No individual, no business, and no country is immune from the threat of cybercrime. The increasingly successful and complex economies of Central and Eastern Europe (CEE) are no exception to this rule. In fact, for both historical and political reasons, CEE is at particular peril.
CMS, together with Legal Week and The American Lawyer, recently published a report, “The Cybersecurity Challenge in Central and Eastern Europe,” which reveals and discusses how corporates and smaller businesses in the region are dealing with the cyber threats that assail them. The report asked one hundred respondents and general counsels about their cyber-strategies and levels of risk awareness and preparedness, and if there was a specific responsibility for cyber-protection within the leadership structure.
Unsurprisingly, the majority of respondents were worried about future cyber-attacks. Yet the report revealed that, despite 113 cyber-attacks having been recorded in 2017 across the 18 CEE countries covered, and despite the widespread concern, only a minority of respondents were confident that their companies were adequately prepared to detect and deal with cyber-attacks.
Training and Attack Readiness
Prevention of attacks is, of course, the first line of defense, but only 60% of respondents (fewer than two-thirds) said there was mandatory cybersecurity training for their workforce. The lack of cybersecurity awareness is most acute in small and medium-sized firms, the report reveals, but respondents said that even in larger enterprises awareness does not always extend to the highest level. The typical weakness in corporate readiness for cyber-attacks is human error. Respondents said that even where training is fully in place and supported by senior executives, the enduring difficulty is getting employees to prioritize cybersecurity and to be routinely aware of its requirements. The report showed that it was only in the wake of a cyber-attack that levels of awareness and preparation rose: respondents said that in those circumstances systems were updated and countermeasures implemented.
In the event of a cyber-attack, it is essential that the incident response plans (IRPs) meant to limit the damage are fit for purpose. The report revealed that fewer than half of respondents regularly update their IRPs.
Who Takes Responsibility?
The extent and seriousness of the cyber-threat throughout CEE has, the survey revealed, had the positive effect of increasing the time and resources invested in cyber-risk management: more than half of respondents reported an increase in the past year. On the crucial questions of who in CEE businesses takes "ownership" of cyber-strategy, and which person or department reports on it to the Board, the findings are mixed: IT dominates with 39% and Compliance follows at 27%, while only 11% of General Counsels have that responsibility. There is a two-thirds consensus among respondents in every CEE country that regulators need to up their game when it comes to cybersecurity processes.
Although the GDPR addresses cybersecurity only indirectly, through its security-of-processing and breach-notification obligations, respondents were concerned about compliance with it. No doubt it is the scale of the maximum fines for failing to comply with its data security requirements that caught their attention: EUR 20 million or four percent of annual global turnover, whichever is higher.
National laws implementing the Directive on Security of Network and Information Systems (the NIS Directive) are becoming increasingly relevant to cybersecurity, although respondents were far less aware of its provisions on prevention and mitigation than they were of those in the GDPR.
The report shows a general awareness of the increasing cybersecurity risk in CEE countries. Cyber-attacks can be prohibitively expensive; McKinsey has estimated that the average financial cost of a breach is EUR 4 million. It is strange, then, that the take-up of cyber insurance appears to be very modest: only 37% of respondents have cyber-attack coverage. Interviews identified a probable cause: for many CEE countries and companies, cyber insurance is a novel concept that has yet to be fully embraced.
Cyber-threats are difficult and elusive enemies, as they can be neither seen nor physically defeated. Security against data breaches is a purely defensive and intangible investment; there is no immediate, or at least no apparent, value added to the business. Safety, let alone immunity, can never be absolute, however sophisticated the cyber strategy may be. But as the experience of the report's respondents confirms, in a world of uncertainty little is as certain as that cyber-risks and costly attacks will continue and intensify.
Interviewee statements together with analysis of the report’s findings demonstrate that CEE board directors and general counsels fully comprehend the cyber-threats their companies face. In many cases they also accept that adequate measures to mitigate cyber-risk have yet to be taken.
Business success in CEE countries, as elsewhere, is complex and rarely secure. As this report makes clear (sometimes uncomfortably so), an integrated and continually renewed cybersecurity strategy is as essential to success as a skilled workforce or a first-rate IT system. Cyber is the future; its security cannot be ignored.
By Dora Petranyi, Partner, and Johannes Juranek, Partner, CMS
This article was originally published in Issue 5.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.