Commercial Updates

Cyber-attacks are now a threat to large corporates and SMEs alike

A recent report commissioned by the Department for Business Innovation and Skills reported that 90% of large organisations and 74% of SMEs had experienced a cybersecurity breach within the last year (up from 80% and 60% respectively a year ago) and 59% of businesses expected to suffer further cyber breaches in the year ahead. Cyber-attacks cost UK businesses £34 billion a year, consisting of £18 billion in lost revenue and £16 billion on increased IT spending as a result of breaches. These startling statistics demonstrate that whilst large corporates remain obvious targets for hackers and almost invariably suffer cyber breaches, increasingly SMEs are also being targeted due to their increasing digitisation and relative lack of adequate cybersecurity safeguards. Businesses both large and small need to put in place effective cybersecurity procedures to safeguard their finances, data and reputation.

US Regulator to fine organisations for lax cybersecurity

The US Securities and Exchange Commission's enforcement unit has announced that financial organisations that have lax cybersecurity practices can expect a crackdown from regulators. International financial institutions with operations in the US could be affected if they do not have in place adequate cybersecurity procedures. Whilst this policy is currently restricted to the US, it is feasible that similar measures will be introduced in Europe to encourage compliance with the new cybersecurity legislation that is due to be implemented.

Legal Updates

Draft Network and Information Security (NIS) EU Directive

The proposed NIS Directive aims to implement the European Union’s strategy for cybersecurity across Europe. While its scope of application is still under discussion (in particular whether it will apply to digital service providers such as Facebook and Google), it is likely to apply to designated service providers that provide essential services such as energy, transport, financial services, internet exchange points, food supply chain and health. In trilogue meetings in June and October 2015, the European Council, Parliament and Commission reached an agreement on the main provisions of the draft Directive, namely:

  • the establishment of a network of national Computer Emergency Response Teams (CERTs) to assist with cybersecurity coordination between Member States (MS), whilst allowing MS the flexibility to use existing competent authorities to establish and administer the required 'institutional infrastructure';
  • the introduction of criteria to allow MS to develop national, sector-specific guidelines on what would constitute a reportable incident;
  • the Parliament has also broadly accepted the Council's preference for voluntary cooperation and information sharing. However, there will be a limited requirement to share information where an incident impacts continuity of service in another MS;
  • information society providers will be governed by a different set of rules from providers of essential services; and
  • MS will have discretion to determine which designated service providers are deemed to be providing 'essential services' and won't have to provide a list of essential companies for security purposes.
    • The latest update from on the Directive from the Department of Culture Media and Sport stated that the final form of the Directive is expected to be agreed by the end of 2015. Whilst no date has been set for the implementation of the Directive, companies which take proactive action early will be best placed to protect themselves from the increasingly sophisticated range of cyber threats, whilst simultaneously taking the lead in reassuring their customers, partner businesses and insurers that they have appropriate safeguards in place to protect the data and finances of their stakeholders.

US Department of Justice Guidelines on cyber incidents

In April 2015, the US Department of Justice published best practice guidelines to adopt in the event of cyber incidents. The guidelines highlighted the importance of having an actionable plan ahead of a cyber-attack. The guidance divides its recommendations into three stages, the preparation, the response and the recovery. Whilst these guidelines apply to the USA and not the EU, they form a useful blueprint to design company specific responses.