Sponsored

PwC Global Risk Survey – cyber risks and new regulations

Cybersecurity: Businesses need to respond to new regulatory environment

In the age of digitisation, organisations are embracing technology to drive their businesses forward

According to PwC Ireland’s latest risk survey, carried out globally and in Ireland, 33 per cent of Irish respondents said they were “extremely or highly exposed” to cyber risks – compared to 37 per cent globally. However, just 25 per cent of respondents said that they plan to invest in upgrading critical systems to be more resilient against cyber attacks in the year ahead, compared to 31 per cent of their global peers.

The survey shows that there is a lag in Ireland compared to elsewhere in how people react to and plan for cybersecurity. While organisations attempt to navigate the current state of play with cyber risks, they need to be mindful of a quickly changing regulatory environment that will introduce new compliance requirements.

NIS2 for critical services

The Network and Information Security Directive (NIS2) is an updated version of the inaugural NIS directive from 2018 that introduced greater cybersecurity standards for operators of critical services and infrastructure. NIS2 brings more of these types of services, such as transportation, water services and health services, into scope. The ‘essential entities’ covered by NIS2 are those in sectors like energy, transport, health, banking and public administration while ‘important entities’ covers waste management and postal services among others.

Moira Cronin, partner at PwC’s Risk Assurance practice: the company’s survey shows there is a lag in Ireland compared to elsewhere in how people plan for cybersecurity

An essential entity is one that the country as a whole requires to operate effectively 24/7. Companies under the remit of NIS2 must carry out regular testing of their cybersecurity controls and demonstrate a robust incident response and reporting system and crisis management processes. The board needs to be aware of, and approve the adequacy of, an organisation’s cybersecurity risk management measures. Board members can’t just accept what they’re told; they have to challenge and understand what is happening on the ground in terms of risk management.

Failure to meet these standards can result in substantial fines, with essential entities facing sanctions of up to €10 million or two per cent of global annual revenue, whichever is higher. Important entities can be fined up to €7 million or 1.4 per cent of global annual revenue, whichever is higher.

DORA for financial services

The Digital Operational Resilience Act (DORA) comes into effect in January 2025, again leaving companies with less than a year to reach compliance. DORA has a much tighter focus than NIS2, covering only the financial services sector, and it requires that financial services organisations can withstand, respond to and recover from all types of ICT-related disruptions and threats.

Crucially, the regulation also governs the way regulated financial services firms deal with third parties, many of which are outside the financial services sector. This is all aimed at tightening up the supply chain around financial services. While, for example, a bank may be well fortified against cyber threats, a third party providing cloud computing and other ICT services to that bank may not be as secure, and outsourcing has increased significantly in recent years.

The scope of DORA is centred on “critical or important functions”, and it requires each organisation to define what those functions are so that it understands its dependencies in the supply chain, which may include third or even fourth parties. DORA provides the framework within which these functions should be appropriately safeguarded.

Compliance with these rules will introduce a great deal more complexity as well as greater costs for financial services firms operating in Europe. Furthermore, the change in the state of play could force many companies to renegotiate contracts with third parties, which is another costly endeavour.

In the age of digitisation, organisations are embracing technology to drive their businesses forward. However, with increased use of technology comes increased cyber risk. Regulatory bodies are responding to the ever-evolving cyber risk landscape and, while compliance with NIS2 and/or DORA will be a key focus for many organisations as we progress through 2024, more is on the horizon for companies as other new pieces of regulation, for example, the EU AI Act, are fast approaching.

Many organisations are feeling the burden of compliance, but we all need to keep in mind that the ultimate aim is a digitally resilient EU marketplace that protects all of us as EU consumers.

For details, visit PwC.ie