Without common global frameworks, keeping up with varying data protection and privacy laws is likely to remain a challenge for TMT companies for years to come, especially as financial penalties and sanctions toughen. But related risks and uncertainty may be tempered if European GDPR standards, continuing to inspire regulators globally, become a de facto global standard.
Technology, media and telecom companies also should expect a rough ride if they are perceived to engage in anti-competitive practices, either in terms of market dominance (a bigger problem for technology companies) or mergers and acquisitions that might be seen as anti-competitive or against consumer interests.
Meantime, all TMT companies need to be alert to environmental, social and governance (ESG) issues with regulatory and legal implications highlighted in the earlier trends. In combination, how TMT companies handle these issues will have a profound impact on corporate brands and reputations, according to TMT executives. Areas of risk and uncertainty include:
Intellectual property infringement, a perennial problem, has been complicated by the global pandemic. Improvised technical arrangements combined with careless or bored home-bound employees have fueled new waves of IP loss or theft. Third-party business partners also have infringed on IP rights, in some cases by calculating that the benefits outweigh the cost of legal defense.
More broadly, public policy leaders and regulators have focused on the comparative market positions of leading tech companies, and even on smaller telecom and media companies pursuing mergers and acquisitions that are suspected of limiting competition or consumer choice. The pattern is global, with regulatory actions stepping up in pace in Europe and Asia as well as the United States.
Reputational risk is in some ways harder to measure and harder to define. It can come from any direction. Consumers are rightly concerned about how their data is gathered and used, and sloppy data protection and privacy practices can cause serious long-term damage to an image – or a balance sheet. If a merger is seen as a move to jack up prices or limit consumer choice, the parties may pay a heavy cost both in terms of reputation and in dealing with new barriers to a transformational strategic shift. Forward-looking businesses are including brand impact and financial consequences in every business decision.
The uncertain direction of data protection and privacy laws and regulations is among the top risk management issues that face technology, media and telecom companies, according to our research and interviews with TMT executives.
Regulation and legal exposures are spreading as more countries seek to control the gathering and use of web content and personal data while applying stiffer financial penalties for violations. At the same time, consumers are more attuned to privacy and data protection issues, fueling further regulation and consumer protection laws.
Jose Mercado – Willis Towers Watson Latin America TMT Industry Group Leader
Global regulators may apply more onerous requirements for companies when it comes to identifying and mitigating cyber risks, especially when the risks involve ...
Carlos Pereira – Willis Towers Watson Group Data Protection Officer, EMEA
There is a significant change of paradigm with the introduction of comprehensive privacy laws such as the EU’s General Data Protection Regulation (GDPR). To thrive, organizations must embed privacy in their DNA rather than approaching it as a one-off compliance exercise. I suspect this point is often lost by organizations.
We are seeing a global proliferation of privacy laws, many of these GDPR-like laws as the GDPR quickly becomes a global standard. There is increasing awareness and interest in privacy topics by individuals and clients, fines for violations are more severe and enforcement actions more common. This poses a financial and reputational risk for organizations, but it also presents an opportunity. A robust privacy programme that treats personal data lawfully, transparently and fairly can be a trust accelerator with individuals, clients and regulators, and can become an innovation enabler and a competitive differentiator for organizations.
With the sharp rise in remote working arrangements due to Covid-19, organizations face increased cybersecurity risks. As organizations embrace more permanent flexible working regimes after the lockdowns, these risks are likely to persist and should be considered carefully.
In addition to increased cybersecurity risks, I anticipate that other challenging areas for organizations in the foreseeable future will include the following: (i) cross border data transfers due to increasing data localization requirements, data sovereignty issues in the context of the cloud and recent developments such as the Schrems II judgement in the EU; (ii) use of artificial intelligence and machine learning tools, due to potential risk to the rights and freedoms of individuals; (iii) online behavioral advertising activities, just to name a few areas. Data ethics and the need to create ethical frameworks around these tools and use cases is therefore an increasing area of focus for regulators and organizations.
Organizations will need to shift gears from reactive to proactive on privacy matters and embed privacy in their business operations by, amongst other aspects, creating good data governance and improving the quality of the data they handle. For example, consider implementing privacy by design and by default controls that consider privacy protections at the outset of a new product or IT application. This is a good building-block for a good privacy programme.
Organizations that make the step change and factor-in privacy considerations in their strategy from the outset will thrive. Those that don’t adapt will likely be caught in the compliance trap.
Growing reputational risks are also expected by TMT executives as their companies adjust to environmental, social and governance criteria that are increasingly applied by investors, customers and other stakeholders, as well as regulators.
Our research also confirms heightened concerns in other areas, including:
The findings surfaced in research conducted by Wharton students in the Mack Institute for Innovation Management’s Collaborative Innovation Program.
Global regulators may apply more onerous requirements for companies when it comes to identifying and mitigating cyber risks, especially when the risks involve personally identifiable information (PII). Technology, media and telecommunications firms should expect increasing scrutiny of cyber risk management programs and brace for greater pressure to demonstrate that they are addressing emerging regulatory concerns in a timely way.
Although global regulations are in general moving in the same direction, TMT companies will continue to be challenged by a global patchwork of regulatory and legal requirements that may vary widely from country to country and among regions.
It is crucial that risk managers and information officers, as well as their boards, understand how the regulatory framework is evolving and identify and implement the steps needed to embed emerging regulatory expectations as fully as possible into existing cyber risk programs.
Spotlight on artificial intelligence and machine learning (AIML)
Artificial intelligence and machine learning (AIML) pose distinctive risks in part because different regulators tend to think of AIML in different ways. This results in the risk of over- or under-regulating AIML and is thought by some experts to be inhibiting firms from adopting new AI systems.
Mark Lewis, senior consultant at Macfarlanes LLC, has noted that part of the challenge is the absence of specific AIML regulation outside of certain limited areas, such as the EU’s General Data Protection Regulation (GDPR). He reckons that, overall, regulated firms are often unclear whether their systems and governance processes for technology, digitization and related services will remain viable when applied to AIML.
In looking at regulations emerging in the UK financial services, Lewis has identified likely areas of regulatory focus, including:
Human and machine-learned bias.
Digital exclusion, as when less online presence might exclude a consumer from certain products and services or favorable pricing.
Data monopolies among larger firms.
Transparency and subject consent to use of new data types.
A recent example of data and privacy legislation
America’s most populous state, California, set the country’s tone for data protection with its 2018 California Consumer Privacy Act. Other states have begun taking similar actions, recently including New York State.
The New York example is instructive. A Willis Towers Watson analysis notes that a proposed state law, the New York Privacy Act, or NYPA, would provide state residents transparency and control over their personal data and include new privacy protections. Companies that collect information on large numbers of New Yorkers would be required to disclose the purposes of any data collection and collect only data needed for those purposes.
A Consumer Data Privacy Bill of Rights in the pending legislation would guarantee New Yorkers the right to access, control and erase their data, the right to non-discrimination from providers for exercising these rights, and the right to equal access to services.
Other requirements include disclosure of methods that companies use for de-identifying personal data, placing special safeguards around data sharing and allowing consumers to obtain the names of all entities with whom their information is shared, reminiscent of the GDPR’s consent requirement.
For TMT companies, the NYPA presents an inherent conflict with a requirement that companies act as data fiduciaries. Boards of directors have a duty to act in the best interest of shareholders; however, as data fiduciaries, they would have to act in the best interest of consumers as well.
Until a federal privacy law is passed, businesses in New York and other states will continue to face significant compliance complexities. Aiming to comply with an assortment of federal and state data privacy laws that are continuously changing is more challenging than ever.
Cyber risks insurability
The insurability of cyber risks will remain challenging for most TMT companies. Rapid technological changes, notably digitalization, have already transformed the characteristics of these risks. AI, 5G and other technological advancements will further expand – and muddle – the cyber risk landscape.
System or supply chain disruption or failures, distributed denial of service, hacking and ransomware attacks also compound risk while posing increased costs and lost revenue. The timing and severity of these issues can be difficult to predict, with companies increasingly looking to their insurance policies to cover related business interruptions while increasing demand for cyber insurance.
As cyber risk is one of the most dynamic perils facing the industry, companies must carefully manage their cyber exposures within a broader cyber risk management strategy. The strategy must accommodate divergent views about risk financing, including clarity around the terms, conditions and cost of insurance policies counted on for protection. Insurers regularly re-evaluate their underwriting approach to stay abreast of cybersecurity innovations and other attack vectors, and a likely outcome is that insured companies face higher costs as market demand for cyber products is increasing.
Data protection and privacy issues are not new to technology, media and telecom companies. However, the size and frequency of data and privacy-related fines and sanctions point to risk management gaps within many industry sectors.
“It’s fair to ask what TMT businesses are doing wrong to be hit with so many financial penalties or face reputational damage related to data protection and privacy,” said Lay See Ong, divisional TMT director at Willis Towers Watson. “TMT companies need to do a better job anticipating regulatory developments and moving proactively to deal with them.”
A global data and privacy model is the European Union’s General Data Protection Regulation. The EU is in the process of significantly expanding its body of regulations as it considers a new Digital Services Act and Digital Markets Act. The regulations, among other things, will carry the EU deeper into the realm of content moderation and add additional user safeguards.
Until recently, the U.S. has taken a comparatively relaxed approach at the national level with privacy laws covering identifiable individual financial or health data. California and other U.S. states have begun adding tougher legal and regulatory regimens with the threat of financial penalties.
Asian countries are taking similar actions with emphasis on cross-border data flows and rising interest in establishing more consistent data and privacy standards across the region. The Asian Business Law Institute acknowledges that many companies find it difficult to follow local laws and regulations that change too frequently for translations to keep pace. Compliance risk is an obvious outcome.
In Latin America, data protection and privacy efforts are also gaining traction in several countries, including Mexico, Brazil, Argentina and Chile. But as in Asia and the United States, the lack of regulatory consistency poses risk.
For some TMT companies, one risk mitigation strategy is to apply European or California-like privacy standards to operations in other regions, shaping de facto national or even international standards. Microsoft made an explicit affirmation of this in announcing its support for California’s privacy and data protection regulations, a position that reflects a sensible effort to stay ahead of spreading privacy concerns. The U.S.-based technology company had previously committed to applying Europe’s GDPR standards to its global customer base.
Industry research, in a study of 600 major companies after CCPA’s enactment, found that media and telecom companies were extending CCPA rights to all consumers. Technology companies tended to lag, possibly because of their larger business-to-business model.
Most companies are making whatever technical accommodations are necessary to ensure that data gathering occurs within legal and regulatory guidelines. But over-reliance on technical solutions can leave a company poorly positioned to anticipate new regulations or abrupt shifts in consumer expectations around data management and privacy.
The best technology won’t be effective if a company doesn’t proactively instill privacy and data protection as part of the corporate culture and standard business practice.
“We want to integrate a concern for data security and customer privacy into all aspects of our business,” said one TMT executive. “It has to be a mindset that seeps into everything.”
Paraphrased content from: After Covid-19: Cyber and the coming remote work revolution Tom Finan – Director FINEX Cyber/E&O
When the world emerges from the COVID-19 pandemic, cybersecurity will never be the same. The reason? People. While companies have traditionally extended work-from-home privileges to only select individuals, they now find that remote work is the expected employee norm.
Cybercriminals will adjust their tactics accordingly. Hackers are already shifting their targets from relatively well-defended corporate environments to home offices and other offsite locations that lack similarly strong protections. The recent surge in phishing attacks aimed at quarantined remote workers is just one sign of this impending change.
Three trends are emerging around where and how work will be performed post-pandemic. Each of the following will alter the cyber risk management landscape:
HR leaders rising as essential cybersecurity players and joining forces with their Chief Information Security Officer (CISO) colleagues.
Companies that fail to embrace this changing reality may face increased exposure to damaging cyber incidents. Injured parties, counsel and courts may come to recognize human-caused cyber incidents as largely avoidable and – in many cases – negligent. Insurance underwriters may be similarly unsparing when assessing client suitability for cyber and other critical lines of insurance.
To protect themselves, companies should start now with building and funding the people-focused cyber risk management strategies they’ll need to avoid major financial, legal and reputational loss.
Over the last several months, hackers have spread malware and launched other cyberattacks. For example, ransomware has been embedded in emails fraudulently advertising coronavirus protection and detection techniques.
As cybercriminals shift their tactics, the need to better manage the human element of cyber risk will come to the forefront. Companies will likely need to build more robust cyber risk cultures that focus on aspects of employee experience that correlate to higher cyber risk. They will not only have a strong defense against future claims of cyber negligence but will likely qualify for cyber insurance on more attractive terms.
Content moderation is another growing area of legal and regulatory interest. The Brookings Institution, a public policy think tank, lists efforts in France, Germany, Brazil, the U.S. and elsewhere to have social media companies better monitor “hate speech” and other content. The legislative and regulatory efforts have faced strong opposition from free speech proponents. Public policy mavens, as Brookings points out, are trying to strike a balance for users who feel besieged by “disinformation, harassment, and threats of violence.”
Intellectual property infringement is another risk that isn’t going away. In our latest research, IP infringement risks have expanded into two relatively new areas. The first is connected to the remote working arrangements that many companies adopted to help control the spread of the COVID-19 pandemic.
Improvised technical arrangements and isolated, often less-supervised workers can open the door to IP loss or theft. Jones Day, a U.S.-based international law firm, lists the following as among the risks of remote working:
Unauthorized copies of information disclosed, intentionally or not.
“These risks are not unique to remote working arrangements,” according to Jones Day, “but extended periods can greatly reduce visibility and control over how employees work and their handling of trade secret information.”
The larger problem of IP infringement, some TMT executives say, surfaces when companies find it necessary to work with third party organizations that might be infringing on IP rights for their own business objectives. Third party infringement may occur because of technology shortcomings or internal processes that do not fit the standards of the IP owner. There is also the risk of “efficient infringement”, when a company calculates that the benefits of IP infringement are greater than the legal costs of defending against litigation.
Mergers and acquisitions remain in favor with TMT companies that need to shift their business models or improve profitability. But antitrust concerns are increasingly common if a company is seen as squeezing out competition. In the United States, federal agencies and various states have targeted the tech companies with what the Wall Street Journal describes as “competition-focused probes”.
The larger tech companies are well positioned with the financial wherewithal to defend themselves against government probes and litigation. Media and telecom companies may find themselves in a bigger squeeze because regulatory and legal pressures slow or complicate restructuring efforts aimed at reshaping their businesses.
It took AT&T nearly two years to acquire Time Warner, an acquisition that was a key part of its strategy to combine content with AT&T’s extensive customer relationships, pay TV subscriber base and scale in TV, mobile and broadband distribution. A big technology company may feel that it can afford to consider Justice Department scrutiny as just another cost of business, but legal or regulatory scrutiny takes on more ominous overtones for media and telecom companies at the forefront of TMT convergence.
“When thinking about the ‘unknown’ risks, don’t just look at what’s regulated. Ask yourself, ‘What could be regulated?’ Especially in an M&A situation, you have to consider what’s on the horizon of regulation,” advises Sara Benolken, Willis Towers Watson Global TMT Industry Leader.
Antitrust actions are not confined to the United States. The European Commission is taking a hard look at TMT M&A for any trace of anti-competitive behavior, as when it concluded in a 2020 “preliminary view” that Amazon might be using non-public business data of independent sellers “to the benefit of Amazon’s own retail business.” In China, the government launched an antitrust action against the Alibaba Group.
Rising geopolitical tension and national security fears further muddle the TMT regulatory and legal risk picture. U.S. concerns about security risk with Huawei’s 5G technology put Europe under pressure to exclude or limit the company’s involvement in the 5G rollouts.
Fredrik Motzfeldt – Willis Towers Watson Great Britain Industry Leader Technology, Media & Telecommunications
If we ever thought we could survive without the technology sector, we now know otherwise. As countries worldwide went into lockdown beginning in the winter and spring of 2020, technologies that did not exist even a decade before became our lifelines. Videoconferencing, cloud computing and high-speed internet at employees’ homes enabled at least some parts of the economy to carry on. New technologies became the main channel through which many of us reached out to loved ones and obtained news and entertainment.
For technology companies, 2020 was a year of heightened risk. COVID-19 and trade disputes disrupted the global supply chain of the major technology companies and in certain cases shut down entire production lines and supply chains for extended periods of time.
Rising political risk is at the top of executives’ list with companies feeling increased regulatory and political pressures in areas, such as access to talent (work visa restrictions), intellectual property and political challenges to alleged dominant market position and ownership structure.
While the prospects for the global technology industry look promising in 2021 and beyond, the implications of the increasing political tensions and worsening trade disputes facing the sector globally are likely to have profound and disruptive effects on society as a whole and on the environments in which companies, their customers, and countries operate.
There was a time when technology companies may have taken comfort in operating under the radar of government restrictions. Tech moved quickly; public policy moved slowly. That situation is changing, with governments taking an increasingly assertive stance on technology regulation even as civil society raises difficult questions about the political and outsized economic role played by new technologies. Even as they bash some tech giants for their market power, the United States, Japan, Europe and China also like the idea of having “national champions” in the TMT industry as they seek to enhance the position of their respective countries, value systems, and technological standards.
Perhaps as a result, we have seen the technology sector become an increasingly large share of our book of business for political risk insurance. In an effort to understand this phenomenon, we commissioned Oxford Analytica to conduct research into the new political risks facing technology companies.
Oxford Analytica convened a panel of external affairs and risk management professionals at five of the world’s largest technology companies. Firms headquartered in the U.S. and Europe were selected. Oxford Analytica then conducted in-depth interviews with this panel of executives to produce a risk radar (which also appears in our Managing the new political risks in the technology sector report).
Scholars were commissioned within Oxford Analytica’s global expert network to produce peer-reviewed essays on three of the top risks that the panel identified:
Willis Towers Watson recommends that technology industry executives apply a four-to-five-year view of the political risk landscape, looking through a different window/lens at a world that is continuing to change dramatically and with the recognition that the economic uncertainty, yet to be fully felt, could well require a rapid shift in strategy.
The five forces shaping the “next normal” include the metamorphosis of demand; an altered workforce; changes in resiliency and expectations; regulatory uncertainty and the evolution of the virus. These forces should be reflected in technology companies’ approach to insurance and risk management strategy and solutions. Willis Towers Watson advises business leaders worried about the future to take action to manage risk more proactively today.
The high level of uncertainty and changes to their global operating environment mean that increased agility and a heightened awareness of risks will be key to success.
The Economist finds that it’s one thing to separate software and the internet but quite another to separate hardware. The latter is more integrated and involves $1 trillion of physical plant and $400 billion of inventories, according to the publication. A split will have formidable financial and risk management implications. Willis Towers Watson, in its latest political risk survey, also finds political risks arising along with trade tensions.
Failure to understand and address legal and regulatory risks can have implications beyond paying fines. A company brand or reputation will suffer if consumers lose trust that their privacy will be preserved, or come to believe that an M&A deal might drive up consumer costs while reducing competition and innovation.
Karl Sawyer – Willis Towers Watson Great Britain TMT Industry Expert
“Tech sovereignty” has become a hot topic for European leaders as they grow increasingly alarmed at the European Union’s heavy dependence on foreign technology and ...
Environmental, social and governance criteria also pose reputational risks if investors and other stakeholders conclude that a company is falling short of its ESG commitments to ethical outsourcing, reducing carbon emissions, or a governance failure behind data losses or breaches of privacy. Twitter, Facebook and other social media platforms can spread damaging information (accurate or not) at light speed. As one of our research participants noted, “Reputational risk is challenging to manage because it’s not always fact-based.”
In any case, executives are obliged to more actively monitor and maneuver through the political and regulatory landscape. They must more rigorously identify, measure and mitigate risks that surround data security and privacy, M&A or other actions that show up on the regulatory radar.
On December 24, 2020, the European Union and the United Kingdom agreed on an EU-UK Trade and Cooperation Agreement (TCA). The TCA governs the future relationship between the EU and the UK following the end of the Brexit transition period and consists of a Free Trade Agreement, a partnership for citizens’ security and a horizontal agreement on governance.
The European Union (Withdrawal) Act 2018, in combination with the European Union (Withdrawal Agreement) Act 2020 and the Agreement on the Withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union of October 2019 (Withdrawal Agreement), provide some clarity around certain areas of the law specifically affecting businesses operating in the TMT sector and in many respects ensure “business as usual” for many businesses operating in the sector. According to techUK, the UK’s technology trade association, key elements for TMT companies operating in the UK and EU to monitor are as follows:
“Tech sovereignty” has become a hot topic for European leaders as they grow increasingly alarmed at the European Union’s heavy dependence on foreign technology and the digital leadership asserted by American and Chinese companies.
The EU expects to invest billions of euros into core technologies, such as semiconductor chips and telecoms infrastructure as well as quantum computing, artificial intelligence and blockchain. French President Emmanuel Macron has said, “If we don’t build our own champions in all areas — digital, artificial intelligence – our choices will be dictated by others.”
Motives are complex and entangled. Political leaders want to see more vibrant home-based technology companies protect themselves if trade tensions worsen. They are watching with concern as the U.S. and China both move to build up their own tech economies and shut out foreign competitors. Leading EU politicians also argue that tech sovereignty is needed to protect “European culture and values”. Officials talk about “human-centered” autonomy, with which individual citizens control use of their own data and interactions with artificial intelligence.
In her November 2019 inauguration speech, European Commission President Ursula von der Leyen ranked technology together with climate change as the EU’s top priority for the next five years.
Steps toward European tech sovereignty have already been taken. France and Germany launched the Gaia-X project last year to create a computing network with distinctive European security standards but accessible by customers who might switch from U.S. providers. Something called the European Battery Alliance is behind raw-materials extraction and processing.
A lot of debate surrounds the implications of tech sovereignty, which some cynics see as protectionism, plain and simple. We tend to think the issue is more complicated than that, with Europeans watching American and Chinese rivalry with concern. We advise our clients to keep close eyes on tech sovereignty developments from any source, European or otherwise.