IT Risk Space

Within the past two weeks, we have seen the issuance of two significant governmental initiatives addressing the risks of cyber attacks of various types on government and industry (and specifically financial services) infrastructure and systems. Please read below the high level summary:

European Union
The first initiative is the February 7 draft EU Directive on cyber security!
Assuming approval by the EU Parliament, it defines a mandatory obligation on the part of, among others, banking businesses, to report, and share information on, cyber attacks and security breaches. This reporting, yet to be fully-defined, will involve the European Network and Information Security Agency (ENISA), as well as authorities in member states. Cooperation with the US and other countries outside the EU is anticipated, including use of the existing EU –US Working Group on Cyber Security and Cyber Crime.

The goal is cyber-resilience and creation of an international cyber space policy. It will involve an obligation on businesses to take “appropriate technical and organizational measures to manage the risks posed”. The cyber security directive does not appear to distinguish between breaches resulting from criminal attacks and those involving unintentional data loss.

The directive must be further implemented through national member state legislation. It is intended to complement the recent draft EU Data Protection Regulation which already heightens standards for data privacy measures and creates greatly-increased data breach penalties. (Combined reporting under both EU directives may eventuate.)

United States
The second initiative is the President’s February 12 Executive Order on Improving Critical Infrastructure Cyber security!
This order creates a two-pronged program involving:

a) voluntary information sharing between government and industry (financial services is identified as a “critical infrastructure” (CI) industry) of cyber threats and incidents
b) the creation of a cyber security framework by the National Institute of Standards and Technology (NISTA).

This latter will involve extensive consultation with industry and particularly CI industries. At the same time, specific agencies will review their existing cyber security-related regulations for adequacy and report on this. This latter will include identification of areas in which the regulators determine that they lack adequate authority.

Both documents are rather lengthy and this summary is only a cursory overview. They both will involve future development of details as to implementation and standards. However, the basic elements and objectives of these measures should remain.