As of December 2022, there is a stringent European cybersecurity directive: Network and Information Security 2 (NIS2). This directive focuses on risks that threaten networks and information systems and can lead to a disruption of the economy and society. NIS2 must be incorporated into national legislation by the end of 2024. It is known that actors from China and Russia, among others, are making covert attempts to map our critical infrastructure.
A brief inventory of the threats tells us that Europe, and the Netherlands in particular, is extremely vulnerable. For this reason, the critical sectors covered by NIS2 have been expanded considerably. They include organizations involved in energy, transportation, banking, infrastructure, financial markets, health care, drinking water, digital infrastructures, wastewater, government services, space and management of ICT services.
There are roughly three types of cybersecurity risks: data theft, ransomware attacks and hacks with the intent to disrupt society. NIS2 was created primarily to mitigate risks from the latter category. NIS2 prescribes three obligations: conducting a risk assessment and taking appropriate protective measures based on that assessment (duty of care); reporting incidents to the supervisor within 24 hours (duty to report); and submitting to checks by the regulator for compliance with the foregoing requirements (duty to be supervised). Failure to comply could result in hefty fines (1.4 to 2 percent of global revenue).
The following measures should be placed on the boardroom agenda by the CFO:
Board and management awareness of cybersecurity and the impact of NIS2 on their business
Risk analysis and drafting of protective measures
Establishing a business continuity plan and crisis management protocols
Identifying alternative supply chains and scenario planning
By conducting regular crisis drills, the CFO can ensure that everyone knows how to act in the event of a disaster. Acting quickly is essential to prevent further damage. In addition, drills allow any gaps in the playbook to be identified.
This is an expert quote from Johan Traa, partner Finance and Technology, Boer & Croon.