The EU directive on cybersecurity: a final shift in 2015

As 2015 drew to a close, there was yet another significant development in the global legal regime governing cybersecurity. The European Union (EU) is poised to adopt a cybersecurity directive early in 2016, aimed at improving member states' individual capabilities and their cooperation on cybersecurity, and at setting minimum security standards for companies that provide certain essential and digital services. The EU issued its proposal to the member states on December 18, 2015, and the directive will now go to the full Parliament and Council for approval.

The directive

The directive, though divided into five chapters, effectively addresses computer infrastructure at two levels: governmental and private industry. The first half of the directive is aimed at strengthening EU member states' national security. It requires member states to: (a) adopt a network and information security (NIS) strategy and establish a computer security incident response team (CSIRT), and (b) participate in a cybersecurity information sharing group composed of representatives from the member states, the Commission, and the European Network and Information Security Agency (ENISA). The directive also establishes a network of CSIRTs to “promote swift and effective operational cooperation” on specific cybersecurity threats.

The remainder of the directive is aimed at private companies operating within the Union, regardless of their nationality. This could also include Swiss companies with EU-based operations. It requires operators of certain defined “essential services” to implement and maintain a security level appropriate to the risks facing them. Essential services are defined as including, among other things, providers in the energy, transport, banking (credit institutions), financial market infrastructure, healthcare, and digital infrastructure sectors. In addition to taking appropriate cybersecurity measures, these providers are obliged to report serious incidents to their applicable national authorities. The directive does not set out the standards to which the essential service providers will be held. That is left to member states to decide and implement in harmony with existing EU law.

Concrete restrictions

The directive does, however, place some concrete obligations on essential service providers. Firstly, it directs member states to establish an oversight authority, or to designate an existing one, with the power to audit essential service providers' compliance with the security standards. Those authorities will have the power to require essential service providers to produce the information needed to assess the security of their networks. The authorities will also have the power to demand evidence of “effective implementation” of the companies' security policies. That evidence may include an audit of their security by an outside auditor, such as PwC. The directive also obliges essential service providers to notify the authority of incidents having a significant impact on the continuity of the services they provide, even when the incident arises at a third-party service provider. The companies are, however, shielded from any additional legal liability arising from their reporting of these incidents.

Digital service providers

The directive imposes similar requirements on what it terms “digital service providers”, which include not only ISPs but also online marketplaces, cloud services, and search engines. These services will also be required to adopt certain minimum security measures, which the directive itself does not define, and to report incidents having a substantial impact on the provision of their services. In addition to the standards imposed on essential services, digital service providers will have to meet requirements for: (a) system and facility security, (b) incident management, (c) business continuity management, (d) monitoring, auditing and testing, and (e) compliance with international standards that the directive does not specify.

2015 – a conclusion

Of course, this EU agreement is just the most recent example in a year full of global policy developments governing cybersecurity. 2015 saw the loss of the EU–US Safe Harbor data transfer framework, and Israel's withdrawal of its largely equivalent safe harbour provision. The United States adopted a new law, the Cybersecurity Act of 2015, which promotes the sharing of threat intelligence and defensive measures between the public and private sectors.

Switzerland has already developed a national strategy for the protection of Switzerland against cyber risks (NCS). Currently, no urgent need for additional legislation is felt in Switzerland (according to the NCS 2014 annual report). Nevertheless, it is still likely that Switzerland will adopt parts of this EU Cybersecurity Directive in order to continue to participate in the EU's Digital Single Market, reflecting the fact that cyber-attacks do not respect legal borders. For some Swiss companies providing critical infrastructure services that are important to the EU or to EU citizens, compliance with the new EU Cybersecurity Directive (NIS) will be compulsory.

2016 – an outlook

Swiss organisations working in the EU will need to consider the legislation and its mandatory requirements. Despite the uncertainty that remains in the legal landscape, 2016 is shaping up as a year full of promise and opportunity. The opportunity exists for nation states to work closely with each other to bolster their cybersecurity. The opportunity exists for businesses to work with each other and with their governments to strengthen themselves and help others against increasing cyber threats. There is also the opportunity for all of us to step back and assess where we stand and what more we can do to protect ourselves, our clients, and our critical infrastructure.

We at PwC appreciate the opportunity to help you reach those goals. As a multi-disciplinary cybersecurity practice, we are uniquely placed to help you adjust to new regulatory environments. Our global data protection team includes lawyers, consultants, auditors, technical risk specialists, forensics experts and strategists. Feel free to contact us.

We wish you a happy New Year!

Consumer identity – 7 things you need to know

As we have noted in the latest Total Retail Switzerland 2015 Survey released in June, one of the current challenges facing retailers includes the digital disruption that has taken hold of the retail sector.

Consumer identity is the management of a consumer's digital persona when they engage with a provider, through whichever channel they choose.

The relationship between the consumer (the user of products and services) and the provider (the maker or deliverer of those products and services) is a delicate one. It requires trust, so that the right amount of personal characteristics and preferences is shared and used for an agreed and transparent purpose in support of a positive consumer experience.

Consumers will have different requirements for the means by which they wish to engage with providers, depending on the context. A mutuality of benefits needs to be built through a willing buyer and willing seller dialogue.

This blog post explores a number of topics that need to be considered before embarking on a consumer identity programme.

Individually owned identity

In a world where a consumer will want the option to use a single identity to access a variety of services from multiple providers, they will want to control and manage it. Whoever they ‘lodge’ their identity with will have the responsibility to verify who they claim to be, and will ask the consumer to ensure that everything is kept up to date and require any changes to be communicated promptly. The onus for managing their identity will lie squarely with the consumer.

Users will want to control what they share

When a consumer connects to a service they will want to control what they share (date of birth, address, and so on) and for how long the service may retain the information. Organisations that recognise this will be more attractive to users than those that do not treat the user's privacy as paramount.

Context is key

What information is required to authorise a transaction or request depends on the value of the transaction and on various environmental factors. This context is vital to protecting both the user and the provider from fraud and account misuse. A request from an unknown device in an overseas location may prompt for additional verification. Stepping up the level of verification as uncertainty increases (unfamiliar location, device, or time of day) reassures the user without seeming burdensome, because the low-risk, everyday case stays frictionless.
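The step-up logic described above, as an added example that is not part of the original post: each context signal (unknown device, unusual country, off-hours access, high-value transaction) adds to a risk score, and the score selects between allowing the request, demanding a second factor, or blocking it. The signal weights, thresholds, and the sample user profile are assumptions chosen for illustration; a real deployment would tune them from its own fraud data.

```python
"""Risk-based step-up authentication (illustrative example, not PwC code).

Scores a login or transaction on contextual signals and returns one of
"allow", "step_up" (require additional verification) or "block".
"""
from dataclasses import dataclass, field

# Hypothetical signal weights and thresholds (assumption for illustration).
WEIGHTS = {
    "unknown_device": 30,   # device fingerprint never seen for this user
    "unusual_country": 35,  # request originates outside the user's usual countries
    "off_hours": 10,        # outside the user's normal activity window
    "high_value": 25,       # transaction value above HIGH_VALUE_THRESHOLD
}
HIGH_VALUE_THRESHOLD = 1000.0
STEP_UP_THRESHOLD = 30      # at or above: ask for a second factor
BLOCK_THRESHOLD = 80        # at or above: refuse outright and alert


@dataclass(frozen=True)
class RequestContext:
    user: str
    device_id: str
    country: str            # ISO country code derived from the source address
    hour_utc: int           # 0-23
    amount: float = 0.0     # 0.0 for a plain sign-in


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    home_countries: set = field(default_factory=set)


def risk_score(ctx, profile):
    """Return (score, reasons): the reasons list is what an analyst or the
    user-facing message would see, so it is kept alongside the number."""
    score, reasons = 0, []
    if ctx.device_id not in profile.known_devices:
        score += WEIGHTS["unknown_device"]
        reasons.append("unknown_device")
    if ctx.country not in profile.home_countries:
        score += WEIGHTS["unusual_country"]
        reasons.append("unusual_country")
    if ctx.hour_utc < 6 or ctx.hour_utc >= 23:
        score += WEIGHTS["off_hours"]
        reasons.append("off_hours")
    if ctx.amount >= HIGH_VALUE_THRESHOLD:
        score += WEIGHTS["high_value"]
        reasons.append("high_value")
    return score, reasons


def decide(ctx, profile):
    """Map the score to a decision; returns (decision, score, reasons)."""
    score, reasons = risk_score(ctx, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_successful_step_up(ctx, profile):
    """After the user passes the extra verification, enrol the device so the
    next request from it is treated as low risk (the 'learning' part)."""
    profile.known_devices.add(ctx.device_id)


def demo():
    """Constructed sample: a user whose only known device is a laptop in CH."""
    profile = UserProfile(known_devices={"laptop-1"}, home_countries={"CH"})
    results = []
    # Usual device, usual country, daytime: nothing to challenge.
    results.append(decide(RequestContext("alice", "laptop-1", "CH", 10), profile)[0])
    # New phone from home country: one signal, ask for a second factor.
    new_phone = RequestContext("alice", "phone-9", "CH", 10)
    results.append(decide(new_phone, profile)[0])
    # New device, abroad, at 03:00, moving a large sum: block.
    results.append(decide(RequestContext("alice", "phone-9", "BR", 3, 5000.0), profile)[0])
    # The phone passed step-up earlier, so it is now known and allowed.
    record_successful_step_up(new_phone, profile)
    results.append(decide(new_phone, profile)[0])
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The reasons list matters as much as the decision: it is what lets the provider tell the user why they were challenged ("new device") rather than silently adding friction, which is the transparency the post argues for.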

Organisations that design for privacy will be trusted more than those that don't

Determining the minimum amount of information required to undertake a transaction increases trust between the consumer and the provider by reducing the amount of information the consumer exposes. The provider should also tell the consumer what it will do with the information once the transaction is complete, how it will be protected, how long it will be retained, and whether it will be shared with other parties. Privacy should be considered at every stage of a service. Does the provider need to retain the address, date of birth, place of birth, current location and device used anywhere other than in a well-secured audit log? The user should be offered the option to approve the use of any additional information, and to set how long it may be used for.

Consumers will want to choose their persona

In the digital world as in real life, consumers will wish to present different personas depending upon the environment and the nature of the transaction. In real life we can choose to be anonymous by paying with cash, and to reveal elements of our identity through the use of intermediaries such as PayPal and various debit and credit cards. How we present ourselves socially as opposed to professionally will also vary. At the same time consumers may wish to use more than one identity to separate the different parts of their lives and to compartmentalise who knows what about them.

Consumers will demand more control over their data and the extent of the consent that they give

In recent times there has been an explosion in the amount of data that is collected, from how long you have slept to where you have been lately, and it will only grow to include measures such as heart rate, blood pressure, and so on. As more data is collected about consumers, they will start to demand greater control over who has access to it and for how long. Organisations that offer consumers choice and options concerning their data will be more trusted, and will therefore command a greater share of the consumer's time, money and intellectual property rights (IPR).

Consumers are now more aware of their digital footprint

Consumers are more aware of their digital footprint and so want better control over how their data is shared and with whom. Taking ownership of their digital persona will reap rewards, whether through a more fulfilling digital experience or financial remuneration for the use of their data.

If you have any questions, please do not hesitate to contact me.

A new Internet tipping point – consumers getting more power… and responsibility

I’ve recently come of age in the world of the Internet: it’s 21 years since I first signed up for my Demon Internet account. Using a modem at speeds we wouldn’t recognise these days, I was just grateful to get online! The ability to email people outside of my organisation and to find pieces of code (yes, I did purport to write code all those years ago) was invaluable.

It wasn’t long before we started to do minimal ecommerce, buying from Amazon and the like. For me this included discovering the wide range of books online that I could buy and learn from. As the ‘Information Super Highway’ – as it was then called – got more popular, so we were enticed onto the highway with a simple trade: our data in exchange for free access to content. And we all want something for free, thinking that it won’t ever cost us!


If you have any further questions, please contact us.

Sanctions: US action on cyber crime

On 1st April, President Obama issued an Executive Order (“EO”) giving the US Government the power to respond to cyber attacks with sanctions. The US is the first country to establish an economic sanctions programme in response to alleged cyber attacks. This was not an “April fool” spoof, but the timing could have made people think twice.

The EO will potentially affect both individuals and other entities (called Specially Designated Nationals (SDNs), or “designees” for short) if they are deemed responsible for attacks based on “cyber-enabled activities” which threaten the national security, foreign policy goals, economic health, or financial stability of the US.

The White House blog has explained that the EO will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Specifically, the EO authorises the Treasury Department’s Office of Foreign Assets Control (OFAC) to freeze the designees’ assets.

Although no one has yet been named, we think this EO was issued with specific threat actors in mind, and we may expect designations to follow shortly. Given the EO’s broad scope, which covers “entities” (including foreign governments and their affiliates), it may also be used to help deter state-sponsored cybercrime.

Once designees are announced, US persons, companies and financial institutions should then take steps to ensure they do not engage in prohibited dealings with them. Additionally, the EO suspends any entry into the US by any individuals determined by OFAC to meet the criteria for designation.

Designation could have much wider consequences for businesses outside of the US, because an entity in which an SDN has a 50 percent or greater interest is also blocked. This means U.S. persons and businesses may not engage in negotiations, or enter into contracts, or process transactions involving a blocked individual when that blocked individual is acting on behalf of the non-blocked entity that he or she controls.

As we have seen in the recent past, financial institutions that do not comply with their sanctions-related obligations can be exposed to significant criminal and civil penalties for violations of the US International Emergency Economic Powers Act (IEEPA) or other applicable US federal or state legislation.

Companies doing business in the critical infrastructure sectors listed below should also monitor any future designations of persons or entities as Specially Designated Nationals (SDNs), and consider developing an initial plan for compliance. If you are working in the industries or contracting with them in the US, then take note.

The US Government defines the critical infrastructure sectors as:

  • Chemical;
  • Commercial Facilities;
  • Communications;
  • Critical Manufacturing;
  • Dams;
  • Defence Industrial Base;
  • Emergency Services;
  • Energy;
  • Financial Services;
  • Food and Agriculture;
  • Government Facilities;
  • Healthcare and Public Health;
  • Information Technology;
  • Nuclear Reactors, Materials, and Waste;
  • Transportation Systems;
  • Water and Wastewater Systems.

In addition, institutions that are targeted by cyber criminals will see an increase in government requests for their assistance in building cases against potential targets of these new sanctions.

The EO does not define “cyber enabled activities,” but OFAC stated in its FAQs that it will likely define the term to include any act that is primarily accomplished through or facilitated by computers or other electronic devices.

Please contact me if you have any further questions.