It’s time to merge cyber security and data privacy into one digital risk function
The development of digital information has multiplied the possibilities for businesses of all shapes and sizes to carve out a competitive advantage. Just consider how companies are harnessing technology to improve their performance: collecting customer data to create personalised services and targeted marketing campaigns, or scrutinising employee performance data and supply chain information to drive productivity and improve efficiency.
This offers huge potential, but it also creates vulnerabilities and interdependencies between previously discrete threats. This is particularly the case for cyber security and data privacy risks, which are now linked because of the increased use of personal data. For example, a data breach can result from a cyber-attack, but it also has data privacy implications.
But business leaders’ attempts to come to terms with the changing nature of these threats are hampered because the past three years have seen businesses around the world bogged down in data privacy compliance. Still getting to grips with GDPR in Europe, they face new regulation in Australia, California and Canada.
No wonder two-thirds of businesses surveyed for Grant Thornton’s latest International Business Report (IBR) are focusing more on privacy than on cyber security, and the majority (59%) are actively preparing for the next wave of privacy regulation. But cyber security threats have also soared: the number of cyber-attacks causing losses in excess of $1m has increased by 63% during the past three years.
So it is critical for businesses to get to grips with both risks, data privacy and cyber security, effectively and efficiently. Yet they are struggling, because data privacy and cyber security are often managed by different teams. The chief privacy officer (CPO) takes responsibility for the former; the CISO or CTO for the latter.
In this perspective, Alessandro Leone, Partner at Grant Thornton Financial Advisory Services in the Business Risk Services area, stated: “Is it right to manage cyber security and data privacy separately? These two subjects are strongly interrelated, thanks to the technology development which has led to a management of data (including personal ones) based on complex IT systems, which are often held by different suppliers. In fact, for example, companies are increasingly using algorithms to predict consumer behaviour, based on a high quantity of data collected from both digital and “physical” activities (e.g. monitoring movements through device localisation, etc.).”
“Although an integrated management of cyber security and of data privacy” – continued Alessandro Leone – “many companies still do not do it, sometimes due to a lack of specialised skills in one single function. The situation is even more critical in those organisations where cross-functional communication channels are insufficient. So it could be necessary to create a new professional figure, i.e. a chief digital risk officer, having specific IT and legal skills and able to support executives in pursuing their strategies through the management of digital risk.”
It would be far better for both to be managed by the same team. After all, much of the work that ensures compliance with data privacy rules can be used to bolster cyber security, and vice versa. In addition to helping businesses manage digital risks, this approach adds value by enabling them to start digital transformation initiatives more quickly.
Optimising data classification
A single digital risk team will also ensure that the data classification companies undertake across the business for various purposes is aligned and coordinated.
Companies could use the data classification conducted to aid compliance with data privacy regulations such as GDPR to enhance cyber security as well. Similarly, they could categorise data according to its value to the business. Identifying the most valuable data means it can be better protected with more sophisticated cyber defences.
Where privacy and cyber security merge
Assessing data privacy and cyber security risk within one digital risk function is even more relevant in the event of a data breach. Businesses need to know how the breach occurred and which cyber defences (if any) failed. They also need to understand how the data were compromised, evaluating the risk to people’s rights and freedoms and, where such a risk exists, disclosing the breach.
However, today most businesses are not fully equipped to do this. Only 28% of surveyed businesses are ‘highly satisfied’ with their ability to protect against the risk of a serious breach, and just 26% with their ability to respond consistently to a major breach across the entire business, no matter when or where it takes place.
Integrate privacy and security into one function, and businesses will be able to respond more effectively to data breaches thanks to their combined resources and a more holistic understanding of the threat.
Third-party assurance
The increased interconnectedness of cybersecurity and privacy has implications for how third-party assurance is conducted.
For example, data privacy regulation such as GDPR requires businesses to obtain robust guarantees from suppliers that handle data on their behalf. And since businesses also have to check whether their suppliers are vulnerable to cyber-attack, why not assess privacy compliance at the same time?
A single function that conducts comprehensive assessments of third-party digital risk, covering both cyber and privacy, is better positioned to ensure that risk is considered more thoroughly. This approach should also be helpful in the supplier selection process.
Although such an integrated approach is clearly advantageous, in practice it is not yet widespread.
Board oversight is key, combined management essential
The case for an integrated digital risk function is clear. But who should manage it?
At the moment, there is confusion about where responsibility ultimately lies, and this is hampering digital risk management. Tellingly, surveyed businesses say that a lack of understanding about which risks individuals and teams are responsible for is their second-greatest weak point in managing digital risk.
Like financial risk, digital risk’s severity means that the board must take an active role in overseeing it. Ideally, a specific digital risk committee should be established within the board to oversee this risk, with representation from experts.
Most companies put the chief risk officer or chief technology officer in charge of the day-to-day management of these risks. But effective digital risk management relies on a lot more than technology. Chief risk officers typically focus on financial risks, and so may not possess the expertise needed to manage digital risk effectively. That is why there is a need to establish a chief digital risk officer, i.e. a figure who is comprehensively responsible for all aspects of digital risk.
Three steps to integrated digital risk management
- Work out who is responsible for managing cyber security and data privacy risk, map out their activities and daily workflows, and see if there is any overlap. Strip out duplicated processes.
- Ensure that digital risk processes are managed on an end-to-end basis. For example, third-party assurance should assess both cyber security and data privacy. Both factors should also be evaluated when classifying data.
- Create an integrated digital risk management team or function that has the skills to manage both cyber security and data privacy threats. Head it up with a chief digital risk officer capable of championing digital risk and ensuring it’s factored into strategic and operational decisions across the business. Make sure that the board actively oversees digital risk.