set out hereafter. In the event that you are an "independent asset manager" who meets all the requirements set out in Art. 3 para. 2 let. c) CISA in conjunction with Art. 3 CISO, by clicking "I Agree" below you confirm that you will use the content of this website only for those of your clients which are qualified investors pursuant to CISA.
Representative in Switzerland of the foreign funds registered with the Swiss Financial Market Supervisory Authority ("FINMA") for distribution in or from Switzerland to non-qualified investors is Robeco Switzerland AG, Josefstrasse 218, 8005 Zürich, and the paying agent is UBS Switzerland AG, Bahnhofstrasse 45, 8001 Zürich. Please consult www.finma.ch for a list of FINMA registered funds.
Neither information nor any opinion expressed on the website constitutes a solicitation, an offer or a recommendation to buy, sell or dispose of any investment, to engage in any other transaction or to provide any investment advice or service. An investment in a Robeco/Robeco Switzerland product should only be made after reading the related legal documents such as management regulations, articles of association, prospectuses, key investor information documents and annual and semi-annual reports, which can be all be obtained free of charge at this website, at the registered seat of the representative in Switzerland, as well as at the Robeco/Robeco Switzerland offices in each country where Robeco has a presence. In respect of the funds distributed in Switzerland, the place of performance and jurisdiction is the registered office of the representative in Switzerland.
This website is not directed to any person in any jurisdiction where, by reason of that person's nationality, residence or otherwise, the publication or availability of this website is prohibited. Persons in respect of whom such prohibitions apply must not access this website.