This website uses cookies. View our cookie policy


Organisations have legal and regulatory obligations to have in place data protection and cyber security systems and procedures. These laws and regulations often have international reach outside of the countries in which they are enacted. For example, on 25 May 2018 the European General Data Protection Regulation will apply across all member states of the EU. It will also extend the scope of the EU data protection law to all foreign companies providing services into the EU. It harmonises the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.

The introduction of GDPR will impose severe penalties of up to 4% of worldwide turnover for non-compliance.

In addition to law and regulation, the Directors believe that businesses will increasingly have to provide assurance to their customers, regulators and stakeholders that their data protection and cyber security systems are adequate for the current risk environment and will therefore at the same time require evidence of adequate security from all the entities in their supply chains. For example, the payment card brands, through their acquiring banks, require businesses (and their suppliers) that process payment cards to meet the PCI DSS standard, and the UK Government already requires that organisations supplying it directly or indirectly should comply with Cyber Essentials (its own standard).

The PwC 2018 Global State of Information Security Survey (“GSISS”) contacted 9,500 executives in 122 countries found that: 44 per cent. did not have an overall information security strategy; 48 per cent. did not have an employee security awareness training program; and 54 per cent. did not have an incident response process. GSISS also found that many of the key processes for identifying cyber risks in business systems (including penetration tests, threat assessments, active monitoring of information security, and intelligence and vulnerability assessments) had been adopted by less than half of survey respondents.

During 2017 there were a number of publically reported and high profile instances of failures of data protection and cyber security including (i) the NHS in the UK where a number NHS Trusts were subject to ransom attacks; (ii) Uber in the USA, where customer data was stolen; and (iii) A.P. Moller-Maersk in Denmark, where there was a ransom attack that the company estimates will cost it $200 million to $300 million to rectify the damage.

GRC International Group Plc is not aware of the size of the global market for its products and services as generally available market estimates include hardware, software, outsourced services and consultancy in addition to amounts spent by businesses internally. However:

  • The Department of Business, Innovation and Skills commissioned a report in 2013 entitled “Competitive analysis of the UK cyber security sector” . This estimated that the cyber security market in the UK was worth approximately £2.8 billion in 2013 and overall would grow to £3.5 billion in 2017. The report also estimated that fastest growing part of the cyber security market would be governance, which would grow from £421 million in 2013 to £612 million in 2017;
  • Juniper Research published a report in 2017 that estimated that the global cybersecurity market would be worth $135 billion in 2020. This forecast includes all dedicated cybersecurity hardware and software purchases, as well as services revenues of managed security service providers. It does not include the wages for in-house cybersecurity staff used by an organization.

The Directors do not believe that there are any large companies offering the wide range of products and services that the Group provides either in the UK or elsewhere. The market for these products and services is global and they are provided on a limited basis by a large number of businesses which are either small and / or “reselling” products and / or services provided by other businesses such as those provided by the Group or are large but providing only a subset of the Group’s range offering.