On 7 December 2015, the EU Council reached an informal agreement with the EU Parliament on the draft Network and Information Security (NIS) Directive. The draft Directive sets out cybersecurity obligations for operators of essential services in the healthcare, banking, energy and transport sectors, and also digital service providers (including e-commerce platforms, search engines, social networks, internet payment gateways, and cloud services). These operators will be required to take measures to manage cyber risks and report major security incidents.
Recent high-profile security incidents illustrate that no institution or business is immune from cyber attack. A cyber attack on the White House in 2014 resulted in a partial shutdown of its email system. In a reported attempt to extort money from the ECB, email addresses and other user contact information were stolen in 2014. Confidential movie scripts and emails about staff and movie stars were released as part of the 2014 Sony hack. Already this year, the Carphone Warehouse security breach in early August and the more recent Ashley Madison hack have received extensive media coverage.
“The next big financial shock will arise from a succession of cyber-attacks on financial services firms.”
So said the Chairman of the International Organisation of Securities Commissions, as cited by the Central Bank of Ireland’s Deputy Governor, Cyril Roux, during a recent address to the Society of Actuaries.
Symantec released their annual Internet Security Threat Report (the Symantec Report) last week (available at http://www.symantec.com/security_response/publications/threatreport.jsp) and it makes for alarming reading. The risk of cyberattack is one that has been brought to the forefront of popular consciousness by the devastating cyberattacks on Sony Pictures Entertainment in 2014 and the Symantec Report shows that 2014 saw a worryingly exponential increase in the number, severity and sophistication of such attacks.