Ludovic Van Egroo, Manager, Cyber-Security Risk Management and Compliance
Published in the Eurofenix review (@insoleurope)
The pandemic has generated the emergence of new vectors of cyber-threats, such as the increased use of telecommuting, the increase in remote exchanges and the digitalization of most business sectors.
The deterioration of the geopolitical context has seen an increase in “sleeping” cyberattacks of state origin, as well as a professionalization of cyber malicious actors, as illustrated by the Atlas of Cyberattacks produced by Thales.
ANSSI, the French cybersecurity agency, has identified a 37.7% increase in attacks in Europe between 2020 and 2021. This increase in cyber-attacks goes hand in hand with the development of intrusion techniques and rebound attacks. The latter consist in infecting the subcontractors and partners of the target companies, such as software editors and service providers. Entire ecosystems are now becoming targets.
In this context, the European institutions and Member States are continuing to secure the European market in terms of cyber-security with the adoption of a second version of the NIS Directive adopted in 2016 (Network Infrastructure System No. 2) to cover new sectors, including energy, transport, financial markets, health and digital infrastructure. The proposals aim to strengthen security requirements by imposing a risk management approach.
The NIS2 directive is strengthened by a new act called the Digital Operational Resilience Act (DORA), specifically dedicated to financial actors. This regulation presents a major evolution in the definition of financial actors, which is extended in the broadest sense to subcontractors. The DORA regulation aims to cover the cyber-risk of the entire value chain of the financial sector. This analysis is based on the Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014 of 24 September 2020, which will be adopted this year in accordance with the ordinary legislative procedure.
Who are the new actors concerned by this regulation? What are the changes for the actors of the financial sector? What are the consequences for insolvency professionals?
In practice, this regulation will allow the companies concerned to:
One of the key success factors of compliance for organizations is the development of a transverse governance framework, including management, legal and compliance departments, information systems departments and information systems security departments.
In case of non-compliance, the DORA regulation provides for several types of sanctions:
To carry out their missions, the regulatory authorities will be able to:
Insolvency professionals are particularly affected by this regulation, as the companies concerned are no longer just major players in the financial sector. The insolvency practitioner will need to consider these cyber-resilience requirements to the extent that the defaulting business is engaged in activities that define it as a financial actor. The insolvency practitioner will need to verify the company’s cybersecurity compliance. As such, the insolvency practitioner will be able to request documents attesting to the good governance of cyber-risks, including the documents mentioned above, if needed. These documents can be added to the file as a guarantee of the compliance of the financial activity.
In order to carry out his/her mission, the insolvency professional may rely on the expertise of a consulting firm to conduct a compliance audit of the DORA regulation. In the event that the company is not in compliance, it is up to the insolvency practitioner to request that the company be brought into compliance with the identified discrepancy.
The second issue concerns the control of cyber-risk with the company’s service providers. The insolvency practitioner will be responsible for verifying that the service providers do not pose a risk to the business: first by identifying the critical services, then by checking the security measures implemented.
The difficulty here lies in the ability to defend the cyber-security requirements of the business in a context that is already difficult for it, facing third parties that are critical to its activity but with whom the relationship is very often already degraded. It is in this difficult context, intersecting legal, financial and security issues exogenous to the company, that the practitioner will be able to employ his/her skills before the court of jurisdiction.
Facing systemic risks that cyber-risk represents for the economies of the Member States, the European Union continues to secure its digital borders by involving economic players.
The European regulation responds to the need to harmonize response measures, but also the resilience capacity of financial players, in order to avoid a scenario of serial bankruptcies across the economic fabric in the face of a constantly changing risk, and thereby to guarantee the security of the common market and the interests of European consumers.
As illustrated by the measures defined in the regulations, cyber risk is a cross-functional risk, both within companies and in terms of law.
Of note, however: law is one of the first preventive measures to secure cyberspace.