In February, the European Commission published a strategy document on cyber security (here). This non-binding, yet indicative, document can be seen as the European counterpart of the US executive order signed by President Obama the very same week which aims at protecting the computer networks of crucial American industries from cyber attacks.
Along with this strategy document, the Commission is proposing a new legal instrument with a directive on network and information security (NIS Directive). This could become law in the 27 member states in less than three years. They will have 18 months to transpose the directive into their legal systems once it has been adopted by the Council and the European Parliament (possibly a year from now).
Under the proposal, strategic sectors to the economy and society (energy, transport, banking, healthcare and key internet companies) will need to manage risks and report significant incidents. To be regarded significant, the incident will have to impact heavily the core services of the operator and compromise its availability, like an outage or a cyber attack.
The competent national authorities will be the reporting entities but public disclosure is not mandatory. Let’s hope that it won’t change during the Parliament phase. Reputational damage is indeed the worst nightmare of a company suffering such an attack, and confidentiality between the national regulators and the market operators is a way to ensure an effective and reliable reporting system.
FERMA has already been involved in sharing knowledge, experiences and awareness of this problem within the risk management community. In January, we published research conducted in association with Zurich and Harvard Business Review Analytic Services: “Meeting the Cyber Risk Challenge” (available here).
The main lesson from this work was that the success of a cyber risk company strategy lies in the creation of an organisation-wide plan to address the risks. It needs not only the IT department but also the full involvement of the board, top management and every employee. There must be training, communication of common sense measures and adequate investment in data protection and backup solutions.
Reporting incidents does surely prevent further damages but it is a small part of the equation. On Thursday 15 March, global insurance broker Marsh released a report (article) stating that the demand for cyber coverage jumped 33% in 2012. Now it is up to FERMA to discuss those findings with the EU authorities.