| 5 min read
Boards of directors (aka "boards"), those executive committees that govern and supervise the activities of a company or organization, who have not yet done so, will have to start cybersecurity training as soon as possible. At least this will be required from next year by the laws of the European Union (EU) member states.
Late last year, we gave an overview of new regulations proposed by the U.S. Securities and Exchange Commission (SEC) that will force boards to consider cybersecurity an organizational priority. These cybersecurity regulations are aimed squarely at getting organizations to report incidents on time and to disclose their risk detection and management strategies, as well as the governance guidelines, cybersecurity expertise and oversight role of their boards of directors. While these SEC regulations do not explicitly mandate anything beyond the disclosure of information, they implicitly encourage organizations to improve cybersecurity.
Although the above is a noteworthy initiative to be taken into account, it may be better to take the recent EU regulatory proposal as a gold standard, which establishes similar, albeit stricter, requirements. We refer to the NIS 2 Directive, which, for instance, states that cybersecurity training for the boards of organizations is an obligation.
What is and what does the NIS 2 Directive bring with it?
The Network and Information Systems (NIS) security directive (aka "NIS Directive") was implemented in mid-2016 by the EU. The NIS Directive, part of a broad package of strategies of that group of nations, had as its primary purposes to expand cybersecurity awareness, improve risk and incident management measures and increase the cyber resilience of organizations belonging to or related to the EU. (The latter refers to entities not established in the region but offering services to companies or individuals within it.)
Recently, in order to face new situations and challenges, such as the accelerated digital transformation of society and the subsequent expansion of the threat landscape, the EU found it necessary to apply innovative changes to that directive. It was then that in January this year, the EU launched a new version of the NIS Directive, the NIS 2 (aka "NIS2") Directive, which, in a nutshell, seeks to provide "legal measures to boost the overall level of cybersecurity in the EU," so as to reach a higher, common level in the region. This directive (here is the official document) will have to be transposed by the EU member states into their legislation by October 17, 2024.
Among the changes brought about by the NIS2 Directive is broadening the scope to involve more industrial sectors and, therefore, more public and private entities. These would mainly constitute a set of so-called "essential and important entities," which are classified as such according to new conditions that, in addition to the products or services provided, involve factors such as the number of employees and total revenues.
Essential and important entities (image taken from here).
Other modifications in this directive include strengthening cooperation between EU member states regarding threats and incidents, establishing shorter incident reporting times, applying stricter penalties for non-compliance with regulations and paying close attention to critical supply chains and their risks. However, the change we want to focus on most here is the obligation for directors or managers of organizations to take more responsibility for the cybersecurity maturity of their entities, for which, in particular, they must receive cybersecurity training.
What should boards of directors be trained in?
In a great deal of things. Boards need to start by recognizing what the NIS 2 Directive is and what it is intended to achieve and, from there, determine if they meet the requirements for the directive to apply to their organizations. Once this is confirmed, they must be prepared so that their entities can comply with the NIS2. Essentially, they must be trained to prevent cybersecurity risks and protect their organizations from cyber threats. (The NIS 2 Directive website, in fact, offers some basic courses on the matter.)
Article 20 ("Governance") of the NIS2 states that the boards or management bodies of the organizations under this directive must recognize and approve the cybersecurity risk-management measures to be implemented in their entities, oversee their proper application and even assume liability for breaches of the renewed cybersecurity legislation in their respective EU member states. Therefore, boards should receive training in this regard. Specifically, it is suggested that they should know about or obtain skills for the identification, approval and supervision of the following cybersecurity risk-management measures:
-
Inventory the network computing devices and software components and review their functionality, usability and dependencies. In addition, recognize the organization's critical services, operations and assets.
-
Know in detail the cyber threats the organization faces, their usual attack patterns and the potential impacts.
-
Implement security policies for acquiring, developing and maintaining IT systems (e.g., the correct encryption of information and the use of multi-factor authentication).
-
Apply strategies for risk assessment and solutions for detection, remediation and disclosure of vulnerabilities (the European Union Agency for Cybersecurity, ENISA, will establish a European vulnerability disclosure database), as well as monitoring and response to threats.
-
Understand and address the specific security risks in the supply chains associated with the organization. Even if the IT supplier is not within the scope of the NIS 2 Directive, when providing products or services to an organization within the scope, the latter must require the former to comply with specific cybersecurity standards.
-
Manage and report incidents, limiting their consequences as much as possible. Computer Security Incident Response Teams (CSIRT) or other competent authorities for incident reporting are established for organizations from the EU member states. The renewed NIS2 timeline states that within 24 hours, a first report must be given to the CSIRT or the competent authority. Within 72 hours, the report must be complete, including details such as the type of incident and the severity of its impacts. A final report is due one month later.
-
Seek to ensure business continuity by using and managing back-ups and disaster recovery plans or resilience programs.
-
Offer cybersecurity training programs for the organization's employees regularly. Forge a culture where everyone thinks about security and takes responsibility for it, recognizing the risks but also cyber hygiene and secure coding practices, among other preventive measures, as well as defensive and reactive measures.
Boards of directors will have to monitor compliance with cybersecurity measures such as those mentioned above and should be aware of and avoid penalties for non-compliance as far as possible. From their supervisory role, they will be able to evaluate and analyze their effectiveness and progress in a journey in which the level of cybersecurity maturity of organizations is sought to be continuously higher. Managers and employees, not only in the EU but around the world, must immediately understand that the survival of their organizations depends tremendously on having a strong and mature cybersecurity posture.
Still unaware of security vulnerabilities in your organization's applications and other IT systems? We invite you to access the 21-day free trial of our Continuous Hacking Essential plan. But if you want to get the best right away, purchase our Advanced plan to incorporate security testing by our tools and ethical hackers into your SDLC to beef up your organization's cybersecurity posture.
Recommended blog posts
You might be interested in the following related posts.
