Chances are you’ve heard about the GDPR (General Data Protection Regulation), but how about its lesser known cousin, the Network Information Systems Directive (NIS Directive)? This came into force in the U.K. on May 10, 2018, through the Network Information Systems Regulations (The NIS regulations) and contains its own eye-catching provisions including:
- An obligation to notify the relevant authorities within 72 hours of a significant cyberattack
- Fines in the U.K. of up to £17 million for noncompliance
One useful way to distinguish the types of computer systems to which the two legal systems are directed is that whereas GDPR applies to technology that moves and stores information, NIS applies to operational technology (i.e. computers that move and safeguard things). Of course a company can fall under both regimes and neither the regimes, nor their respective sanctions, are mutually exclusive.
Which companies are in scope?
Since the NIS is a directive rather than a regulation it’s not directly enforceable in Member States. Instead it’s up to each Member State to introduce legislation. The indications are that different countries have approached the subject in different ways and with different outcomes. For example, in Germany the maximum fine for a breach is only 100,000 euros compared with £17 million in the U.K. In France the entire scope of the directive comes under the auspices of a single authority whereas in the U.K., the “relevant authorities” vary from sector to sector.
One feature which is common to all is the definition of the European Union-established operators of “Essential Services.” These include the following categories of company:
- Digital infrastructure
The relevant size thresholds are set out in Schedule 2 of the NIS regulations but, generally speaking, it’s the larger companies that are in scope.
Focus on the Board
As with GDPR there’s a focus in the U.K. on ensuring the issues are taken seriously at board level. A recent report by the House of Lords and House of Commons on cyber security and the U.K.’s critical National Infrastructure (the joint report) stated: “It is the duty of all board members to get a little more technical – by educating themselves about the basics… of cyberattacks, cyber risks and cyber defences.”
In September 2018 the National Cyber Security Centre published a five question toolkit to assist boards in getting to grips with some of these complexities. While it applies more to information systems than to operational systems, it’s a useful indication of the level of detail which the authorities expect directors to get to grips with.
A further option still under consideration is a requirement on some or all companies to include a report on cyber resilience in their annual reporting requirements. What form this reporting might take is unclear but, according to the joint report, it might include:
“… How much time the board has spent discussing cyber resilience, the frequency of third-party testing and incident response exercises, and the number of incidents su?ered in a reporting year and the lessons learned.”
There’s a balance to be struck here as companies and their directors would justifiably be concerned if the reporting obligations required them to reveal their vulnerability to attack. For those companies to which NIS applies, the need for accurate and reliable systems and for timely and appropriate disclosures would be all the greater.
What this means for directors
Commentators often refer to financial services companies and their directors as among the most regulated in the U.K. and elsewhere. The Senior Managers Regime (soon to apply across that sector) is a good example of this. The NIS, though, is an example of enhanced regulation being applied in other and arguably equally vital infrastructure sectors. The common thread running through this increased regulation is the need for the relevant dangers to be addressed at board level.
It’s clear that expectations of individual board members are on the increase. In the same way as all directors are already expected to have sufficient acumen to read and understand a set of financial statements (albeit the degree of rigor and sophistication expected of the chief financial officer will be greater than for the rest), similar expectations as to cyber literacy and competence are now expected of all board members. I would suggest it’s no longer safe for board members simply to seek relevant assurances from the company’s chief information security officer. What is needed is a dialog in a language which is understood by all.
Willis Towers Watson’s cyber team have, uniquely, developed an insurance product providing affirmative cover for NIS regulatory defense costs and fines, but what are the specific implications for directors?” to find out more click here.