Risk management in legal cyber-security
It is no secret that reliability and trust are the pillars on which all economic and societal activity can flourish. Not one season passes without a cyber-security breach at a national and sometimes global level around us.
Finland faced its third largest data breach last April, when the Finnish Enterprise Agencies (Helsingin Uusyrityskeskus) were hacked. Sweden dealt with an embarrassing leak in 2015, when the Transport Agency acted negligently in outsourcing its cyber capacity; the major incident, however, only emerged two years later, in 2017.
Today, Europe is determined to enter a new age of cyber-accountability: nations across the Union welcomed the Union's very first cyber-security legislation, the Network and Information Security (NIS) Directive, in 2016, and it became applicable in May 2018. The new instrument aims to achieve a high common level of security of network and information systems within the EU. Member states are to establish their own Computer Security Incident Response Teams (CSIRTs).
How does it affect the industry players?
The law addresses two groups of industries: essential services in critical sectors and digital service providers. Sweden, alongside its fellow EU member states, is going to publish a list of “Operators in Essential Services” active in the following sectors: energy, transport, healthcare, banking, financial market infrastructure, digital infrastructure, and drinking water supply and distribution. We expect the list to be published in early November 2018. Government agencies, municipalities, county councils, state- and municipally-owned companies and individual companies will all fall within the regulatory purview of the new law.
In Sweden, the Myndigheten för samhällsskydd och beredskap is responsible for coordinating the work under this law. The new Swedish law, “Informationssäkerhet för samhällsviktiga och digitala tjänster”, arrives on August 1st, 2018. It will require three major categories of action from industry actors:
- incident responsiveness,
- breach notification, and
- taking the right security measures.
Fines … again?
It is not so long ago that we heard how heavy the fines would be under the GDPR. This new law, too, carries fines: failure to comply can yield a penalty of up to 10 million SEK. What is more, the breach data received by operators may be distributed to other EU member states through threat-intelligence sharing channels. That alone could have implications as hard-hitting as the penalties.
What happens if non-compliance with this new law cuts across GDPR liabilities?
A security non-compliance under this new law may also constitute a personal data breach under the GDPR. While not set in stone, it is expected that the higher of the two penalties will apply as between the GDPR and the NIS.
The majority of companies in Sweden are not prepared for this new set of cyber-security obligations. Public administrations will be affected the most, along with their suppliers in the essential-services industries. A poorly managed vulnerability may mean not only heavy fines but also a bad record throughout Europe. A gap assessment followed by the necessary transformations is meant to serve industry players in all the essential sectors, ensuring seamless business continuity, an unharmed budget and a spotless reputation.
For more information on how Tieto could do that, please contact:
Maria Nordgren +358 (40) 5009760
Cagla Salmensuu, Consultant, Security Services +358 (44) 0221983
Dario De Vivo, Consultant, Security Services +46 (070) 2835563