Analysis Finds GDPR Cybersecurity Compliance Saves Money for Business
Comparing the number of identity thefts before and after the General Data Protection Regulation took effect shows that its data breach notification requirements produced a 2.5%-6.1% decrease in identity thefts, French privacy watchdog CNIL said Thursday.
Its analysis of the GDPR's economic impact on cybersecurity (specifically identity theft) calculated that $103 million-$251 million (90 million-291 million euros) in cyber damage losses in France were avoided since 2018, and around 585 million-1.4 billion euros at EU level.
Most economic studies on regulation focus mainly on costs and deal only marginally with benefits, CNIL said. In contrast, the CNIL analysis considered the GDPR's benefits.
In the economics of cybersecurity, IT security is treated as a business investment choice, the watchdog noted. "This investment decision follows a profitability logic: investment in cybersecurity is weighed against its cost and the risk of cyberattacks."
However, this approach omits a "crucial" element: the impact of a company's investment on the rest of society, known in economics as an "externality."
Because of such externalities, the level of companies' spontaneous investment in securing information systems isn't optimal in the absence of regulation, CNIL argued.
Regulations such as the GDPR can remedy this market failure because they impose security requirements that benefit not only potential victims of cybercrime, but also companies and their partners, CNIL said.
The analysis examined three externalities that influence cybersecurity investment: other companies, cybercriminals and customers/users.
The level of a company's cybersecurity depends on other businesses' cybersecurity investments, CNIL said. When a company invests in cybersecurity, it helps create an environment that is more resistant to cybercrime as a whole.
However, CNIL said, companies have no incentive to consider the benefits that their cybersecurity investment brings to competitors, which limits how much they invest.
Regarding cybercriminals, CNIL said, when security measures are inadequate, attacks succeed more often. The more attacks succeed, the larger the ransoms cybercriminals can demand while still being confident that some victims will pay.
Underinvestment in cybersecurity increases the profitability of cybercrime, CNIL said. It creates a vicious circle: it promotes successful attacks, increases cybercriminals' ability to demand higher sums, and ultimately raises the profitability and severity of cybercrime.
On the customer side, CNIL said, leaked data can be reused in further attacks such as phishing or spoofing. Companies that report data leaks are often exposed to loss of reputation, valuation and consumer confidence and, in the absence of regulation, many choose not to report breaches.
The GDPR makes such non-reporting unlawful: data controllers are required to notify the data protection authority and, where a breach is likely to put individuals at high risk, the affected data subjects. By reducing companies' ability to avoid reporting, the GDPR provides benefits for society.
Moreover, GDPR compliance makes it possible to combat cybersecurity underinvestment, CNIL said. For example, requiring actors to disclose serious data leaks to data subjects may lead those people to stop dealing with companies whose level of cybersecurity is insufficient. Those businesses might then take responsibility and invest more in cybersecurity.
Considering the level of compensation for such losses and the impact of identity theft on customers' confidence online, "it can be estimated that 82% of these avoided losses benefit companies."