Shielded: enhancing EU cyber resilience
August 2024 | COVER STORY | RISK MANAGEMENT
Financier Worldwide Magazine
August 2024 Issue
Cyber crime is a global threat – and one that is growing. While organisations have historically suffered relatively modest direct losses from an escalating number of attacks, some have experienced much more extensive harm to their digital devices or systems.
Unsurprisingly, the associated financial costs of cyber attacks are also extensive. According to Statista, the global cost of cyber crime is expected to surge in the next four years, rising from $9.22 trillion in 2024 to $13.82 trillion by 2028.
One jurisdiction that experiences a high number of attacks is the European Union (EU), where the threat landscape has reshaped itself since the start of Russia’s military aggression against Ukraine. As a result of the conflict, many hacktivists, cyber criminals and state-sponsored groups have been mobilised.
Cost-wise, attacks can be devastating, with the World Economic Forum’s ‘Global Cybersecurity Outlook’ putting the average cost of a cyber breach for an organisation operating in the EU at $3.6m. Moreover, targeted companies saw their stock prices fall and spent on average 280 days identifying and responding to a cyber attack.
“The EU continues to be faced with a range of threats and challenges when it comes to new and emerging cyber threats,” says Stuart Barnett, director of cyber threat intelligence at Orpheus. “Conflict in Europe has illustrated the range of threats from state-sponsored actors that routinely target critical infrastructure, government institutions and others, aiming for espionage or disruption.”
Significant threats
The threat landscape for cyber attacks is constantly changing and evolving. As such, it is helpful for organisations across the EU to understand the common ways in which it changes, as well as ways to keep on top of emerging and evolving threats.
“Cyber risks continue to evolve quickly,” concurs Ana Bruder, a partner at Mayer Brown LLP. “Hackers are more sophisticated and creative, increasing the pressure on organisations to protect their systems and data.”
According to analysis by the EU Agency for Cyber Security (ENISA), the cyber threats outlined below (in no particular order) are the most significant and prevalent across the EU.
First, ransomware attacks, whereby cyber criminals take control of a target’s asset and demand a ransom to restore its availability (approximately 60 percent of affected EU organisations may have paid ransom demands).
Second, distributed denial-of-service attacks, which prevent the users of a network or a system from accessing relevant information, services and other resources.
Third, malware, the general term for malicious software, such as adware and trojans, designed to damage, disrupt or gain unauthorised access to a device.
Fourth, social engineering attacks, which attempt to exploit a human error or human behaviour to gain access to information or services (approximately 82 percent of data breaches involve a human element).
Fifth, attacks to gain unauthorised access to data and to manipulate data to interfere with the behaviour of systems. Servers are the assets most often targeted by such attacks.
Sixth, attacks with an impact on the availability of the internet.
Seventh, disinformation and misinformation, whereby an intentional attack consists of creating or sharing false and misleading information to manipulate public opinion. Before Russia launched its invasion, mass disinformation campaigns were already targeting Ukraine.
Lastly, supply chain attacks, which target an organisation through vulnerabilities in its supply chain and have the potential to induce cascading effects.
Of all these threats, it is ransomware that ranks highest across the EU. According to the European Council, more than 10 terabytes of data is stolen monthly, with phishing the most common initial attack vector.
“In recent years, ransomware attacks have become increasingly sophisticated, targeting businesses, hospitals and local governments,” notes Mr Barnett. “In many cases, this has caused significant financial losses and disruption to business.”
Another concern being introduced to the cyber threat landscape is the increasing use of artificial intelligence (AI) technologies, which have the capacity to open new avenues for manipulation and attack methods, while creating new challenges to privacy.
“In the last 18 months or so, AI has emerged as a significant risk from a cyber security perspective,” says Ms Bruder. “This is because of potential vulnerabilities in the source code of the AI system and because generative AI can be used by hackers to make phishing and social engineering attacks more effective.”
Key legislation
Since 2019, the EU has made landmark efforts to bolster its defences against cyber attacks, with numerous pieces of legislation added to statute books.
“There has been a plethora of UK and EU legislation in the cyber security space and more is on the horizon,” affirms Beverley Flynn, a partner at Stevens & Bolton LLP. “That places wide-ranging cyber security measures on a larger number of organisations across a variety of sectors, with the intention of bolstering cyber security both for individual organisations and across the EU as a whole.”
Outlined below are key pieces of EU legislation – both extant and forthcoming – that aim to enhance cyber resilience and security preparedness.
The Cyber Resilience Act (CRA). The CRA targets a broad swath of consumer products including the internet of things, cloud, communications, payments, automotive and more. Product developers will be required to protect their systems and networks from cyber threats, and report significant security incidents. The Act’s entry into force is expected in the second half of 2024.
The General Data Protection Regulation (GDPR). Described as the toughest privacy and security law in the world, the GDPR, although drafted and passed by the EU (coming into effect on 25 May 2018), imposes obligations onto organisations anywhere, as long as they target or collect data related to people in the EU. The regulation does not mandate a specific set of cyber security measures but rather expects ‘appropriate’ action to be taken.
The EU Cybersecurity Act. Entering into force on 27 June 2019, the core elements of the Act include a permanent mandate for ENISA, accompanied by the introduction of a uniform European certification framework for information and communication technology (ICT) products, services and processes. These are to be certified according to various criteria and assigned the predefined security levels of ‘low’, ‘medium’ and ‘high’.
The Digital Operational Resilience Act (DORA). DORA (which entered into force on 16 January 2023 and will apply as of 17 January 2025) solves an important problem with EU financial regulation. Before DORA, financial institutions managed operational risk mainly with the allocation of capital. After DORA, they must also follow rules for protection, detection, containment, recovery and repair capabilities against ICT-related incidents.
The Network and Information Systems (NIS) Directive 2. Required to be implemented by member states by 17 October 2024, the NIS 2 Directive repeals NIS 1, which sought to achieve a high common level of cyber security across the EU, with a focus on protecting critical infrastructure. NIS 2 builds on the NIS 1 framework to impose cyber risk management, incident reporting and information-sharing obligations on certain types of organisations in a range of sectors.
The Artificial Intelligence (AI) Act. The EU’s AI Act aims to ensure that AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values. The Act has been designed to promote the adoption of trustworthy, human-centric AI. Requirements in relation to general-purpose AI models will take effect in Q2 2025. And from Q2 2026, most of the rules for high-risk AI systems with specific transparency risk will start to apply.
Each piece of legislation also comes with a significant sanctions regime for non-compliance. For example, non-compliance with the NIS 2 Directive carries a fine of up to €10m or 2 percent of annual turnover for essential entities, and up to €7m or 1.4 percent of annual turnover for important entities. As regards the EU AI Act, the penalties are potentially even more severe, with fines as high as €35m or 7 percent of annual turnover.
“Overall, these rules and regulations represent a patchwork of new and existing legislation which can lead to a challenging combination of compliance obligations for organisations,” notes Ms Flynn.
Building resilience
With the legislative measures to tackle cyber security risks across the EU expanding, organisations within scope need to assess obligations, monitor national adoption, follow cyber security authorities’ guidance and fortify measures to manage related risks.
However, despite the growing body of legislation and the compliance obligations it demands, organisations in the EU, depending on their size and cyber security maturity, are often slow to identify breaches and therefore unable to respond accordingly.
Compounding organisations’ slow response is a general lack of investment in cyber security across the region. Indeed, according to ENISA, organisations need to be investing substantially more in cyber security, as budgets have not been increased in accordance with the uptick in cyber risks observed in recent years.
“Without effective monitoring in place, organisations can have a hard time knowing when they have been hacked,” acknowledges Mr Barnett. “The more complicated and ever-changing the IT environment is, and the more advanced cyber threats are, the longer it will take to detect them.
“To keep systems safe, organisations need to establish robust cyber security processes and policies in order to manage their cyber-related risks,” he continues. “It is essential for organisations to conduct regular cyber risk assessments to identify vulnerabilities, to implement multilayered cyber security measures such as firewalls and antivirus software, and to enforce up to date access controls and password management protocols.”
Moreover, organisations need to have incident response plans in place to allow them to swiftly address and mitigate cyber incidents. Such measures also need to be proportional to the threat.
Also important is for organisations to ensure their workforce is properly trained to identify and appropriately deal with potential cyber security issues. “Given the increasing need to involve the boardroom in cyber security matters, organisations need to have a cross-functional approach involving a nominated board director, an information secretary, and legal and IT functions,” adds Ms Flynn. “They may also wish to involve external advisers, which has the advantage of helping to maintain legal privilege.”
Cyber insurance
Despite the increasing number of cyber incidents affecting them, many organisations, particularly operators of essential services (OES), have difficulty accessing cyber insurance coverage because of steep premiums and disadvantageous coverage terms.
“There has been a shift in the approach to insurance on cyber security issues,” observes Ms Flynn. “Cost has meant that some organisations are choosing to self-insure. For those that do choose to insure, two key points to understand are the scope of cover and the notification obligations under the policy. The latter is especially important as NIS 2 requires entities falling within its scope to provide an ‘early warning’ to supervisory authorities within 24 hours of becoming aware of certain cyber security incidents.
“There can be an obligation to notify the insurer before notifying any other party, and it is particularly important to be aware of that in the face of tight supervisory authority notification timescales,” she continues. “A good insurance broker is an invaluable resource, and will be well placed to advise on the type of policy that is best suited to each individual organisation.”
In its 2023 ‘Demand Side of Cyber Insurance in the EU’ report, ENISA outlines recommendations for policymakers and organisations, including the community of OESs, to: (i) make progress toward the maturity of risk management practices; (ii) allocate or increase budget to implement processes on identification of assets and key metrics, and conduct periodic risk assessments, security controls identification, and quantification of risks based on industry best practices; and (iii) improve knowledge transfer and sharing.
“Organisations should make sure they know what the cyber insurance policy covers, including how much it costs, policy limits, deductibles and coverage extensions,” says Mr Barnett. “Coverage should be regularly reviewed and updated to adapt it to evolving cyber threats and regulatory changes, ensuring adequate protection.”
A cyber resilient EU
According to the EU, to improve collective resilience against cyber threats, investment will need to be doubled under the next European Commission mandate from the €214m allocated for 2024. In addition, in March 2024, lawmakers and member states backed measures to improve responses by setting up EU-wide infrastructure with cyber hubs across the bloc.
“Investment in cyber security measures across the EU is likely to surge in the coming years as threats continue to escalate,” suggests Mr Barnett. “Heightened awareness of the significant impact of breaches and increasing regulatory pressure, notably from the GDPR and NIS 2 Directive, will likely drive organisations to allocate more resources to cyber security.
“As cyber risks increasingly appear on boardroom agendas, organisations will need to prioritise cyber resilience-building measures and foster a more proactive approach to cyber security,” he concludes. “Collaboration between public and private sectors, coupled with innovative technologies, will contribute to creating a more cyber-resilient Europe, bolstering defences against evolving threats and safeguarding digital infrastructure.”
© Financier Worldwide
By Fraser Tennant