What is Cyber Due Diligence?
It is the testing of digital processes and systems to assess the potential for a data breach of any stored personal data. This includes 3 main areas:
- risk management (PROCESS)
- compliance management / policy arrangements (PEOPLE)
- technical security (TECH)
What are Cyber Threats?
Cyber threats come from hackers and bots who may use personal data for their own commercial gain or to damage the reputation of a company.
Who does this affect?
Any business that deals with customer information that is essential for the maintenance of critical social or economic activities is affected by the Directive on Security of Network and Information Systems (NIS Directive). Any business that holds, transmits and uses personal data is affected by the GDPR.
(This means: energy companies, water companies, all transport companies, financial services, healthcare, internet exchange, domain name providers and others are affected by the NIS Directive and all internet transactional companies by the General Data Protection Regulation (GDPR). If you are unsure – ask us.)
What are the consequences of a breach?
The NIS Directive says that digital service providers and companies “that provide a service which is essential for the maintenance of critical societal/economic activities” will be responsible for ensuring a level of security of network and information systems to prevent and minimize the impact of incidents on the IT systems used to provide their services.
The Directive does not define a threshold of what is a significant incident requiring notification to national authorities, but it does define three parameters which should be taken into consideration: the number of users affected; the duration of the incident; and the geographic spread.
Operators must prepare now to implement the Directive’s requirements, to ensure compliance and avoid potential penalties.
The law will come into effect in May 2018, but any breaches since summer 2016 may be liable for penalties, as companies are expected to be gearing up during this period.
This is in addition to the existing GDPR, which mandates the protection of personal data and notification of breaches, and requires a minimum level of security assurance for any personal data stored.
Does Brexit affect a UK company’s liability?
Not really. In the wake of Brexit, in practical terms, UK organizations should still look to be compliant with this new European legislative measure. Also, UK companies will still be subject to this legislation where they process EU citizens’ personal data in connection with their offer of goods or services, or if they provide “monitoring” activities. The same applies if a group company is located in the EU or has staff operating within any EU member state.
What if the report uncovers a breach?
Notification of an incident must be made to authorities “without undue delay,” normally expected within 24-72 hours after the breach is discovered.
What should businesses be doing/have done in light of this?
- Implementing advanced behavioural-based detection systems that are now the modern standard for prevention of advanced attacks;
- Preparing an incident response readiness programme that will comply with breach reporting requirements in a timely manner (within 24-72 hours of the breach);
- Utilizing an intelligence-based security strategy that can be integrated with new NIS threat intelligence sharing programmes;
- Adopting an internal security and response strategy and coordinating this with the board of directors, chief legal officer, and other senior executives;
- Reviewing all internal security processes and preparing self-audit capabilities required by national authorities;
It is important to recognize that mere “compliance” is not adequate to protect against modern advanced attacks. Real security is more than compliance—it is a comprehensive security programme that includes non-signature-based detection and advanced threat defences.
What does this mean for you?
If you run, are involved in the running of, are invested in or are thinking about investing in a company that holds any customer data at all, you need to check that you are compliant. If you do not, then the following might impact the company:
- Value of the sale decreases
- Fines of up to 4% of turnover
- Delays in operations whilst systems are updated
- Subsequent loss of revenue
- Loss of customer confidence
- Ongoing bad PR