Safety that concerns everyone
Cyber security is a relatively new term that is still not unambiguously defined. Previously referred to as “Information Security” or even “IT-Security”, it has now become the term for everything that has to do with computer, data and process security, including the aspects of resilience. Whereas in previous years it was a “specialist topic” that only a few experts in IT departments took care of, it has become more mainstream and has moved into the consciousness and attention of a broader population. Regular media reports make cybersecurity more visible, and as the effects of cyber breaches become tangible for companies as well as normal users, attention to the topic increases: almost everyone has already had some experience with malware, some have gone through the hard times of a crypto locker, and normal people as well as companies have become victims of cyber fraud and experienced losses.
However, cyber security goes beyond the individual troubles of an encrypted hard disk or a single data breach. If security breaches affect critical infrastructures or have a widespread impact, like some of the recent ransomware attacks, then cyber security takes on an economic and societal dimension. If a cyberattack hits the essential nerves of our society, its impact goes beyond the directly affected company. Energy providers suffering blackouts, banks that cannot hand out money to their customers because of a cyberattack, hospitals that cannot operate while patients are dying - all of these we have already witnessed. For this reason, lawmakers have recognized that cyber security is a topic which cannot be left to the complete discretion of those who should be responsible for it. They began to realize that there is a need to address risks which can go beyond the sphere of an individual company and which therefore need to be regulated.
This was the birth of the first Network and Information Security Directive in the European Union, which went into effect in August 2016. This first-of-its-kind regulation on cyber security in the EU mandated companies which are considered critical infrastructure (the so-called “Operators of Essential Services”) to comply with a number of requirements with regard to cyber security: first and foremost to implement adequate security measures according to the state of the art, but also to notify a state authority (the “NIS-Authority”) of serious cyber security incidents. The European Union was comparatively late with this regulation. In the USA there are several cyber-related regulations: the Health Insurance Portability and Accountability Act (HIPAA) dating from 1996, then the Gramm-Leach-Bliley Act in 1999 and the Homeland Security Act in 2002, which included the Federal Information Security Management Act (FISMA). These three regulations mandate healthcare organizations, financial institutions and federal agencies to protect their systems and information.
All these regulations are limited to certain critical sectors: banking, healthcare, telecommunications, etc. But the development of cyber threats in recent years has shown that it is not enough to mandate cybersecurity for the top tier of critical companies. Other sectors are also heavily impacted, and small and medium businesses are the backbone of any economy. As the primary goal of the cyber security strategy of the European Union is to protect the digital single market, it became obvious that cyber hygiene has to be applied to those sectors as well. The sectors covered by the initial NIS Directive will therefore be extended in the next revision to provide comprehensive coverage of the sectors and services of vital importance for key societal and economic activities within the internal market. This broadening and harmonization of target groups will extend the scope of the network and information security regulation in Europe significantly. At the same time the specification of security requirements will be made more concrete and extended: covered entities will have to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems, considering the state of the art and being appropriate to the risk. The goal is to mandate baseline security for broader parts of the information security society in order to create a more resilient ecosystem at national and European level.
Still, critical infrastructure sectors will remain under special scrutiny. One of the most strongly regulated sectors is the financial industry: it is not only affected by the NIS directive but is also subject to the Payment Security Directive 2, which defines specific security measures for payment services and banks in general. For this reason, it is the first accepted “lex specialis” on a European level, where sector-specific regulations prevail over the requirements of NIS because they are considered equal or stricter. But even for the financial sector, new and stronger cyber security regulation is in sight: “DORA”, the regulation on digital operational resilience for the financial sector, which aims at further harmonization of security rules and strengthening of operational resilience in the financial sector.
Non-secure products and services are still the Achilles heel of digital security. Digital products and services that are not secure are a fundamental cause of cyber incidents. They make it easier for attackers to carry out successful attacks. Therefore the European Commission issued the Cybersecurity Act in 2019, which introduced for the first time an EU-wide cybersecurity certification framework for ICT products, services and processes. The European Union Agency for Cyber Security, ENISA, was mandated to create a candidate cyber security certification scheme which defines the necessary requirements for future certification of products, services and processes at three levels: basic, substantial and high. For the time being, those certifications remain voluntary, but the Commission has expressed its vision of moving towards a more mandatory regime of baseline security in the future.
Overall, we see a strong move towards baseline cyber security on a legal and regulatory level, with a broadening scope of target companies. Notwithstanding the fact that cybersecurity and resilience should be a core interest of any company using technologies (and who doesn’t?) in order to resist the effects of a severe cyber attack, cyber security will become less a matter of choice in the future. Regulatory requirements will diffuse into further sectors and will also reach SMEs in the near future, either directly or via the supply chain of operators of essential services. If the topic was not yet on the radar, it should be now.