European proposals to counter growing threats to cybersecurity
November 2013 | PROFESSIONAL INSIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
The European Commission has proposed additional new laws to try to deal with the growing threats to cybersecurity. It is undoubtedly the case that the number and severity of cyber-attacks are on the rise. Financial institutions, large and small, are increasingly the target of sophisticated attempts to steal their data and compromise their systems. But are more laws the answer? Will the new laws simply add to the regulatory burden of those doing business in Europe?
What are the proposals?
The European Commission published a proposal for a Directive on Network and Information Security on 7th February 2013. This was accompanied by a cybersecurity strategy (or ‘Communication’), which contains non-legislative measures on a broad range of issues.
The European Commission feels that whilst some countries are taking effective measures to combat cyberthreats, others are not. The European Commission wants them to raise their game and proposes to deal with that by introducing a new European Directive. The way in which the Directive system works is that the European Commission would introduce a model law and give each country in the European Union a set time by which they would have to introduce that law.
The second part of the proposals would be directed toward businesses. The new Directive would introduce security breach reporting requirements for a broad range of sectors, including the finance sector, public administration, the energy, transport and health sectors, as well as “providers of information society services”, which include app stores, cloud service providers, social networks and e-payment providers. These proposals would mandate a report to the National Competent Authority (to be set up under the first part of the Directive by each country in the EU), but the Directive sets out no threshold for what must be reported. This would operate in a similar way to the breach reporting requirement that already exists in another European Directive for telecommunications companies. It would also be similar to the European Commission’s proposals in the new Data Protection Regulation. The National Competent Authority could then make the report public without the reporter’s consent, share details with other EU authorities or take other measures.
The European Commission estimates that its proposals would affect some 42,000 businesses. The Council of the EU published a progress report on 28 May, however, which questioned some aspects of the European Commission’s impact assessment. The interim report said: “Most Member States also raised the issue of the perceived significant costs involved in the implementation of the Directive and regretted that [it] fails to sufficiently assess the possible benefits. At a more fundamental level, Member States requested further justification from the Commission why a legislative, rather than a voluntary approach, would be the preferred option to tackle the uneven level of security capabilities across the EU and the insufficient sharing of information on incidents, risks and threats, which the Commission perceives as being the root causes of the situation.”
The European Data Protection Supervisor (EDPS) Peter Hustinx also expressed some reservations in a paper he published on 17 June 2013. He stressed the significance of cooperation with other countries, notably the United States. He also expressed concern at the potential overlap and conflict with the proposed Data Protection Regulation.
The UK response
The UK has been one of a minority of EU member states to comment publicly on the proposals. On 6 September 2013 the government published a summary of responses to its call for evidence on the Directive. The summary document stretches to some 50 pages. The government summarises a number of issues highlighted by industry in the UK and asks the Commission in particular to give reasons for some aspects of its proposal, including an analysis of the costs burden that businesses are likely to bear. In addition, concern has been expressed about the inter-relation of the proposed Directive and other breach reporting obligations which exist in the financial services sector, including to the Information Commissioner and under sector-specific requirements which apply to financial institutions. For example, in March 2013 the Financial Conduct Authority reminded regulated financial institutions of the legal and regulatory responsibilities they had to safeguard their customers’ data. The FCA said that its predecessor body had started inspecting firms’ data security procedures in 2008 and it continued to assess the systems and controls of regulated entities. It is not yet clear how these varying obligations to report would be harmonised (if at all).
When will new laws come in?
As with other European proposals, it is challenging to predict a timeframe for these new laws to come into effect. Not every EU member state has announced its formal position. The negotiation process for the Directive could take another 12 to 18 months, with a further period of around the same length for implementation. European elections in 2014 could delay the process even more. These proposals may also be delayed whilst the European Commission gives priority to its wide-ranging data protection reforms. Legislation could therefore be expected around 2016 at the earliest.
It is, however, important to note that existing laws across Europe already impose obligations to keep personal data secure. Some countries (including Germany and Austria) have general data breach reporting obligations. Others use existing obligations in data protection legislation to enforce good cybersecurity practice. For example, in the UK, recent enforcement action has included: (i) a £150,000 fine for Glasgow City Council after two laptops were stolen; (ii) enforcement action against an Armagh-based medical practice after a hack led to the compromise of 175 patients’ email addresses; and (iii) a £250,000 fine for Sony Computer Entertainment Europe Limited after the hack of its PlayStation Network platform in what the regulator called “a determined criminal attack”.
Proposed new US laws
At the same time there are a number of broadly similar proposals doing the rounds in the US. One would call for publicly traded companies to include disclosures related to information security risks in their filings with the US Securities and Exchange Commission (SEC). Another Bill to increase cyberthreats information-sharing between the government and the private sector has already started its journey through the legislature. In addition the Obama administration is developing a cybersecurity “framework” consisting of voluntary standards for the private sector.
Do the proposed laws make sense?
From a personal view it seems that we should be wary of overregulation in this area, particularly where it affects businesses. Most organisations are much more engaged than they have ever been on cyber risk, and the UK is doing some great work in leveraging the expertise in places like GCHQ into the private sector. We should not underestimate the threat, especially from other nation states looking to destabilise us. Business leaders often shy away from topics they feel are ‘too difficult’. By issuing new and complex legal obligations, the Commission risks pushing cyber issues back into the ‘too difficult’ box. There is a real danger that the proposals could have the opposite of their intended effect.
Additionally, many financial institutions will also have worries about any central or shared log of vulnerabilities. Most sophisticated financial institutions have lawyers as part of their breach response team. As a result we see first-hand the increased level of sophistication of attacks in the last 18 months or so. Some countries are weaker than others in terms of cybersecurity. Those who seek this data will know that too. Europe’s security will only be as strong as its weakest link. Good security costs money and there is no evidence of a large budget being available to make this a priority.
Just cataloguing incidents also requires resource. GCHQ told us in July that Britain is facing 70 advanced cyber attacks per month. Even assuming the eventual Directive limited reporting to major attacks, if each EU member state receives roughly the same number of attacks, that is some 23,500 a year across the 28 member states; once those reports are shared between national authorities, even countries like Malta or Croatia would need to catalogue around 23,500 attacks a year. At a time of public sector cutbacks, some would rather this resource was spent preventing attacks than cataloguing them. Many will feel that we need an army of cyber-defenders, not cyber-librarians.
What the proposals have done is brought more of a spotlight across Europe on the very real risks that are out there. If nothing else, that may be a worthwhile task.
Jonathan Armstrong is a partner at Duane Morris LLP. He can be contacted on +44 (0)20 7786 2117 or by email: firstname.lastname@example.org.
© Financier Worldwide
Duane Morris LLP