Legal RISK management related to cyber attack threats, together with the implementation of a system of resilience against such attacks, is a critical service for public and private organizations.
Cyber security advice and legal assistance are offered both in the PREVENTION of cyber incidents and in the REACTION to them, in the very delicate phase of Incident Response.
Personal computers, mobile devices, electronic transactions and all kinds of smart devices connected to the Network are a valuable resource for any business model, especially for those with a strong “online” presence.
The downside, however, is exposure to significant and critical risks of cyber attacks.
These attacks exploit both human error, for whose reduction continuous staff training is essential, and the vulnerabilities of new technologies.
One of the most worrying phenomena is “crime-as-a-service” offered on the Dark Web: specialised groups of cybercriminals who sell highly skilled cyber-crime capabilities (tools, infrastructure and know-how) to other criminals.
Cybersecurity has become the crucial point for reliability, and therefore for the development, of the entire world of information, which now covers the whole of human experience, from the daily activities of private life to industrial infrastructures, self-driving cars and all devices connected to the Internet of Things (IoT).
This makes cyber risk management all the more important, given the disastrous consequences that loss of control over cyber-physical systems could bring into the real, physical world, in addition to the digital one.
From a CORPORATE perspective, the most critical consequences of a cyber attack are:
- Reputational damage
- Business disruption
- Economic and financial losses
- Theft of critical information
- Disclosure of critical confidential information
- Investigations and assessments by the competent authorities
- Financial penalties and disqualification (interdictory) sanctions
- Data protection implications (employee and customer privacy)
- Theft of trade secrets
- Reduction in the value of intellectual property
- Mandatory post-incident requirements and procedures
All of these consequences obviously translate into economic and financial losses which, in some cases (as recent news shows), can lead to catastrophic business and social consequences.
In the era of BIG DATA, the value and volume of information have literally exploded: the more efficient a company's business intelligence is in accessing market and customer information, the greater its competitive advantage.
This data superstructure corresponds to an over-exposure to the risk of data breaches and cyber attacks.
The legal component of both preventive and post-incident management is of the utmost importance.
From a regulatory point of view, the NIS Directive, the GDPR (General Data Protection Regulation) and the AgID Minimum ICT Security Measures for Public Administrations are just a few of the many rules and regulations governing cybersecurity and data protection.
All of these disciplines have an extremely significant impact on business processes and regulatory compliance.
EU Directive 2016/1148 (the so-called NIS Directive) sets out the European strategy for strengthening cyber security and cyber resilience, laying down measures for a high common level of security of network and information systems across the Union.
It entered into force in August 2016, but the deadline for transposition by the Member States was set for May 2018, plus a further 6 months for the identification of operators of essential services, as provided for by the Directive itself.
The security of network and information systems is the core of the European legislative framework, which establishes planning, information exchange, common obligations and cooperation for:
- operators of essential services
- digital service providers
Annex II of the NIS Directive lists a number of sectors in order to enable the identification of “operators of essential services”, including:
- Drinking water (supply and distribution)
- Financial market infrastructure
- Digital infrastructure
There are 3 conditions under which public and private operators in the listed sectors qualify as O.S.E. (operators of essential services):
- The entity provides a service that is essential for the maintenance of critical societal and economic activities
- The provision of that service depends on network and information systems
- An incident would have significant disruptive effects on the provision of that service
Another element of significant regulatory impact is the application of the Directive to digital service providers (F.S.D.) as well, which are identified by reference to Directive 2015/1535 and to Annex III of the NIS Directive:
- Online marketplaces
- Online search engines
- Cloud computing services
Among the provisions of the Directive that deserve mention are the creation of a CSIRT (Computer Security Incident Response Team), the establishment of a Cooperation Group at European level, the development of a security culture in critical economic and social sectors, and the introduction of appropriate and proportionate risk management measures (set out in more detail for digital service providers).
In particular: the security of systems and facilities, incident handling, business continuity management, monitoring, auditing and testing, and compliance with international standards for security.
Another extremely important aspect, on which the assistance of an experienced cybersecurity lawyer is critical, is compliance with the reporting obligations in the event of an incident.
The Directive requires notification to the competent authority, without undue delay, of any incident having:
- for O.S.E., a SIGNIFICANT impact on the continuity of the services provided; the significance of the disruption is assessed on the basis of the number of users affected, the duration and the geographical spread
- for F.S.D., a SUBSTANTIAL impact on the provision of a digital service; the substantiality of the incident is assessed on the basis of the number of users affected, the duration, the geographical spread, the extent of the disruption and the extent of the impact on economic and societal activities
The Directive also provides for the possibility of informing the public about an incident, but only after the competent authority or the CSIRT has been notified and has consulted the operator or provider concerned, so that whether or not to do so is assessed jointly.
It is precisely in this delicate phase that consultation between legal and business functions allows a correct evaluation of the company's reputational exposure and of the liabilities related to the incident.
Another significant element is the provision of a voluntary incident notification procedure for entities outside the scope of the Directive; this tool can enable (if properly managed in terms of cost-benefit balance) more effective crisis management and a reduction in the risks associated with leaks.
It is important to emphasise the close interconnection and overlap of the various regulations that carry cybersecurity consequences, first of all the GDPR on the protection of personal data.
Compliance with these different disciplines makes it extremely difficult to manage internal policies and organizational models (e.g. Model 231, Privacy Model, Whistleblowing, Delegations, ISO models, etc.), and even more complex is the very delicate phase of Crisis Management / Incident Response.
Precisely in the management of these dynamics, which have a high impact on organizations, the lawyer has to coordinate the intervention of the various internal and external professionals involved:
- Top management
- IT office
- Communications Office
- Legal Office
- Compliance Office
- Safety & Security Manager
- Institutional authorities
- Potential claimants
We conclude with an illustrative overview of the most significant types of cyber threats:
- Botnets
- Web application attacks
- Web-based attacks
- Denial of Service (DoS)
- Insider threat
- Physical loss/damage/theft
- Data breaches
- Exploit kits
- Information leakage
- Identity theft
- Cyber espionage
It is clear that, due to the heterogeneous and ever-changing nature of cyber threats, it is impossible to completely eliminate cyber RISK.
Public and private organisations must therefore prepare and implement PLANS focused on RISK MANAGEMENT and risk MINIMISATION, which also include permanent STAFF TRAINING.
Precisely because ZERO RISK cannot be achieved in cyber security, the preparation of INCIDENT RESPONSE PLANS is equally important.