Who should bear the consequences of a data breach caused by a cyberattack? Until now, each company has answered this question on its own. New regulation, most notably the EU's NIS2 directive, now defines who must ensure that security practices are implemented and enforced. The emerging trend of tying executives' financial liability to security, which started in the United States, has the potential to spread to other countries.
On average, CSIRT GOV, Poland's government-level incident response team led by the Head of the Internal Security Agency (ABW), receives about 1,000 reports of cybersecurity threats a day. This illustrates the scale of cybercriminal activity.
The main targets of these attacks are employees, including senior managers with access to confidential company information. According to Verizon's 2024 Data Breach Investigations Report, about 68% of breaches involved a human element, such as user error or a successful social engineering attack, which shows that the human factor remains a critical weak point in organizational security.
So far, it has been difficult to determine who should bear the consequences of a cyberattack. One answer was put forward by Brad Smith, Vice Chair and President of Microsoft, in his testimony before the United States House Committee on Homeland Security. Microsoft will become one of the first companies where progress on cybersecurity directly influences executive compensation.
“We’ve coupled this expansion of resources with important changes in the company’s security governance. In addition to the critical longstanding role of the company’s Chief Information Security Officer, or CISO, we have created the Office of the CISO with senior-level Deputy CISOs to expand oversight of the various engineering teams to assess and ensure that security is “baked into” engineering decision-making and processes.
Ultimately, culture change requires accountability. This is something all our senior leaders understand, starting with Satya as the company’s CEO. Rather than delegate overall security responsibility to someone else, he has taken on the responsibility personally to serve as the senior executive with overall accountability for Microsoft’s security.
This is also why we announced on May 3 that part of the compensation of the company’s Senior Leadership Team will be based on our progress in meeting our security plans and milestones. Since that time, we’ve worked to refine these compensation and other accountability steps for the next fiscal year, which begins on July 1.” [1] – Brad Smith, in his statement before the United States House Committee on Homeland Security.
Analysts see the steps taken by Microsoft as a potential global trend. What is the situation in the European Union, which typically implements such changes more slowly than the United States?
The EU cybersecurity rules introduced in 2016 (the original NIS directive) were revised by the NIS2 directive, which entered into force in January 2023. The legal framework was modernized to keep pace with increasing digitalization and the evolving threat landscape. Member States are required to transpose the directive into national law by 17 October 2024.
According to PwC estimates, the new directive will cover over 6,000 entities operating in 18 sectors of the economy in Poland.[2]
In Chapter IV of the directive, Article 20 states:
1. Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.
The application of this paragraph shall be without prejudice to national law as regards the liability rules applicable to public institutions, as well as the liability of public servants and elected or appointed officials.
2. Member States shall ensure that the members of the management bodies of essential and important entities are required to follow training, and shall encourage essential and important entities to offer similar training to their employees on a regular basis, in order that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity. [3]
As we can see, the directive holds the management bodies of essential and important entities, including board members, accountable for approving and overseeing the cybersecurity risk-management measures required by Article 21, and allows them to be held liable for the entity's infringements of that Article. Those in managerial positions must not only ensure that appropriate security measures are in place but also answer for their effectiveness, and they are obliged to undergo cybersecurity training themselves.
The NIS2 directive covers a wide range of entities, both public and private, that provide services critical to the functioning of society and the economy. Broadly, organizations in the sectors of high criticality (Annex I) are essential entities and those in the other critical sectors (Annex II) are important entities, although the classification also depends on the entity's size under Article 3.
Entities Covered by the Directive:
Essential Entities (sectors of high criticality, Annex I):
– Energy Sectors: Electricity, gas, oil
– Transport Sectors: Aviation, rail, water, road
– Banking and Financial Market Infrastructures
– Healthcare Sectors: Hospitals, healthcare providers
– Drinking Water and Wastewater Management
– Digital Infrastructure: DNS service providers, top-level domain name registries, cloud computing providers
– Public Administration: Central and regional entities
Important Entities (other critical sectors, Annex II):
– Postal and Courier Services
– Waste Management
– Production, Manufacturing, and Distribution of Chemicals
– Food Production: Entities involved in industrial production and processing
– Manufacturing Entities: Production of medical devices, computers, electronics, vehicles
– Digital Providers: Online marketplaces, online search engines, social networking platforms
– Research Organizations
Essential and important entities must implement appropriate security policies based on a systematic and thorough risk analysis. Under Article 21, these measures must follow an all-hazards approach, addressing all relevant threats, including those to the physical environment of the network and information systems. Approving and overseeing these measures is the direct responsibility of the management bodies of these entities.
[1] https://blogs.microsoft.com/on-the-issues/2024/06/13/microsofts-work-to-strengthen-cybersecurity-protection/
[2] https://www.pwc.pl/pl/uslugi/nis2-nowe-wymogi-dotyczace-cyberbezpieczenstwa.html
[3] https://eur-lex.europa.eu/eli/dir/2022/2555/oj