Expansion, the increasing complexity of operations and the growing international reach of CEE businesses have made cybersecurity one of the most pressing concerns for general counsels and boards of directors in this region.
The standards for cybersecurity in the European Union are set by the EU’s General Data Protection Regulation (GDPR) and the Network and Information Security (NIS) Directive, which demand state-of-the-art and high-level security solutions, covering technical, organizational and administrative areas.
In partnership with LegalWeek Intelligence, CMS surveyed respondents from across CEE to examine how businesses are responding to cyber threats, levels of risk awareness and planning, and who in each organization is responsible for cybersecurity.
The survey, entitled “Cybersecurity Challenge in Central and Eastern Europe”, revealed that most companies face at least two cybersecurity incidents yearly, with 52% of cyber incidents resulting in litigation. And 67% of respondents reported a significant increase in the time spent managing cyber risk over the past 12 months.
Companies can strengthen their defenses against cyber threats, even after an attack. The first step is to conduct a “cybersecurity health check”, followed by the introduction of risk mitigation measures, which should include internal privacy and IT security policies, plans for business continuity and disaster recovery, an IT security strategy, and breach management procedures.
The vetting and ongoing management of vendors are also important, since contracts often contain elaborate language on security and compliance that is not always put into practice or regularly tested. If a breach does occur, a risk analysis should be conducted, based on the Personal Data Breach Severity Assessment Methodology developed by the European Network and Information Security Agency (ENISA).
Surprisingly, the cybersecurity challenge report found that only 37% of respondents have specific insurance coverage relating to cybersecurity incidents or payments to service providers.
Already, CEE has been the target of numerous cyberattacks. In October 2015, when Bulgaria held municipal elections and a national referendum on the electoral code, hackers hit the Central Election Commission website with a distributed denial-of-service (DDoS) attack.
In the Czech Republic, the Ministry of Foreign Affairs was attacked in one of the most infamous cyber incidents in the region, when unknown agents broke into the email accounts of several public servants and downloaded their contents.
Between June and August 2018 in Romania, hackers used Advanced Persistent Threat techniques to eliminate withdrawal limits and extract money from bank accounts at several of the nation’s financial institutions.
And in Hungary, the NAIH, the nation’s data protection authority, imposed a EUR 32,250 fine against the Budapest Transportation Authority (BKK) for security lapses in its online ticket system that made the personal data of registered users particularly vulnerable. Specifically, investigators found that the BKK did not provide proper instructions and data security requirements to its IT system provider.
The ability of CEE businesses to grow and develop in the future depends on multiple factors. For CEOs and their fellow board directors, cybersecurity may not appear to be critical, since many consider it a defensive, rather than a proactive, policy. Furthermore, there is no automatic or tangible added value derived from implementing it.
But recent history has proven that a carefully crafted, well-executed and regularly updated cyber strategy is integral to future success. Although risk cannot be completely eliminated, it can be significantly reduced and implementing cybersecurity measures can save businesses millions of euros.
Just as importantly, taking cyber threats seriously is an opportunity to protect customers, shareholders and employees. It can preserve the integrity of the brand and enhance a business’ reputation, both nationally and internationally.