With a continued rise in cybercrime, and considering our global economy is dependent on data driven decision-making, the EU has published new legislation that will have an impact on every business: the new Network and Information Security (NIS) Directive and General Data Protection Regulation (GDPR).
The NIS Directive is focused purely on security, to promote a culture of risk management and ensure that the most serious incidents are reported, and applies to (i) “operators of essential services”- organisations that provide elements of a country’s critical national infrastructure – i.e. operators in energy, transport, health, banking …; and (ii) “digital service providers” - Cloud providers, internet exchanges, online marketplaces, which are not micro- and small enterprises.
The GDPR is focused on data privacy, aiming to bring data protection legislation up-to-date and into the modern age, and applies to all companies that process EU citizen data, except organisations with fewer than 250 employees with regard to record-keeping, and some exceptions that relate to national security.
By the end of May 2018, the NIS Directive (as it is an EU directive, rather than a regulation, needs to be implemented as local legislation before 9th May 2018 in each EU member state) and the GDPR will have entered into force in the European Union, giving organisations covered by these pieces of legislation until this date to establish compliance. Till then, organizations need urgently to plan and improve its overall security strategy to comply or potentially, in the event of a breach (NIS has notification requirements around security incidents, whereas GDPR on personal data breaches) an entity will likely have to defend its use — or lack of use — of a range of technologies and procedures.
The penalties for non-compliance are substantial, the primary effect of which will be to raise network information security and data protection as a business risk attention directly into the boardroom. No board member will want to have to explain to shareholders why profits and stock price have fallen due to a security or data breach resulting in a substantial fine. In the case of the NIS Directive, it is the responsibility of each EU member state to determine penalties, but the Directive does specify that penalties must be “effective, proportionate and dissuasive”. NIS grants authorities the power to initiate audits of private industry for suspected non-compliance. Enforcement will be combined with related regulations, in particular the penalties and fine included in the GDPR: dependant of the type of infringement, the fine will reach up to €10m or 2% of global turnover; or up to €20m or 4% of its annual worldwide turnover.
Security Requirements: “State of the Art”
NIS and GDPR have different rules and scope, but regarding their respective security requirements stated for the operators of essential services, digital services providers, data controller or data processors, both pieces of legislation require public or private entities to “have regard to”1 and “take into account”2 state of the art (NIS and GDPR, respectively) for their cybersecurity. Organisations must therefore take into account technologies and practices that are state of the art in security in deciding how to invest in mitigating risks associated with the protection of essential services that have a dependency on network and information systems (in the case of the NIS directive), and with data protection (in the case of GDPR).
However, neither piece of legislation defines clearly the term or explicitly requires use of specific technologies. Surely the reason is because security capabilities and IT evolve and mature relatively quickly, while legislation is typically long term.
As the NIS Directive requires each EU member state to implement it locally, maybe we could expect greater precision in future legislation. The NIS Directive indicates3 that member states shall encourage the use of European or internationally accepted standards and specifications relevant to the security of network and information systems, and that ENISA, in collaboration with member states, shall draw up advice and guidelines regarding the technical and security requirements. In the case of GDPR4 , associations and other bodies representing categories of controllers or processors may prepare codes of conduct, or amend or extend such codes, for the purpose of specifying the application of this Regulation. It seems you would need to continuously monitor such standards and codes of conduct, or to follow ISO standards, PCI DSS…, to obtain some kind of guidance and be compliant.
Companies must therefore have a view on what “state of the art” means to them and be prepared to conclude that they don't need to deploy it based on an assessment of risk, or to defend that view in the event of a breach, aiming to avoid the penalties and fine, and more importantly, not to harm your customers and Brand Reputation.
This is what IDC and Palo Alto Networks have recently called the “State of the Art Paradox”, a research on how businesses in Europe perceive the upcoming EU requirements of “state of the art” cybersecurity. The study found that many companies don’t have a clear understanding of the concept of state of the art, have no processes or metrics in place to measure their alignment with it, and lack a form of review of their position on it with sufficient frequency. IDC conducted research into companies with more than 250 employees based in France, Germany, Italy, Spain and the United Kingdom.
Moreover, if you don’t know how to tackle the security requirements of GDPR, so do as well the 82 percent of global IT and business professionals responsible for data security at both SMBs and enterprises, according to Dell global survey on the European Union’s new General Data Protection Regulation (GDPR), revealing that organizations ‒ both SMBs and large enterprises ‒ lack general awareness of the requirements of the new regulation, how to prepare for it, and the impact of non-compliance on data security and business outcomes. 97% said their companies didn’t have a plan in place to implement the new privacy law.
Be prepared and know how to address “state of the art” at your organization is critical: in any post-breach investigation a company will have to defend its use — or lack of use — of a range of technologies or procedures. You need to have a view on what “state of the art” means to your organisation, and be prepared to defend that viewpoint.
Boardroom issue: what should CEOs, CIOs, CISOs, CDOs, CPOs or DPOs do to incorporate “state of the art” into your cybersecurity/data privacy strategy?
Urgently build a Readiness Plan in order to address this knowledge gap, asking some fundamental questions about your companies’ readiness for NIS Directive and/or GDPR, as suggested by IDC/Palo Alto Networks Call to Action recommendations – Download the full report from IDC.
Basically, as recommended also by Palo Alto Networks Executive Advisory Report, ask your CISO and Chief Privacy Officer (or Digital Protection Officer (DPO)5 - new data-focused post required by GDPR) these questions:
- Does GDPR or the NIS Directive, or both, apply to our company? Who in the business is accountable for these legislative requirements?
- What is the company view on state-of-the-art security? How did we define it, and who advised us on this?
- What is the timescale for us to reach compliance, and what actions need to be taken now in order to achieve compliance by the deadlines?
- How will the business continue to maintain compliance, and what metrics will the business use to validate this to itself and, when required, to any third parties?
This new regulation provides uniform data protection rights across the EU, and, to be in compliance, both European organizations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of predict, prevent, detect and respond. To be NIS and GDPR-compliant, you will need “state of the art” security solutions and Partners that enable you to predict and prevent attacks, detect a potentially dangerous presence in your networks, respond quickly to that threat, and analyze and report on the health of your networks in real time. By 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk – Gartner, June 2016.
Additionally, every organisation should consider taking out a cyber-security insurance policy. GDPR introduces the concept of continuous compliance, in which an organization must regularly carry out audits of compliance. This means not once a year, or even once every six months, but arguably on a weekly or even daily basis. At any point an auditor can ask your company to demonstrate compliance, and your company must be able to do that more or less immediately. Insurers will demand a certain standard of security and may be unable to quote you properly if you cannot demonstrate the greater consistency of your security framework. A £5 million indemnity limit is common and it is yet to be seen if the insurance industry increases it to cover the potential €20 million fines, which data protection regulators will be able to impose from 2018.
In summary, you will need to launch a Readiness Plan, be sure you have the most modern (state of the art) technology and processes to address the NIS Directive and GDPR legislation, work with the best (state of the art) Partners, and take out a cyber-security insurance policy, so that it can be proven to whomever needs to know that your organization is doing it all correctly.
ElevenPaths Partners Program: State of the Art Partners
We have recently announced during our Security Innovation Day 2016 the launch of our ElevenPaths Partners Program, as we believe in the idea that “together we are stronger", aiming to continue and to innovate together in the fields of security and privacy. We have defined five Type of Partners, and we are continuously evaluating the market to partner with those ones that better will help us to integrate our experienced security services with your security strategies, in order to help you to keep your critical information safe and your business resilient while you focus on your business.
At ElevenPaths we strive to partner with state-of the art technologic and start-ups companies, aiming to develop and combine together modern, innovative and disruptive security products, helping you to ensure the security of your network and information systems, to report your incidents, and to manage your data privacy, as required by NIS Directive and GDPR respectively. This is what we call our Paths, on which we work every day to offer security today and in the future for these challenges:
- Identity and Privacy: To give people control over their personal information and privacy in their digital lives. Identity and access management (IAM) is an important category of technology in the delivery of GDPR compliance, because through effective IAM an organization is able to show who has or had access to what, why, when, and what they did with that access; it is a core principle of defense of important data;
- Data Protection: A data protection solution which achieves compliance with GDPR and covers the lifecycle of your company’s information, both in cloud and hybrid or private environments, helping to protect the most valuable asset: information;
- Mobility: A secure mobility solution designed to help companies manage and secure access to corporate information from anywhere, at any time and from any device;
- Risks and Security Management: A comprehensive and efficient managed security solution for security governance from strategic business units, to help you address the GDPR concept of continuous compliance, in which an organization must regularly carry out audits of compliance;
- AntiFraud: A comprehensive, convergent and adaptive solution based on the application of intelligence to detect digital fraud, both in advance and at the moment it is being committed;
- CyberThreats: A solution which helps you continuously prevent, detect and respond to potential cyber-threats that can have a major impact on your organizations' business model, addressing therefore the adaptive security approach suggested by the NIS Directive;
- Vamps: A Persistent Vulnerability Assessment & Management solution to help you identify security threats and potential attack methods against your network and systems and allowing a quick management of their correction;
- Sandas: A behavioural analysis solution which categorizes and reports incidents and allows you to visualize that information, providing you with automatic responses in real time; and
- Sandas GRC: A Government, Risks and Compliance solution which helps you to support your business strategy, to increase your visibility of risk assessment and improve your operational performance, reduce operational risks and ensure regulatory compliance with NIS Directive and GDPR.
As the NIS Directive and GDPR will enter into force soon, time is running out to get your house in order. The timescale for achieving compliance is tight, and we think that organizations of any sizeable scale and complexity will struggle with even the first steps in compliance, such as understanding what information security technologies and procedures should be implemented, and what data they have and its sensitivity. Don't put off early consideration of NIS Directive and GDPR by the less than two-year implementation period. The scale, complexity, cost and business criticality of both legislation means that it will take (at least) two years for most companies to achieve full compliance. You need to start now.
Although both laws may require substantial investments for companies to reach compliance, both the NIS Directive and GDPR represent an opportunity for your Boardroom to re-build your security capabilities with a focus on better mitigating cyber risks, become cyber-resilience, and together create a safer digital world.
Pablo Alarcón Padellano, Alliances & Partnerships
1Arts. 14.1 and 16.1 of NIS Directive
2Arts. 25.1 and 32.1 GDPR
3Standardisation Art.19.1 NIS Directive
4Codes of Conduct Art. 40.2 h) GDPR
5The DPO is responsible for conducting regular audits of GDPR compliance, which means that firms will have to demonstrate their compliance on a regular basis. The DPO's job will be to watch over in an independent manner how data is stored, used and shared and to advise their organisation on data protection issues.