Cybersecurity in 2024: Legal Challenges and Management Strategies in the New Digital Landscape



Did you know that more than 400 thousand cyber attacks occur worldwide every day? That billion-dollar economic losses have been recorded and that the forecast is even greater? The figures are striking, and the fact is that as technology advances we become more vulnerable if we do not manage these risks adequately. Faced with the rapid growth in the severity of cyber threats, cybersecurity is essential.

The speed of digital transformation and the interconnection of society, in this context of digital revolution and artificial intelligence, make information the main asset to be protected from risks that may affect its confidentiality, integrity, availability, authenticity and traceability. Cybersecurity is one of the most important risk management focuses for the governance and integrity of companies, their employees and their clients.

Within this great challenge of reducing threats to network and information systems, the European Union has published Directive (EU) 2022/2555 on measures for a high common level of cybersecurity (the NIS2 Directive), whose transposition into Spanish regulations must occur before October 17, 2024. This Directive, which applies to essential sectors, indirectly reaches suppliers throughout their supply chain and will be a reference for all other sectors on policies, procedures, governance, and technical and organizational measures for cybersecurity risk management and notification to the competent authorities.

In this new regulatory context, and taking into account the high impact and risk that information security entails, Senior Management, or any person who exercises management responsibilities at the level of general director or legal representative in an essential entity, is responsible for ensuring compliance with this Directive and for promoting an organizational culture that is more aware of and committed to cybersecurity. Information security becomes a responsibility not only of the technology or information security team, but also of the management team, supported by Legal and Compliance, so that the commitment extends throughout the organization.

The main obligations included in the NIS2 Directive are:

• Develop policies and procedures to evaluate the effectiveness of cybersecurity risk management: information security policies, information classification, encryption measures and procedures.

• Establish supervisory controls over the acquisition of technologies and services for the development and maintenance of secure networks and information systems.

• Have multi-factor authentication solutions, secure communications, and secure systems for emergency communications.

• Exercise due diligence in supervising the supply chain, including the entity-supplier relationship and the supplier's compliance with cybersecurity measures. The security of an entity's information can be strongly conditioned by the security adopted by its suppliers, so evaluating supplier risk is essential. Here, the collaboration of the Purchasing area is essential.

• Ensure personnel security, access control and asset management.

• Have a defined action protocol for security incidents that guarantees compliance with mandatory notification to the authorities within the established deadlines, including potential breaches.

• Have continuity plans for the organization's activities, from backup management, disaster recovery and crisis management to the reestablishment of its activities.

• Train all employees, and specifically senior management, in cybersecurity, to raise awareness, prevent threats, and understand how they affect the company at a strategic, financial, social and reputational level.

• Carry out prevention measures that include drills and tests, which put what has been established into practice and verify the effectiveness of the response.

The Directive proposes a fairly severe economic and criminal sanctioning regime for non-compliance with these obligations, imposing large fines and direct liability on senior managers, and temporarily prohibiting them from holding senior management positions.

It is essential to detect cyber threats quickly in order to react appropriately, and here the use of artificial intelligence is very useful. One fact of interest is the recent publication by the European Commission of a series of new calls for proposals under the Digital Europe programme. A specific budget of €84 million is available for activities to support security operations centres with new applications of AI and other enabling technologies, for the implementation of EU cybersecurity legislation. The call for applications opened on January 16, 2024 and the deadline for submitting applications is March 26, 2024.

Given the exposure to a large number of cyber attacks and threats, the obligations required in the regulatory and social sphere, and their consequences, it is advantageous to create specific cybersecurity committees in organizations, made up not only of technical and information security experts but also of specialized legal teams. This mixed technical and legal composition allows challenges to be faced from complementary perspectives, ensuring a complete understanding of both the technical security and the legal aspects of cybersecurity. It improves the capacity to respond to crisis situations caused by a cyber attack, as well as the development and approval of policies and strategic decisions in this matter. Every day, the legal function in cybersecurity, supporting the information security team and senior management in these important challenges, becomes more important.

Written by

Diolimar García
02-05-2024 00:06:11