The management of legal risks related to the threats of cyber attacks, together with the implementation of a system of resilience to such attacks, represent a critical service for public and private organizations.
Legal advisory and strategic assistance of cyber security is offered both in the prevention of computer incidents, and in the reaction, throughout the delicate phase of Incident Response.
Personal Computers, mobile devices, electronic transactions and any type of Smart Device connected to the Network, are a valuable resource for any business model, especially for those characterized by a strong online presence.
However, the downside is represented by the exposure to significant and critical risks of cyber attacks.
This type of cyber attack exploits both human error, which is essential to minimize by conducting staff training and education, both the vulnerabilities posed by new technologies.
One of the most worrying phenomena is represented by the “crime-as-a-service“, offered in the Dark Web, characterized by the presence of specific groups of expert cyber criminals, who offer their services with high technological qualification cyber-crime to other criminals.
The issue of information security has become the crucial point for the reliability and, therefore, for the development of the entire world of information, which covers the entire human experience, from the daily activities of private life, to the industrial infrastructures, all the way up to self-driving cars and any device connected to the Internet of Things (IoT).
This makes cyber risk management even more important, in relation to the disastrous consequences that the loss of control over cyber-physical systems could bring back to the real physical world, in addition to the digital one.
We highlight the most critical consequences of a cyber attack from a corporate perspective:
- Reputational damage
- Business interruption
- Economic and financial losses
- Theft of critical information
- Dissemination of critical confidential information
- Institutional investigation activities
- Financial penalties and disqualifications
- Implications for Data Protection (privacy of employees and customers)
- Theft of trade secrets
- Reducing the Value of Intellectual Property
- Compulsory post-accident compliance and procedures
All these consequences obviously involve economic and financial losses which, in some cases (as recently demonstrated by the chronicles) can lead to catastrophic consequences on a business and social scale.
In the age of big data, the value and volume of the information have literally exploded, because the more efficient the Business Intelligence will be in accessing the information of the market and of the clientele, the greater will be the competitive advantage.
This data superstructure corresponds to an overexposure to the risk of data breaches and cyber attacks.
The legal component in preventative and post-incident management is of the utmost importance.
From a regulatory point of view, the NIS Directive, the GDPR Regulation on data protection, the Minimum ICT Security Measures for Public Administrations of the AGID, represent only some of the various rules and regulations which regulate the matter of Cyber Security and cyber protection in Italy.
All these disciplines exert an extremely significant impact on business processes and regulatory compliance.
The EU Directive 2016/1148 (so-called NIS) deals with the European strategy for strengthening cyber security and cyber resilience, bringing measures for a common high level of security of networks and information systems in the Union.
It came into force on August 2016, with a grace period for implementation by Member States scheduled for May 2018, plus a further 6 months for the identification of operators of essential services, as required by the parent directive.
Network and information system security is the core of the European legislative framework, for which the creation of a common minimum capacity is foreseen, as well as the introduction of minimum measures on planning, information exchange, common obligations, cooperation for:
-operators of essential services
– digital service providers
In Annex 2 of the NIS Directive, in order to allow the identification of “essential service operators”, a number of categories are indicated:
- Banking Sector
- Drinking water (supply and distribution)
- Financial Market Infrastructure
- Digital Infrastructures
Three conditions are indicated, under which the public and private operators of the categories highlighted are qualified as O.S.E. (essential service operator):
- The economic entity provides a service essential to the maintenance of basic social and economic activities
- The provision of this service is dependent on the network and information systems
- Verification of an accident would have negative effects on supply
An element of significant regulatory impact is the provision of the application of the discipline also to Digital Service Providers (DSPs), which can be identified by means of a reference to Directive 2015/1535 and Annex 2 of the NIS Directive.
- Online Marketplace
- Search engines
- Cloud Computing
Among the provisions of the discipline, it is worth mentioning the creation of a CSIRT, i.e. an Intervention Group in the event of an IT security incident, the establishment of a supranational Cooperation Group, the development of a Security Culture in the critical economic-social segments, the introduction of technical-organizational measures proportionate and appropriate to risk management (more detailed for digital service providers).
More specifically, the security of systems and plants, the treatment of accidents, the management of business continuity, testing, monitoring and auditing, compliance with regulations and international standards on IT security must be guaranteed.
Another profile of extreme importance, on which the assistance of a lawyer expert in information security is extremely critical, is that relating to the fulfilments and obligations of notification in the event of an accident.
The directive in fact provides for the obligation to notify the competent authority, without undue delay, any incident that has:
(O.S.E.) Relevant impact on the continuity of services provided
Relevance of the disturbance =number of users involved, time duration, geographical extension
(F.S.D.) Substancial impact on the provision of a digital service
Substantiality of the accident =number of users, duration, geographical spread, extent of disruption, extent of impact on socio-economic activities.
The possibility of informing the public is provided for only in the case of FSD incidents, but only after having notified and consulted the relevant authorities, which will assess together with the FSD whether or not such an operation is appropriate.
It is in this very delicate phase that the consultation of the legal and business profiles allows a correct evaluation of the company reputation profiles and of the exposures related to the accident.
Another element of significant impact is the provision of a voluntary accident notification procedure for those who do not fall within the scope of the discipline; this tool can allow (if properly managed with a view to balancing costs and benefits) a more effective management of crises and a containment of risks related to leaks of information.
CYBERSECURITY, LEGAL ADVICE AND ASSISTANCE
It is important to underline the close interconnection and overlapping of the various regulations that have repercussions on information security, in particular the relationship between the NIS directive and the GDPR regulation on the protection of personal data.
The requirements of compliance with the various disciplines make the management of internal organisational policies and models (e.g. Model 231, Privacy Model, Whistleblowing, delegations, ISO Models, etc.) extremely complex, and the very delicate phase of Crisis Management/Incident Response even more complex.
Precisely in the management of these dynamics extremely impacting on organizations, the lawyer finds himself having to coordinate the intervention of the various internal and external professionals involved:
- Top Management
- IT Office
- Communication Office
- Legal Office
- Compliance Office
- Safety & Security Manager
- Institutional Authorities
- Potential Claims
We conclude with an illustrative overview of the most significant types of malware:
- Web application attacks
- Web based attacks
- DOS Denial Of Service
- Insider Threat
- Physical Loss/Damage/Theft
- Data Breaches
- Exploit Kits
- Information Leakage
- Identity Theft
- Information Leakage
- Cyber Espionage
It is clear that, due to the heterogeneous and constantly evolving nature of cyber threats, it is impossible to completely eliminate cyber risk.
Public and private organizations must therefore prepare and implement plans focused on RISK MANAGEMENT and MINIMIZATION of risk, which also include the PERMANENT TRAINING of personnel.
Considered the impossibility of obtaining a ZERO RISK in terms of cyber security, the preparation of proper and responsible INCIDENT PLANS will be equally important.
Reach out for any further information.