May was a very busy month in the world of cyber-security, with new legislation and guidance placing heightened importance on the need to ensure that all systems, from national infrastructure down to SMEs, are adequately protected from growing cyber threats.
While last month's headlines were dominated by the news that the EU General Data Protection Regulation is now in force and will take effect on 25 May 2018, another key piece of EU cyber-security legislation, the Network and Information Security Directive ("NIS Directive"), is now one step closer to entering into force: it was approved by the European Council on 17 May 2016 and is expected to enter into force in August 2016.
The NIS Directive is designed to improve the security of network and information systems across the European Union and increase cooperation between member states on the issue of cybersecurity. It recognises the vital role that network and information systems play in our interconnected society, and the threats posed by actors that wish to damage or disrupt those systems.
Acknowledging the varying levels of preparedness across the EU, the NIS Directive aims to bring member states' capabilities in line by setting out security obligations for operators of essential services in critical sectors (e.g. energy, transport, health, water supply, digital infrastructure and finance) and for digital service providers (e.g. online marketplaces, search engines and cloud services). Each member state must also establish a strategy for dealing with cyber threats and appoint a national authority, to which operators of essential services will be obliged to report major security incidents.
Back home, TheCityUK, in conjunction with Marsh, published a report on making the UK financial and professional services sector more resilient to cyber-attacks. The report recognises the importance of the financial sector and the fact that it is a "perfect target" for cybercrime – it has vast amounts of data and money, a high public profile, and is critical to the national infrastructure.
Building on the work already done by the UK government, the report includes recommendations for practical steps firms can take individually, and collectively, to improve their cyber resilience. It focuses on cyber as a board level issue, and sets out a ten-point cyber risk checklist for boards to put to management, to ensure that cyber risk is part of a firm's high level strategy. Other recommendations include the establishment of a financial sector cyber forum and the encouragement of information-sharing between financial services firms.
ABI calls for database of cyber incidents
On the issue of information sharing, the Association of British Insurers (ABI) has called this month for a national, not-for-profit database of cyber incidents to be established to help insurers properly price cyber risk insurance. It envisages that the database would contain anonymised details of all cyber insurance incidents, including business interruption losses, ransom demands, loss of confidential data and damage to IT systems. The ABI argues that cyber insurance cannot properly develop without data, and that such a database would provide the data to help the UK become a world leader. While the value of such data to insurers is clear, the extent of the data sought by the ABI goes beyond that envisaged by the mandatory notification requirements in the GDPR, and, given the risk of damage to reputation, we suspect the ABI may have a hard time convincing companies that have suffered cyber incidents to share the nature or extent of their cyber losses with the insurance industry at large, even in anonymised form.
Guide to cyber insurance for SMEs
The ABI also released a guide to cyber insurance for SMEs this month, which sets out the key coverages to look for in a cyber-insurance policy and potential exclusions to be wary of.