New perspectives on cyber security: The regulatory challenge

New perspectives on cyber security: The regulatory challenge

Cyber security is a rapidly evolving sector. Oftentimes, regulatory frameworks lag behind the latest developments. And when legislators finally act, companies, institutions and other influencing stakeholders must be fully aware of newly implemented regulations. In 2018, the new European Union (EU) regulation on data, cyber and information security will be a game changer. Here’s why.

Strategic foresight must take a regulatory lens. The vast majority of companies, institutions and other organisations underestimate both the significance and impact of a (slowly) changing legislative landscape – and therefore, often fail to respond to far-reaching challenges in proper time, damaging their own business and reputation.

Due to the volatility, force and pace with which technological innovation is moving through the global economy, cyber risk has become the biggest contemporary threat to all actors, especially companies. About 72% of all global CEOs do not think that they are fully prepared for a cyber attack. Potential targets have to factor in multiple variables when building their cyber defense capacities. And taking a regulatory perspective must be a key part of the overall equation. As regulations are growing increasingly complex, doing the minimum in compliance is not enough anymore.

A slow evolving cyber security regulatory framework – more damage than good?

In order to understand and act upon present and future cyber risks, it is indispensable for companies, organisations and institutions to monitor the regulatory frameworks of cyber and data security. However, companies may face a number of challenges when it comes to the adaptation of these frameworks.  

The current internet infrastructure and regulatory frameworks are ill-fitted to keep pace with the evolution of the internet and the digital realm in general. Therefore, both severely lag behind present technology and threat level awareness. This is because the internet infrastructure was not designed to cope with present data quantities and the myriad of actors challenging the very scope and content of it.

Cyber security related legislature is highly complex and takes place at various levels: locally, nationally, and internationally. In addition, the private business sector, outside of legal state frameworks, has considerable influence. The latter has been the key driving force in this respect over the last decade.

Cyber security legislation and compliance – if come into force – is ever-shifting. Consequently, it is crucially important that companies anticipate tomorrow‘s regulatory environment. In particular, when they are active in multiple jurisdictions, it is fundamental to systematically track evolving laws and regulations in order to be able to respond to legal and political challenges on time.

The changing cyber security regulatory landscape in Europe

The change comes two-fold. First, the Network and Information Security Directive (“NIS Directive”), which has come into effect in August 2016, will provide legal measures to boost the overall level of cyber security in the EU and strengthen Europe’s cyber resilience. This predicates on bringing cyber security capabilities at the same level of development in all EU member states and facilitates cross-border exchanges of information and cooperation. Although, member states have 21 months to implement it. Therefore, the overall impact is expected to come about in 2018.

Second, the EU General Data Protection Regulation (“GDPR”) will come into force on 25 May 2018. This regulation will re-shape the way companies and institutions, with operations in Europe, engage with data breaches and their clients and users in general. Future legal obligations emerging from GDPR will constitute a high-level issue affecting multiple departments including IT security, legal, public affairs, communications and customer engagement. This is because that the law changes the very rules and responsibilities with regard to data governance and protection on the one hand and disclosure requirements in case of data breaches on the other.

This means a company that has suffered a data breach, and knows of it, will only have 72 hours to alert the authorities. Similarly, a target suffering a breach that is likely to result in a high risk to the rights and freedoms of individuals are obliged to notify affected customers and users immediately without delay.

As a consequence, companies will need to be fluent in the new regulations and ensure compliance more than ever when faced with an ever increasing number of breaches that are becoming more visible in the light of higher media and customer attention.

Due to the lacking legal obligation across Europe, with the exception in Germany, to disclose an attack, many firms are still unaware of the potential impact of GDPR. This is now about to change. Therefore, lacking preparedness and inaction, in case of a cyber incident, will raise the stakes for potential cyber targets and will dramatically escalate the involved costs, not only leading to huge fines, plummeting revenue and reduced net profits, but also to an increased hazard of reputational suicide.

More importantly, if a company, institution or any other organisation, hit by an attack, mishandles a breach, the new legislation will make grounds for claims for compensation by private individuals more likely.

The need for a global cyber security framework

Not since the biggest cyber-attack in history, the WannaCry cyber-attack in May 2017, global cyber security regulation has to be significantly improved. We already see more global co-operation between law enforcement agencies than ever before, but legal black holes, in many parts of the world, still dominate.  

Against this backdrop, both the US and European legislation and collaboration, part of the Working Group on Cyber Security and Cybercrime, can serve as a role model for other regions in the world. Cyber security regulation is primarily treated as a matter of single-state action – despite many initiatives driven by international organisations such as the World Economic Forum (WEF), the Federation and European Risk Management Associations (FERMA), the Organisation for Economic Co-operation and Development (OECD) or the Internet Governance Forum (IGF).

Many of these initiatives are non-codified, have no binding character and are simple recommendations. Nevertheless, the governance for global cyber security is changing and potential targets of cyber attacks must monitor its evolution very closely to be prepared. The next attack will come and those affected will need to be ready.

About Author

Christian Hellwig

Christian works as a strategic communications, policy analysis and public affairs expert and has been a longstanding contributor with Global Risk Insights on a wide range of issues since early 2015. Most recently, he has worked for CNC Communications & Network Consulting and Schneider Minar Jenewein Consulting, two companies with a strong European footprint in the fields of strategic communications, reputation, crisis & (cyber) risk management, public affairs and government relations. Christian holds a MSc in International Relations from London School of Economics & Political Science and a first class honours BA from a leading German university in Governance & Public Policy.