While many are not yet aware of the full breadth of the cybercrime phenomenon (cybercrime globally generates more revenues and is more profitable than drug trafficking!), there is a general consensus about the fact that certain breaches cannot be avoided. With a proliferation of connected devices operated remotely and a more pervasive use of data, companies are facing increasing (and more sophisticated) cyber threats. Such trend leads to increasing regulations fostering cybersecurity best practices. Here are our main takeaways from the cybersecurity seminar held in Milan last week.

  1. Privacy (by design) and Security Measures – Authorities (including our Garante per la protezione dei dati personali in Italy) are less inclined to accept a passive approach towards cybersecurity. Within this context the new EU General Data Protection Regulation (GDPR), which will finally be adopted in 2016, will play a key role in addressing a number of key risks, fostering throughout Europe increased security measures and a privacy by design approach, including a risk analysis to be carried out at a very early stage. Privacy compliance and security will increasingly be regarded as a market differentiator.
  2. Governance and Cyberinsurance – Directors do have a duty of care when it comes to cybersecurity, and a sound governance model will be very relevant for assessing their responsibility. Cybercrime response teams will likely be set up also beyond the key sectors in which they are already mandatorily required. While technological safeguards remain of paramount importance, governance models will be based on a more holistic approach, involving senior level employees covering a wider range of departments and expertise, addressing not only prevention and immediate crisis management, but also communication and mitigation measures (like, for instance, facilitating account monitoring services for customers affected by hacking of personal data). And when it comes to managing risks, also cyberinsurance will increasingly be taken into account (albeit there is some uncertainty in assessing premiums, as there is still a limited information as to the historical trends on damages).
  3. Intelligence Sharing and Training – Cybersecurity requires intelligence sharing at all levels, between States, sectors and companies. Such intelligence sharing will no doubt be enhanced by the EU Network ad Information Security (NIS) Directive, currently in its very final stages, which will improve co-operation between Member States. With the NIS, companies in critical sectors (energy, transport, banking and health), will adopt risk management practices and report major incidents. If this is combined with the general obligation provided by the GDPR to report data breaches (and other already existing sector specific obligations), there will no doubt be more intelligence gathering also by the local data protection authorities. While sector supervisors continue to impose sector specific standards to prevent hacking, also industry associations in Europe and throughout the world will increasingly promote industry-wide analyses and sharing of information on cyber threats and vulnerabilities (see, for instance, the Information Sharing and Analysis Center set by the Association of Global Automakers). “Intelligence”, or at least “awareness” will have to be shared at all levels also within also within the private organizations. Most secured environments have in fact been affected by employees that had not been aware of the consequences of certain behaviors (see, for instance, the risks/data hacks incurred in using personal email account for business purposes). Training at all levels will accordingly be key in actively implementing best practices for protecting data, such training to be addressed not only to top executives, but also to assistants, etc. that may have access to sensitive information.