[BreachExchange] New perspectives on cyber security: The regulatory challenge

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 30 19:41:39 EDT 2017


Strategic foresight must take a regulatory lens. The vast majority of
companies, institutions and other organisations underestimate both the
significance and impact of a (slowly) changing legislative landscape – and
therefore, often fail to respond to far-reaching challenges in proper time,
damaging their own business and reputation.

Due to the volatility, force and pace with which technological innovation
is moving through the global economy, cyber risk has become the biggest
contemporary threat to all actors, especially companies. About 72% of all
global CEOs do not think that they are fully prepared for a cyber attack.
Potential targets have to factor in multiple variableswhen building their
cyber defense capacities. And taking a regulatory perspective must be a key
part of the overall equation. As regulations are growing increasingly
complex, doing the minimum in compliance is not enough anymore.

A slow evolving cyber security regulatory framework – more damage than good?

In order to understand and act upon present and future cyber risks, it is
indispensable for companies, organisations and institutions to monitor the
regulatory frameworks of cyber and data security. However, companies may
face a number of challenges when it comes to the adaptation of these

The current internet infrastructure and regulatory frameworks are
ill-fitted to keep pace with the evolution of the internet and the digital
realm in general. Therefore, both severely lag behind present technology
and threat level awareness. This is because the internet infrastructure was
not designed to cope with present data quantities and the myriad of actors
challenging the very scope and content of it.

Cyber security related legislature is highly complex and takes place at
various levels: locally, nationally, and internationally. In addition, the
private business sector, outside of legal state frameworks, has
considerable influence. The latter has been the key driving force in this
respect over the last decade.

Cyber security legislation and compliance – if come into force – is
ever-shifting. Consequently, it is crucially important that companies
anticipate tomorrow‘s regulatory environment. In particular, when they are
active in multiple jurisdictions, it is fundamental to systematically track
evolving laws and regulations in order to be able to respond to legal and
political challenges on time.

The changing cyber security regulatory landscape in Europe

The change comes two-fold. First, the Network and Information Security
Directive (“NIS Directive”), which has come into effect in August 2016,
will provide legal measures to boost the overall level of cyber security in
the EU and strengthen Europe’s cyber resilience. This predicates on
bringing cyber security capabilities at the same level of development in
all EU member states and facilitates cross-border exchanges of information
and cooperation. Although, member states have 21 months to implement it.
Therefore, the overall impact is expected to come about in 2018.

Second, the EU General Data Protection Regulation (“GDPR”) will come into
force on 25 May 2018. This regulation will re-shape the way companies and
institutions, with operations in Europe, engage with data breaches and
their clients and users in general. Future legal obligations emerging from
GDPR will constitute a high-level issue affecting multiple departments
including IT security, legal, public affairs, communications and customer
engagement. This is because that the law changes the very rules and
responsibilities with regard to data governance and protection on the one
hand and disclosure requirements in case of data breaches on the other.

This means a company that has suffered a data breach, and knows of it, will
only have 72 hours to alert the authorities. Similarly, a target suffering
a breach that is likely to result in a high risk to the rights and freedoms
of individuals are obliged to notify affected customers and users
immediately without delay.

As a consequence, companies will need to be fluent in the new regulations
and ensure compliance more than ever when faced with an ever increasing
number of breaches that are becoming more visible in the light of higher
media and customer attention.

Due to the lacking legal obligation across Europe, with the exception in
Germany, to disclose an attack, many firms are still unaware of the
potential impact of GDPR. This is now about to change. Therefore, lacking
preparedness and inaction, in case of a cyber incident, will raise the
stakes for potential cyber targets and will dramatically escalate the
involved costs, not only leading to huge fines, plummeting revenue and
reduced net profits, but also to an increased hazard of reputational

More importantly, if a company, institution or any other organisation, hit
by an attack, mishandles a breach, the new legislation will make grounds
for claims for compensation by private individuals more likely.

The need for a global cyber security framework

Not since the biggest cyber-attack in history, the WannaCry cyber-attack in
May 2017, global cyber security regulation has to be significantly
improved. We already see more global co-operation between law enforcement
agencies than ever before, but legal black holes, in many parts of the
world, still dominate.

Against this backdrop, both the US and European legislation and
collaboration, part of the Working Group on Cyber Security and Cybercrime,
can serve as a role model for other regions in the world. Cyber security
regulation is primarily treated as a matter of single-state action –
despite many initiatives driven by international organisations such as
theWorld Economic Forum (WEF), the Federation and European Risk Management
Associations (FERMA), the Organisation for Economic Co-operation and
Development(OECD) or the Internet Governance Forum (IGF).

Many of these initiatives are non-codified, have no binding character and
are simple recommendations. Nevertheless, the governance for global cyber
security is changing and potential targets of cyber attacks must monitor
its evolution very closely to be prepared. The next attack will come and
those affected will need to be ready.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170530/15ca2032/attachment.html>

More information about the BreachExchange mailing list