This week the EEC announced the first cyber security law, the Network and Information Security Directive. This is a security and reporting directive for companies in critical business sectors such as transport, energy, health and finance. It will also apply to the likes of Google and Amazon.
The directive is primarily twofold:
1. Requirement of companies to report cyber security breaches.
2. Requirement of companies to ensure that they have a secure digital infrastructure in place.
A body of teams will be set up to manage incidents, in the shape of Computer Security Incident Response Teams (CSIRTs).
This is likely to ensure greater visibility of cyber crime and data breaches within companies. The impact of this could have commercial consequences as to whether companies are considered by their trading partners to have adequate cyber security in place. The emphasis of this law is clearly to encourage companies to address their cyber security, and it would be prudent for companies to be proactive now in order to be ready for the implementation of this law, which is anticipated to come into force within the next two years.
This is a timely decision, as in the US this week the Federal Trade Commission won a lawsuit against Wyndham Worldwide Corporation, which failed to properly safeguard customers' information. Three separate data breaches were suffered, affecting 619,000 customers and leading to $10.60M in fraudulent credit card charges. As a result, Wyndham will be required to improve all aspects of its cyber security.
This new directive should not be confused with the General Data Protection Regulation, which will bring uniformity to data protection laws in the EEC and compulsory data breach notification for all businesses.
This new directive will no doubt provide insurers in the cyber liability insurance market with some much-needed comfort, as one of their focuses in rating and assessing exposures is the level of cyber security.
If that level of security improves, it will eventually have an impact on premiums and could conceivably exert downward pressure on premium rates.