Understanding the challenges of digital trust and resilience
In an ever more connected world, digital trust and resilience are increasingly important for organisations and their stakeholders. Robust capabilities in this area can give organisations a competitive edge while helping to mitigate the organisational, financial and reputational effects of breaches, data leaks, and discriminatory or unethical practices.
Increasing regulatory pressure
In the European policy and regulatory landscape, digital trust and resilience has four key elements: data protection, AI ethics, technology resilience and cybersecurity, and national security and resilience. Organisational maturity varies across these elements, with cybersecurity and data privacy usually the most mature. As organisations become more digitally interlinked, addressing only one or a few of the digital trust elements is no longer sufficient.
This is also reflected in regulatory acts. For example, the European strategy for data sets out four pillars – data protection, fundamental rights, safety and cybersecurity – as prerequisites. The GDPR requires “appropriate technical and organisational protection” and sets boundaries for “automated decision-making”, and the recent cybersecurity-focused EU legislation explicitly references compliance with EU data protection rules.[1] The proposed EU AI Act likewise requires both security and privacy-preserving measures, and designates the European Data Protection Supervisor as the supervisory authority for the EU institutions under the Act.
Structuring a robust digital trust framework
There are five common elements across the EU regulatory frameworks that can be leveraged to develop a digital trust framework: transparency, governance, technical and organisational protection, customer rights, and third-party management and oversight.
Transparency
Transparency towards individuals about the processing of their personal data is a key requirement of the GDPR and recurs as a concept in the newer regulatory acts. Building awareness, together with robust transparency and data management capabilities, allows organisations to implement new regulatory requirements quickly and cost-effectively.
Governance
Implementing regulatory requirements calls for well-managed, cross-functional governance structures. Most organisations focus on compliance and implement the different digital trust elements in silos. As maturity increases, the digital trust elements should permeate all important functions. A governance structure in which data privacy and AI ethics experts work alongside engineers to develop products allows organisations to be more agile and fosters regulatory-compliant innovation.
Technical and organisational protection
European companies will need to strengthen their technical and organisational protection measures. Cyber threats are increasing in frequency and severity. Similarly, the growing use of AI applications in Europe creates new risks, both for data privacy and for potential discrimination or other unethical outcomes. Security and ethics by design, including regular monitoring, are requirements for organisations that want to achieve resilience and trust.
Customer rights
While consumers, when asked, say that they care about their privacy, security and data ethics, they do not yet always put their money where their mouth is. That does not mean organisations should neglect customers' wish to have their rights respected: customers increasingly do care.[2] Companies should start meeting these rising expectations practically and in a structured manner.
Third-party management and oversight
In a connected world, companies are also exposed to how third parties manage their data and IT infrastructure. Both increasing regulatory liability and rising consumer expectations require greater control over the supply chain.
Value of digital trust and resilience
The long-term effect of bad practices within large organisations is not always easy to spot. Regulatory fines after cyber breaches in Europe do not necessarily have a lasting impact, and customers usually forget about data breaches over time. Nevertheless, neither society nor large organisations are immune to the organisational, financial and reputational consequences of poor practices.
Operational effects
Cyber breaches or data privacy violations can severely disrupt operations and divert focus from the core business. They increase regulatory scrutiny, may force organisational restructuring, and can leave the organisation at a competitive disadvantage.
Financial effects
Fines and lawsuits have a short-term financial effect on organisations after a breach or data leak. Beyond that, the stocks of breached companies have been shown to underperform even two years after the breach occurred.[3] On the flip side, there is also a financial upside to being a digitally trusted organisation: in a global benchmark, digitally trusted organisations showed higher revenues and EBIT than those that were not.[4]
Reputational effects
Even though individual breaches are often quickly forgotten, repeated breaches leave a lasting bad impression on customers. Customers often stay with breached organisations only because they lack viable alternatives, and may switch as soon as a good alternative emerges.
Conclusion
If organisations want to unlock their full potential, digital trust and resilience need to be embedded throughout the organisation and interlinked into one coherent strategy. Organisations with solid strategies have been shown to achieve higher revenues and EBIT, while breaches have been shown to damage financial performance. Furthermore, negative incidents erode reputation, causing customers to switch to viable alternatives as they emerge. Investing in digital trust and resilience early therefore helps organisations reap benefits over time and stay ahead. To maximise their benefit, such investments should focus on the five key areas: transparency, governance, technical and organisational protection, customer rights, and third-party management and oversight.
Authors
The authors would like to thank Jim Boehm, Liz Grennan and Andreas Kremer for their contributions to this article.
Henning Soller is a partner in McKinsey’s Frankfurt office, Andreas Kremer is a partner in Frankfurt, Jim Boehm is a partner in London, Liz Grennan is an expert associate partner in Stamford, Malin Strandell-Jansson is a senior expert and associate partner in the Stockholm office and Sheila Zingg is an associate in the Zurich office.
References
[1] The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, which replaces the original Directive on security of network and information systems), the Digital Operational Resilience Act (DORA), and the proposed European Cyber Resilience Act.
[2] “Why digital trust truly matters”, McKinsey & Company, September 2022
[3] Comparitech, 2021
[4] “Why digital trust truly matters”, McKinsey & Company, September 2022