We live in a world where banking, healthcare, public transportation, and other critical services and agencies rely on computer systems, and that reliance makes them vulnerable to cyberattacks. To counter these threats, the European Union has introduced NIS2, a set of rules designed to strengthen cybersecurity across Europe.
Cyberattacks have become more frequent and more dangerous. Attackers can infiltrate computer systems, steal information, and disrupt critical infrastructure such as electricity or healthcare. Those disruptions are crippling. The ransomware attack against The Irish Health Services Executive (HSE) network on May 14, 2021 resulted in a months-long nationwide shutdown of its IT systems.
The European Union Agency for Cybersecurity (ENISA) is taking steps to stop those cyberattacks. ENISA identified eight prime cyber threat groups in the eleventh edition of their Threat Landscape (ETL) report.
Source: ENISA Threat Landscape 2023
Ransomware was the largest threat group in the study, affecting all sectors. The largest targets included organizations in manufacturing, health, public administration, and services.
The report also shows malware attacks targeted individuals, public administration, digital infrastructure, banking and finance, and digital service providers.
Cyberattacks are immediately damaging, but we also need to consider the long-term impact. ENISA concluded the attacks in the ETL report resulted in six types of impact:
Unfortunately, public release of information related to cyberattacks is often delayed or never happens. This makes assessing the true impact of the incidents almost impossible to calculate.
NIS2 was created to help organizations in the EU prevent or mitigate the impact of these threats and to improve reporting so ENISA and other agencies can understand the true impact of cyberattacks as they work to stop them.
Understanding NIS2
How will the NIS2 legislation protect organizations in the EU from cyberattacks? By focusing on improving the cybersecurity of high-value and critical targets.
The Directive will
NIS2 also addresses the importance of information sharing and cooperation as part of crisis management.
The new rules improve the way the EU prevents, handles, and responds to large-scale cybersecurity incidents and crises by introducing clear responsibilities, appropriate planning and more EU cooperation. According to Dutch MEP Bart Groothuis, “This European directive will help around 160,000 entities to strengthen their grip on security and make Europe a safe place to live and work. The law should also allow for the sharing of information with the private sector and partners around the world. If we are attacked on an industrial scale, we have to react on an industrial scale.”
NIS2 impacts more organizations than the original NIS directive, imposing regulations on medium and large organizations operating in critical sectors.
The new directive focuses on both “very critical sectors” (banking, digital infrastructure, drinking water, energy, financial market infrastructure, government, healthcare, ICT (B2B) management, space, transport, and wastewater) and “critical sectors” (chemicals, digital providers and research, food, manufacturing, postal and courier services, and waste management).
Enforcement depends on an organization’s category. All organizations in these sectors will be labeled as either essential or important. The classification depends on the organization’s status as critical or very critical and the size of the company. Only large organizations that fall under very critical sectors are considered essential. Note: Organizations may automatically be classified as essential, regardless of size, if a service outage would have serious consequences.
The primary differentiator between essential and important entities is how compliance is monitored. Supervision is proactive for essential organizations and entities. Those organizations will actively be monitored. Supervision for important entities begins as soon as an incident occurs. If the organization is not taking the required mitigation and reporting steps, the organization will be seen as non-compliant. The management of the organization is responsible for all compliance.
The NIS2 directive requires industries to adopt more extensive cybersecurity requirements. Essential organizations are also required to proactively manage security risks.
In addition to existing risk-management, organizations might now be required to make more frequent file backups, perform risk analysis assessments, and report incidents in a timely manner. This will result in an increase in administration and financial responsibility for most impacted organizations. Organizations not yet covered by the directive will see a 22 percent increase in information and communications technology (ICT) expenditures. Companies already in compliance with NIS will see increases of up to 12 percent.
All organizations covered under NIS2 are required to comply with a duty of care. The Directive is specific about the types of measures you will have to comply with. Included in that list are:
NIS2 outlines a three-stage approach for reporting significant incidents. This reporting applies to both essential and important entities.
Early Warning
The organization must report the incident within 24 hours to limit the potential spread of incidents and to allow entities to seek support. The reporting organization must indicate if the incident resulted from an unlawful or malicious act and if it could have a cross-border impact.
Incident Notification
Within 72 hours of becoming aware of a significant incident, the organization must update the information provided with the early warning with 1) an initial assessment of the incident, 2) the severity and impact of the incident, and 3) the indicators of compromise.
Final Report
Within one month of the incident notification, the organization will need to submit a final report. That report will contain 1) a detailed description of the incident, its severity, and impact, 2) the type of threat or cause of the incident, 3) mitigation measures, both applied and ongoing, and 4) any cross-border impact of the incident.
These reporting rules apply to significant incidents, meaning incidents that cause significant operational disruption or financial losses, or that might cause material or immaterial damage to individuals. Organizations are also required to report significant threats they encounter that might lead to a significant incident in the future.
NIS2 isn’t a toothless directive. It’s backed up by strict enforcement, fines, and penalties. The Directive lists mandatory sanctions (these may differ by country), including on-site inspections, requests for access to data, requests for information, security audits, and security scans. Each country is mandated to ensure effective, proportionate, and dissuasive sanctions.
In addition to the sanctions, NIS2 also outlines permissible administrative fines. Infringements might result in fines of up to 10 million euros or 2% of the company’s annual worldwide turnover, whichever is higher.
NIS2 requires Member States and critical organizations to increase cybersecurity and respond to threats immediately, making sure attacks are detected and stopped quickly. Their goal is to keep the EU safe and running smoothly. Our goal is to help you do the same.
If you’d like to learn more about how BullWall can help your organization prepare for and finance NIS2 compliance, please don’t hesitate to request a demonstration.