Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As there are currently no substantial laws on cybersecurity in Austria nor binding guidelines or best practices established on grounds of the data security requirements set forth in the GDPR, enterprises need to rely on industry standards and recommendations by various organisations and authorities.

The first contact in the field of cybersecurity in Austria is the CERT for private entities and the GovCERT for the public sector. Both institutions not only coordinate responses to cyberthreats but also advise on prevention measures. Thus, they constitute the most important contributors to a harmonised understanding of required and recommended cybersecurity measures. To facilitate intra-sectoral exchange of information, sector-specific CERTs are planned with the Austrian Energy CERT for the energy sector already being established. Additionally, sector-specific cybersecurity exchanges for providers of various critical infrastructures have been established in the form of the Austrian Trust Circles.

Further, interested parties can find a multitude of freely available publications on this topic; for example, from the Federal Ministry for Internal Affairs, the Chamber of Commerce or associations specialised in IT topics.

It remains to be seen whether or how far the relevance of these institutions and their recommendations will be affected by the planned Cybersecurity Act and whether they will participate in formulating recommendations in accordance with the GDPR, since the current draft of the NISG envisions the establishing of a new and separate authority for the purpose of reporting and coordination of cybersecurity events.

How does the government incentivise organisations to improve their cybersecurity?

Although the Austrian government is very active in promoting cybersecurity directly as well as indirectly (eg, by means of the GovCERT), there are currently no incentives in this context.

Judging from the discussions on the NISG and the current draft, it is currently expected that the Act will not change this situation but rather follow the ‘classical’ approach and penalise inadequate cybersecurity measures.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

In Austria, ÖNORM ISO/IEC 27001: 2017 07 01 (which can be obtained from the ASI against payment) as well as the recommendations of the CERT (available from their homepage: www.cert.at) can be regarded as the main industry standards and codes of practice in the field of cybersecurity.

Comprehensive guidelines summarising the relevant rules and recommendations, as well as a checklist created specifically for very small enterprises, have been created by the Austrian Chamber of Commerce and can be obtained from the microsite: www.it-safe.at.

Are there generally recommended best practices and procedures for responding to breaches?

Best practices and procedures can be derived from industry standards or recommendations of the CERT. They may vary depending on the type, severity and potential danger of a breach. Thus, there are no general rules apart from containing the breach and saving any information for later analysis.

After the incident it is considered best practice to have the existing data analysed by a trustworthy and independent third party to determine the methods and reasons for which the system could be breached and to take measures to prevent such occurrences in the future.

It is possible that further recommendations and best practices may arise owing to the GDPR.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Voluntary information on cyberthreats should be addressed to the CERT (or the GovCERT, in the case of a public entity) by means of an email containing:

  • details of where the incident has occurred (eg, IP address, website);
  • details of the nature of the incident (eg, a virus, a DoS attack);
  • details of how the incident has been noticed (eg, log files);
  • a request for feedback; and
  • an electronic signature.

As there are no recommended standard procedures that the notifying entity can follow in the meantime, it will need to wait for a response from the CERT. In any case, records of the incident should be saved in case they are destroyed or modified during the incident.

Unfortunately, there are currently no incentives to voluntarily disclose information on cyberthreats, apart from peer pressure within the industry.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

In the field of cybersecurity, cooperation between the private and the public sector has a long tradition in Austria, its first highly visible project being the CIRCA, established in 2003 by the ISPA and the Federal Chancellery.

Nowadays, the cooperation continues mainly within the Austrian CERT network, where the most important stakeholders from the private and public sectors are united either directly or indirectly through the participating CERTs. Within this network, not only is the collected information on incidents or threats exchanged, but the incident response and the advice on prevention measures are also coordinated.

The results are then propagated by the participants to other organisations, such as the Chamber of Commerce, which issue recommendations to their members, usually in the form of publications. Of course, the flow of information works both ways.

In December 2014, Curatorship Safe Austria, an independent association focused on issues related to internal security, organised a large-scale cybersecurity exercise focused on threats to critical infrastructures, in which, among others, the CERTs, the Federal Ministry for Internal Affairs and various private enterprises participated. The aim of the exercise was to optimise communication between the participants, especially the stakeholders as well as the organisations serving as information hubs for their respective sectors. Smaller exercises were conducted annually in the following years. The results and experience gained during those exercises were taken into consideration in white papers on cybersecurity published by the Curatorship Safe Austria in early summer of the following year, containing recommendations for the then planned Austrian Cybersecurity Act, now NISG.

Further cooperation is expected in the issuing of industry-specific recommendations according to the GDPR.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance against cybersecurity incidents, covering the costs of, for example, data recovery or downtime, are offered by every major insurer active in Austria. In detail, the covered risks, of course, vary from offer to offer, with some covering even in the case of negligence or fault.

Despite the availability, cybersecurity insurance is as yet far from common. It remains to be seen whether this will change upon the introduction of the NISG.