PONT Data&Privacy
NIS 2 and board liability: 'The realization that cybersecurity is chefsache is a milestone'

The recent introduction of the "Network and Information Security Directive 2" emphatically places responsibility for cyber security on corporate executives, amid growing concerns about cyber resilience.

10 April 2024

The geopolitical threat is growing now that state-sponsored hackers have entered cyberspace. The AIVD's Head of Resilience even states that China, known for its offensive cyber program, poses the greatest threat to the Netherlands (1). To strengthen the resilience of European companies, the "Network and Information Security Directive 2" was drafted, which places an active obligation on management. The editors of PONT Data & Privacy sat down with Yolanda van Setten, owner of the consultancy Cum Sensu, which advises on cybercrime, to discuss board liability under the NIS 2 directive.

Given the imminent threat, could you please explain the scope of board liability under NIS 2?

"Information security is mostly seen as 'something for the Chief Information Security Officer' (CISO), while directors' focus is primarily, not entirely surprisingly, on business operations, on the primary processes within a company. This is despite the fact that it is the director's responsibility to protect all of the company's interests.

Cybersecurity requires investments in people and resources, investments that are difficult for a company to translate into direct, monetary returns. As was the case with fire safety years ago, people are not aware of risks until those risks actually materialize.

Digital risks, as the Cybersecurity Assessment Netherlands 2023 also notes, are part of an enormously broad, complex and dynamic risk palette. Directors generally have little awareness of the magnitude of these risks. NIS 2 brings this dilemma to the board table, and that's a good thing. Directors will need to be educated not only by their CISOs, but also by legal experts and by staff, at the operational, strategic and practical levels. It is an organization-wide responsibility, where not only digital hazards matter for the risk assessment, but also physical hazards to systems, such as flooding, theft and fire.

An example for clarification. NIS 2 assumes a risk-based approach to information security, which includes business continuity and crisis management in the risk analysis. Making plans and preparing (including practicing) for incidents, as well as reporting those incidents, means that a multitude of different functions within companies need to be involved. To properly implement NIS 2, a company-wide project group must be formed. The board must take the lead on this, allocate budget and manage on outcomes. Approaching it bottom-up without board commitment will not lead to proper implementation."

As "digital immigrants," do you think directors can adapt to this "new" threat?

"Good management requires much more knowledge than before. Directors now have to think and make decisions about the sustainability of their products and processes, about hybrid working, for example, and also about cybersecurity.

After the initial implementation of NIS 2, the topic must not fall off the board table. The geopolitical threats, the rise of quantum computing and the democratization of artificial intelligence are developments that continually force choices in business operations and specifically in cybersecurity. Quantum computing, for example, seems far from anyone's mind. What it will actually bring is that passwords will be cracked much faster and more easily. It will then be up to managers, advised by their employees, to choose whether to adjust security or to accept the risk that security will be cracked.

The risk of a 'cold' implementation of NIS 2, i.e. implementing only to the letter of the regulation, is that the focus is on 'ticking off' the list of activities a company must perform. Implementing measures without thinking about the underlying risks and impacts makes no sense. Each company will have to look at its own crown jewels to make an assessment. Determining the crown jewels is also eminently a task and responsibility for directors.

This does not require in-depth technical knowledge from directors, but above all the realization that this responsibility is also on their plate. So they need to invite the right advisors from within their own staff to inform them. After all, a director does not need to be an accountant himself to understand the company's numbers either. The same goes for cybersecurity."

State hackers have more resources than conventional actors. They use more complex attacks, such as supply chain attacks. What role do IT vendors and IT contracts play in preventing cyber incidents?

"NIS 2 looks not only at information security, but also at increasing the resilience of organizations against attacks, with a focus on chain responsibility. Making choices includes choosing which partners to collaborate with, in what ways to collaborate and how to protect those collaborations.

Getting cybersecurity in order throughout the chain makes you stronger together. After all, the digitization of society means that everything and everyone is connected. Reducing the conversation to a supplier's legal liability for not having its cybersecurity in order is only a small part of security, and is more a capstone than a goal. In fact, when lawyers start talking about liability, it's already too late.

It is much more important to recognize together, and earlier, what risks there are and how to address them. NIS 2 also provides for this by explicitly bringing direct suppliers and service providers under the chain responsibility of companies. However, it does not end there. Companies can thereby also consider risks arising from the activities of suppliers further along the chain, producing a waterbed effect.

You can thus start to see the knock-on effect of that chain responsibility throughout the chain. Including conditions and agreements in contracts is then a means; the conversation about cybersecurity is perhaps much more important. Awareness and understanding that cybersecurity is "chefsache" is one of the most important milestones in becoming more cyber-secure and resilient across the board. As such, the topic should have a permanent place on the boardroom agenda."

(1) https://www.computable.nl/2024/02/01/aivd-china-vormt-de-grootste-bedreiging-voor-nederland/