New cyber-security regulation will force key companies to adopt risk-management practices and report major security breaches to the authorities, according to the European Commission.
The Network and Information Security Directive, first proposed in 2013, is in the final stages of approval in Brussels between the European Parliament and the Council.
The directive will affect companies in the energy, transport, banking and health sectors. Internet service providers could be included too, but the extent to which they will be affected remains unclear.
The UK’s Department for Business estimated in 2014 that 80% of large companies had suffered some kind of information-security breach.
Though the European directive is yet to be finalised, Whitehall has already published a ten-step guide to improve cyber-security.
The guide was updated in January this year to include a paper on what a cyber-attack looks like and how such attacks are typically executed.
In a statement the government said: “We believe understanding the cyber environment and adopting the 10 Steps are effective means in protecting your organisation from these attacks.”
It adds: “Assess the risks to your organisation’s information assets with the same vigour as you would for legal, regulatory, financial or operational risk.
“To achieve this, embed an information risk management regime across your organisation, supported by the board, senior managers and an empowered information assurance (IA) structure.
“Consider communicating your risk management policy across your organisation to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries.”
The government says cyber-security is a “critical” board-level responsibility, and that attacks could “impact” share value, mergers, pricing, reputation, culture, staff, information process control, brand, finance and technology.
It suggests these questions for boards:
- Have you identified key information assets and thoroughly assessed their vulnerability to attack?
- Has responsibility for the cyber-risk been allocated appropriately? Is it on the risk register?
- Do you have a written information-security policy in place, which is championed by the board and supported through regular staff training? Are you confident the entire workforce understands and follows it?
Brussels’ security directive demands greater cooperation between EU states and creates a mechanism for an early warning system to share intelligence on cyber-attacks.
But it also places a responsibility on companies in the key infrastructure sectors. The directive demands they put in place risk-management systems, and report attacks to authorities.
Once the reports are received, national authorities may then choose to go public with the news, depending on the significance of the attack.
This will hinge on the number of users affected, the duration of the attack and its geographical spread.
Writing for ComputerActive magazine, William Long, a partner at law firm Sidley Austin, says that national authorities will have the power to investigate non-compliance with the directive, which could include imposing a security audit.
He adds: “The NIS Directive will also require many businesses to apply procedures that will demonstrate effective use of security policies and measures.
“Failure to do so may result not only in loss of customer trust and damage to reputation, but also breach European data protection and information security requirements and enforcement actions.”