EU data protection regulation to boost the cybersecurity sector

20-12-2017 | Insight

New European data privacy regulation will create many opportunities for cybersecurity companies. The European Union is to introduce new regulation on data security and consumer data privacy. This General Data Protection Regulation (GDPR) is to replace the outdated Data Protection Directive, and will go into effect in May 2018. Companies will need help to comply.

  • Michiel Plakman
    Portfolio Manager Robeco Global Stars Equities
  • Daniëlle Essink
    Engagement Specialist

Speed read

  • New EU consumer data privacy and security regulation as of 2018
  • Very few companies are prepared, risking severe penalties
  • We invest in cybersecurity providers, which will greatly benefit

As technology progresses, enterprises and consumers use and provide more digital services. As we continue to move to the Mobile Internet and increasingly use cloud services, it becomes harder for consumers to control where their data is stored, and who can access and control that data.

Due to new technologies, such as cloud computing, social media and Big Data (i.e. advanced data analytics), more consumer data is stored in systems around the world, to be processed and analyzed. As these systems are typically available online, we also see more attempts to steal that data, through hacking attacks and security breaches.

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation is new EU legislation intended to give EU citizens better control over their personal data, including where that data is stored, for what purpose, and the ability to erase it. While this is a European law, it will apply to organizations anywhere in the world that do business with anyone in the EU, and will therefore have broad-reaching impacts globally. It requires organizations to categorize, record and specify how long an individual’s data has been held and when it will be erased (‘the right to be forgotten’).

Consumer trust is key. Companies need to find a balance between utilizing data and maintaining consumer trust in the longer term. However, the attitudes towards sharing data and trust in a company differ per age group. For example, millennials appear to be more accepting of the idea that they ‘pay’ for the free services that are provided by the large Internet platforms with their data, and that a lack of privacy on the Internet is part of modern life.

Companies hardly prepared for data protection regulation

A Veritas study published earlier this year showed that while 31% of companies thought they were already GDPR compliant, once pressed further, only roughly 2% were actually prepared. This is concerning given the severe penalties for non-compliance (up to EUR 20 million or 4% of the company’s global annual revenues, whichever is greater). Even more alarming is that Gartner predicts that by the time the legislation comes into effect, only 50% of organizations will truly be compliant. We think this presents an opportunity for security software companies, as many organizations will likely need to modernize their existing infrastructure, or consider a cloud-based alternative.

GDPR does not give a specific formula or checklist of technical capabilities required to be in compliance. The three critical items we think could translate into more security spending are: (1) a requirement to be ‘state of the art’; (2) the need to be able to disclose breaches in less than 72 hours; (3) the potential reputational damage from breaches. State of the art is of course subjective, but it could prompt companies who have run security appliances past their useful life to refresh in order to be perceived as compliant. The need to disclose breaches in less than 72 hours could prompt companies to invest in a higher security operations headcount (in-sourced or out-sourced), and related tools such as data security compliance, threat analytics or intrusion prevention. Perhaps the item that could be most impactful is the potential reputational damage as a result of a breach. This could drive security spending to reduce the probability of a breach happening.

The investor perspective

GDPR represents an additional investment burden for businesses and creates opportunities for vendors including software providers that help customers comply with these new rules. Many organizations will likely need to modernize their infrastructure, or consider a cloud-based alternative. According to International Data Corporation, the total spending opportunity related to GDPR will be USD 2.3 billion in 2017 and USD 3.3 billion in 2018, with continued spending at similar levels through 2021. However, given the magnitude and scope of the regulation, we think that actual spending may be much higher.

We consider GDPR’s impact on our portfolios in two ways. We have exposure to the providers of cybersecurity. We also maintain an open dialogue with companies affected by GDPR to understand how they are preparing for the new regulation. This is an extension of a dialogue we’ve been having with ICT companies on data privacy since 2016. Key topics in the discussion include the type of information companies collect, how this information is used and stored and how the company mitigates the risk and severity of data breaches.

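Important information

This document has been prepared for information purposes and is either an English-language document prepared by Robeco Institutional Asset Management B.V. or a translation of that English-language document by Robeco Japan Company Limited. It is not intended as a solicitation or recommendation to buy or sell any individual financial product mentioned in it. The information contained herein is believed to be sufficiently reliable, but its accuracy and completeness are not guaranteed. Opinions and forecasts are based solely on our judgment as of the date of preparation and are subject to change without notice. Investment performance, market trends, opinions and the like relate to a particular point or period in the past, and past performance does not guarantee or indicate future investment results. In addition, the investment policies and strategies described may not be suitable for all investors. This document is not intended to provide legal, tax or accounting advice.

Before entering into a contract, please consult a professional as necessary and make the final decision yourself.

The value of the assets under management fluctuates with the prices of the securities held, movements in financial markets and interest rates, and the creditworthiness of the issuers of the securities held as reflected in their financial condition. Investments in foreign-currency-denominated assets are also affected by exchange rate movements. All profits and losses arising from the investment belong to the investor. Accordingly, neither the invested principal nor any particular investment result is guaranteed, and losses may exceed the invested principal. Because the fees or remuneration for our financial instruments business vary with the type of contract concluded and the amount of contract assets, they may not be stated in this document and may be presented separately. For the specific amounts and calculation methods of fees or remuneration, please contact our representative.

The rights to this document and to the information and products described in it belong to our company. Please therefore refrain from reproducing or otherwise distributing it, in whole or in part, without our written consent.

Trade name: Robeco Japan Company Limited, Financial Instruments Business Operator, Director-General of the Kanto Local Finance Bureau (Kinsho) No. 2780

Member association: Japan Investment Advisers Association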