Organisations could face fines running into millions if the EU’s proposed cyber risk directive is passed.
Proposed in early 2012 with amendments made this year, it would permit each European Union member state to fine up to two per cent of a company’s global revenue for data loss incidents.

Dwayne Melancon, chief technology officer at Tripwire, said: “The new EU Directive has the potential to have a huge global impact because it applies to any organisation which operates in the EU, even if they are headquartered elsewhere in the world.
“Countries have been given two years to put the EU directive into place and organisations should be using this time to tighten their security programs; ensure that incident detection and response processes are in place and effective; and harden their systems, applications, and networks to reduce the risk of breaches.”
A survey by Tripwire and the Ponemon Institute of 1,320 IT security professionals found that over a quarter (28 per cent) of organisations do not have a formal risk management strategy applied consistently across the entire enterprise, while only 51 per cent assess risks, 58 per cent assess vulnerabilities and 58 per cent identify threats. Also, only 13 per cent said that they have regularly scheduled meetings with senior executives to discuss the state of security risk.
Speaking to IT Security Guru, Robert Bond, notary public partner at Speechly Bircham, said that it is “frankly worrying” how many businesses do not have risk management in place; however, the Cyber Security Directive is drafted by each member state, which passes its own local law covering businesses in critical infrastructure areas.
He said: “The directive talks about fines up to two per cent of global turnover, but each member state will need to set appropriate fines and the directive doesn’t mention any figure, but it does go parallel with regulation which does say two per cent and the key thing is when the EU passes regulation, it is binding on member states, but it means nothing until it is passed in a member state.
“The directive will say it is up to each country to determine what to do if they are not complying with local law. Some will be complicated and others will be lax; with 28 member states that is 28 versions and 28 acts bound by regulation. In terms of the message it gets across, it does the right thing in highlighting that businesses are not focusing on it and businesses are not picking up on it, and it will have significant impact.
“The message is if businesses are not up to speed with hackers, it may cost for security and compliance but it will cost more if you do nothing.”
In terms of the sizes of the fines, American retailer and Asda parent Wal-Mart has a global revenue of $469.2 billion, so the fine could be as high as $9.384 billion, more than half of its profit for 2013. Meanwhile BP has a global revenue of $388.3 billion, so the fine could be as high as $7.766 billion, which is over three quarters of its profit for 2013.
“The size of the fines connected with the Directive are so big they will definitely get the attention of CEOs and boards,” continued Melancon. “It is incumbent upon senior business executives to seek clear answers about security risks from information security leadership to ensure appropriate steps are taken to enable compliance with this directive before it takes effect.”