It has been the standard script of every security breach in the last decade. The news breaks in the media: another large company has fallen victim to a cyberattack and the personal information of its customers has been stolen. A few hours later an email arrives. It is the company fulfilling its legal obligation to inform those affected, taking the opportunity to apologize and reaffirm its “commitment” to the security of their data. And what happens next? Nothing.
As far as those affected by the breach are concerned, the company’s responsibility went no further. Not even in breaches as serious as the one at Air Europa, which forced thousands of customers in several countries to cancel their credit cards immediately. Those affected could only wait for the all but certain scam attempts based on their personal data, hoping to remember that the caller might be not their bank’s agent but a cybercriminal who knows all their details.
There was nothing more to say, at least until now. Two new European regulations have come into play to modernize preparation for and response to cyberattacks, and one of their key points is that they place responsibility for security breaches squarely on companies’ senior management. In other words, they bar senior executives from shifting the burden of cybersecurity onto the company’s technical staff.
“The problem is that, although on paper there was a responsibility, in practice it never appeared clearly,” explains Marta Trabado, regulatory compliance specialist at the Spanish cybersecurity firm A3Sec. “Now the point is that the responsibility falls directly on management in the event of a cyberattack, because management is what must establish prevention strategies and supervise them. Therefore, they may even have criminal liability for the consequences of that incident,” she asserts.
Senior management may have criminal liability for the consequences of a cybersecurity incident
Marta Trabado
— regulatory compliance specialist
Although this view of cybersecurity as central to corporate strategy appears in several new European regulations, the one that spells out the liability of senior management is the NIS2 directive. It creates two categories of companies, “essential” and “important”, subject to different degrees of supervision by regulators.
Companies labeled “essential” are those that provide services or infrastructure crucial to the proper functioning of society and the economy. Energy, transport (airlines, railways, logistics, etc.), health (including pharmaceuticals), water, banking and telecommunications (both digital services and telcos) fall into this category, and the authorities will be able to supervise their security measures both before a cyberattack occurs and after one has been suffered.
The directive particularly emphasizes that “any natural person responsible for or acting as a representative of an essential entity” must “be held responsible” for compliance with these rules.
The “important” entities include manufacturers, such as producers of chemicals, medical or electronic equipment, food producers and large distributors, postal and courier services, and organizations that research new technologies. Their cybersecurity obligations are similar, but with less emphasis on constant oversight, and the authorities will be able to hold them accountable after a breach.
This layer of supervision will be added to the one already exercised by the Spanish Data Protection Agency, which can impose fines if it finds that companies have not implemented adequate safeguards against the risks of a cyberattack. The problem is that Spain has not yet defined how it will carry out this new oversight, which focuses on the other aspects of information security.
Spain is late in the transposition
The deadline to transpose the measures provided for in NIS2 into Spanish law was October 17, 2024. The Ministry of the Interior, responsible for presenting to the Council of Ministers the bill that begins the parliamentary process, assures elDiario.es that the text will reach the Commission of Secretaries of State “this same month of December.” “Its subsequent referral to the Council of Ministers does not depend on us, but we trust that it will be done immediately,” the same sources state.
For it to be effective, the Spanish transposition must spell out the possibility of incurring criminal liability for cybersecurity negligence, as well as which bodies are to supervise companies in the “essential” and “important” categories.
Spain is far from alone in this situation, however: 23 of the 27 EU member states have not yet transposed NIS2. To prevent delays in the directive’s implementation timetable, Brussels has published an implementing regulation which “makes it mandatory even though it has not been transposed,” says Marta Trabado.
“This makes you subject to sanctions if you are an entity within the scope of NIS2 and do not apply it,” the expert explains. “Failure to comply can have serious consequences, such as the loss of concessions or public contracts,” she adds.
In short, the arrival of NIS2 marks a turning point in how companies must approach cybersecurity. It will no longer be enough to send an apology email after a cyberattack and move on; senior management will have to assume active and direct responsibility, both for preventing these incidents and for responding to them.