Transcription of Networking and Information Security (NIS) …
1 February 2017. EY Financial Services Networking and Information Security (NIS) Directive An outline of consequences and next steps For further Information , Security and trust in the digital world are Specifically, it is applicable to operators of contact: the foundations of the digital marketplace. critical infrastructures, including amongst The provision of services via the internet others, financial services, energy Steve Holt are ever increasing, with millions of companies and transport organizations, 25 Churchill Place EU citizens making use of a wide array as well as key providers of Information London E14 5EY of offerings, from e-government and services and public administrators.
2 UK health care to online shopping and social Mobile: +44 7796 258 319 The minimum Information Security networks. Yet, as cybersecurity incidents Email: requirements imposed by the NIS. such as malicious attacks are increasing Directive crucially include new measures Tony de Bos at an alarming pace, the digital world is related to the use of personal data. In Antonio Vivaldistraat 150 frequently exposed as vulnerable. turn, these are designed to improve the 1083HP Amsterdam In December 2015, the EU reached an Security of the internet and the private The Netherlands agreement which resulted in the NIS networks and Information systems.
3 Mobile: +31 629 084 182 Directive. This has given rise to, for the Businesses may face challenges if they Email: very first time, a set of EU-wide rules and fail to take actions to implement the regulations regarding cybersecurity. Vincent Waart NIS Directive. In its enforcement, it will Antonio Vivaldistraat 150 The NIS Directive requires the adoption be combined with related regulations, 1083HP Amsterdam of appropriate steps to manage Security particularly the penalties and fines The Netherlands risks and report serious incidents. entailed in the European General Data Mobile: +31 621 251 299 Protection Regulation.
4 Email: NIS Directive is part of the EU's cybersecurity strategy. It tackles network and Security incidents and risks by imposing Security and reporting obligations on financial services. What are the implications of the NIS Directive? What are the next steps for organizations? The requirements will come into full effect on 10 May 2018. Implementing advanced behavioral-based detection systems that are now the modern standard for prevention of It is the first attempt to legislate cybersecurity, contrasting advanced attacks. with approaches of the US and UK, which opt for an industry- led or voluntary approach.
5 Preparing an incident response readiness program that will comply with breach reporting requirements in a timely manner. Non compliance with the NIS Directive will lead to financial loss, including the prospect of large fines and potential damage Utilizing an intelligence-based Security strategy that can be to business reputation. integrated with new NIS threat intelligence sharing programs. Non compliance with the NIS Directive might even result in Adopting an internal Security and response strategy and decreased customer confidence or loyalty and increasing legal coordinating this with the board of directors, chief legal officer, costs associated with the judicial and auditing process.
6 And other senior executives. Reviewing all internal Security processes and preparing self- audit capabilities required by national authorities. What are the consequences of the NIS How EY can help? Directive? The NIS Directive adopts a multi layered approach by placing obligations on all stakeholders across the industry in member states, authorities and Evaluate the NIS. Assist in the risk companies themselves. Strategy in line with the assessments around NIS. NIS Directive Directive requirements Establish a national NIS strategy and regulatory measures to achieve network Security . Establish a competent authority to monitor the application Design an internal of NIS Directive in their territory and across member states.
7 Analyze the processes and technology to How EY Security and response strategy and align The competent authorities in each member state are to support data breach notifications can help this with the board of directors be given authority to investigate cases of non compliance of Financial Services organizations with the NIS Directive. Financial Services organizations may undergo Security audits. Review of the internal Assess and implement a minimum level Security processess The European Commission and National Crime Agencies of Security (NCAs) to cooperate and coordinate against risks and incidents affecting network and Information systems.
8 Security obligations imposes a minimum level of Security for digital technologies, networks and services. Reporting obligations makes it compulsory to report significant cyber incidents to national regulators. NIS Directive: Financial Services organizations will need to demonstrate that robust cybersecurity defense programs are in place, including adequate preventative measures and the correct tools to deal with and report breaches. 2 | NIS Directive February 2017. Cyber attacks on Financial Services organizations are an emerging threat that could pose a systematic risk to the financial sector. 87% of board members and C-level executives have said they lack confidence in their organization's level of cybersecurity.
9 89% of organizations do not evalulate the financial impact of every significant breach. 49% have no idea what the financial damage of a cyber-attack is or could be. EY Global Information Security Survey 2016. Why EY? We have global experience in helping to translate and implement We have a deep understanding of the regulatory requirements and translate the NIS Directive requirements. With the adoption of and the impacts to risk and operating models. the NIS Directive, businesses should begin preparing: We have a proven track record of similar engagements EY is the most globally integrated organization in professional performed for peer organizations within the Financial Services.
10 Services. We have a global operating model and footprint Our global Cyber Program Management framework identifies and can therefore work with you across the globe either real risks assisting organizations to define risk exposure, cyber locally or remotely. This allows us to be flexible if your strategy and data protection strategy. requirements change. Our industry-leading insights in cyber economics and EY are global leaders in Information Security consulting and threat intelligence explains Information Security risk in understand the Security challenge from a risk, regulatory, financial terms. controls compliance and delivery perspective, leading our clients in end-to end Security transformation.