On August 8, the U.K. government announced it was considering fines of up to £17 million, or 4% of global turnover, for companies that fail to implement cybersecurity measures set out in the Network and Information Systems Directive (NISD). But what is the NISD, and how does it apply to transportation companies?
The threat landscape
The transportation industry is evolving technologically at a rapid pace. Automation, cloud computing, predictive analytics, the Internet of Things and advanced telematics are just some of the developments positively transforming business models and operations; however, each new technology exposes transportation companies to an ever-expanding array of cyber threats.
And just within the last year, several major transportation companies have found themselves victims of high-profile, costly cyberattacks and network outages.
The legislative response
The European Parliament adopted the NISD in response to the growing cyber threat across industries. The directive is aimed at preventing and managing loss of service and network downtime, whereas other cyber legislation, such as GDPR, is concerned with loss of data. All E.U. member states must implement the NISD into national law by May 2018.
The NISD will apply to all organisations that rely on network and information systems to provide services that are ‘essential for the maintenance of critical societal and/or economic activities.’ It will require all such organisations to implement certain measures to assess and prevent risks, ensure security of systems and establish response strategies.
Will transportation companies be affected?
In short, yes. The transportation industry is more than just a mover of goods and people; it has intimate ties to the global economy and the functioning of society. The air transport industry alone supports around 60 million jobs globally. The estimated annual economic impact of the liner shipping industry is $436.6 billion.
Given this close relationship to the global economy, the E.U. has classified transport providers as ‘essential service providers.’
So far, only the U.K. government has announced its proposed fines; however, given the significant focus on improving cybersecurity across the E.U., we expect similar sanctions to be considered by other member states.
As for the U.K., authorities have made it clear that fines will be a last resort and will not apply to companies that have ‘assessed the risks adequately, taken appropriate security measures and engaged with competent authorities, but still suffered an attack.’
We recommend that transportation companies examine their procedures within the three ‘buckets’ set out by the European Parliament:
- Assess: Evaluate and understand the vulnerabilities inherent within employee behaviour
- Protect: Make sure you have the right talent and systems in place to mitigate cyber risk
- Recover: Ensure that business continuity plans are prepared for multiple network disruptions across the supply chain
Find out more
To read more on the challenges and opportunities the NISD will present to transportation companies, please visit our full briefing.
Learn more about comprehensive cybersecurity from Willis Towers Watson.