Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As of today, business and private sector operators may refer to industry best practices. Public administrations, however, usually rely on the indications of the national CERTs (ie, with particular reference to those coming from CERT-PA), the Italian Digital Agency’s (AgID) sector-specific guidelines or other similar soft-law tools aimed at reducing risks to computers and networks, in compliance with the applicable statutes on cybersecurity. It should be noted that the NIS Directive Italian Decree has established the Italian CSIRT to replace the national CERT and CERT-PA; its functions and organisation will be set out in a forthcoming government decree.

In spite of this, it can be said that the Italian legal system does not recognise any particular additional cybersecurity protection that goes beyond what is mandatorily prescribed by the laws and regulations in force.

How does the government incentivise organisations to improve their cybersecurity?

For the operating expenses of the Italian CSIRT, the NIS Directive Italian Decree has authorised expenditure of €2.7 million for 2018, of which €2 million is for investment expenses, and €700,000 annually from 2019.

The Cybersecurity Decree only provided for general provisions on incentivising and funding cybersecurity in the private and public sectors or by means of public-private partnerships. Current spending on cybersecurity is quite likely to remain unchanged unless the government adopts further and more specific provisions, or in light of possible European initiatives (eg, statutes on defence spending or research and development funding).

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

Industry codes of practice and standards may vary greatly from sector to sector; however, as of the time of writing, none have been updated to meet the evolving legal scenario. This notwithstanding, it is likely that the forthcoming government decree on the functions and organisation of the Italian CSIRT will have a significant impact on current and future industry standards promoting cybersecurity and cyber resilience at a national level.

Are there generally recommended best practices and procedures for responding to breaches?

Post-breach response strategies may vary greatly, depending on the degree of cybersecurity awareness of the legal entities concerned in both the public and the private sector. As a general remark, the involvement of third-party forensic firms is not uncommon, although it often takes place solely within the framework of defensive and preventive investigations.

In all cases involving personal data, apart from the general rules set forth under articles 33 and 34 GDPR (the former governing notification of a data breach to the national supervisory authority, the latter governing communication of the breach to the data subject where the breach is likely to result in a high risk to the rights and freedoms of natural persons), the Italian Data Protection Authority’s jurisprudence (in particular its Guidelines on the use of email and the internet in the employment context) also provides some useful indications on notice to employees and on the adoption of ad hoc internal policies on data security and cyber resilience. In the case of breaches or cyber incidents, evidence that such policies have been adopted and implemented may be relevant from a burden-of-proof perspective (ie, from a civil, criminal or administrative standpoint).

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Article 18 of the NIS Directive Italian Decree provides that entities that have not been identified as operators of essential services and are not digital service providers may notify, on a voluntary basis, incidents having a significant impact on the continuity of the services they provide (mirroring article 20 of the NIS Directive). Furthermore, the Cybersecurity Decree of 17 February 2017 provides for mandatory mechanisms of constant updating and communication between private operators, CSIRTs, CERTs, the intelligence services and the government (article 11).

Such mechanisms do not set out the details of the practices or procedures for communicating cyber incidents or cyberthreats, although the decree states that communication can also take place through the competent ministerial institutions (ie, the offices of the Ministry of Defence and the Ministry of Economic Development). In addition, a failure to communicate may lead to administrative, civil or criminal sanctions.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The NIS Directive Italian Decree has appointed the DIS as the ‘single point of contact’ under article 8 of the NIS Directive, acting as the liaison between other member states’ authorities and the Italian competent authorities (ie, the ministries listed in article 7 of the NIS Directive Italian Decree) to ensure cross-border cooperation on the security of network and information systems. The NIS Directive Italian Decree has also established the Italian CSIRT to replace the national CERT and CERT-PA; its functions and organisation will be set out in a forthcoming government decree.

Until the government defines the organisation and functioning of the CSIRT, the national CERT and CERT-PA shall step up their respective activities and cooperate in carrying out jointly the functions and role of the CSIRT.

The national CERT, which operates on a public-private cooperative model and supports citizens and businesses through awareness-raising, prevention and coordination of responses to large-scale cyber events, is a significant example of how government and the private sector can cooperate in the field of cybersecurity, especially with respect to the cyber resilience of critical infrastructure and essential services. However, there is no prescribed way in which public-private partnerships or collaborations are to be developed.

In this respect, the Cybersecurity Decree of 17 February 2017 has also improved such collaboration by strengthening the link between CSIRTs, the government and the domestic intelligence agencies in the management of cyber incidents and in the drafting of best practices and procedures, which are also applicable to the private sector.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cyber insurance is a fast-growing sector in Italy and is offered by all the major insurers operating at a national level. Despite wide availability and choice, such products are far from common across all kinds of operators in both the public and the private sector. Existing cyber risk insurance policies usually cover first- and third-party liability for negligence, accidents or faults. Their cost varies depending on the extent of the coverage and the kind of information, data or ICT assets to which they are linked.