Ferma wants EU to cleanup ‘complex’ and ‘spectacular’ cyber notification rules

European risk management association Ferma has repeated its call for Europe’s policymakers to establish a single point of entry for organisations to notify a cyberattack or data security breach, in order to help its members cope with ever-expanding cyber rules and reporting requirements. Organisations in Europe now face four major pieces of cyber legislation. Following on from the GDPR, companies must comply with one or all these new pieces of cyber regulation – NIS2, DORA and The Cyber Resilience Act (CRA) – as well as any national laws and variations on implementation by member states. “Driving through this landscape is very complex,” said Ferma board member Philippe Cotelle, during a webinar with Laure Zicry, head of FINEX cyber for Western Europe at WTW. “The requirements are not always fully coordinated,” Cotelle added. “Mandatory reporting duties are a challenge for any company; we need to react very quickly and with a streamlined process to ensure that all regulatory requirements have been met,” Zicry said. “For the same cyber incident affecting a company, it must, in order to be compliant, notify various supervisory authorities within very short but different deadlines,” she added. “Even though every piece of the legislative puzzle makes sense in building cyber resilience, as well as protecting data of European citizens, today we really see a stack of cyber reporting duties that companies need to comply with in case of a cyber incident,” Zicry said. Cotelle stressed that meeting reporting requirements means notifying multiple authorities all setting different reporting timeframes. This falls on companies already under stress in the midst of a cyberattack or breach, he added. “During this crisis phase where you are really under high pressure, there are a number of financial requirements that you need to fulfil, and with the threat of having to suffer additional financial penalties on top of the financial impact of the of the attack itself,” Cotelle said. Zicry added that as well as meeting cyber reporting notification requirements to relevant authorities, organisations have to notify affected individuals, such as under GDPR requirements, or companies in their supply chain under DORA and NIS2. Cotelle said the combination of different requirements an organisation has to comply with for the various regulations is “quite spectacular”. He said risk managers challenged with new and overlapping regulations must raise their profile and promote the role of risk management within their organisation,. “Make sure that as a risk manager you are able to break silos,” Cotelle said. Risk managers are in a “unique” position within an organisation to coordinate work with legal, compliance and communication departments in cyber governance, he said. “One of the key missions of the risk manager is to be able to alert, guide and inform on emerging risk and regulation constraints involving risk management,” Cotelle said. He added that not all stakeholders within organisations are always familiar with regulations and compliance requirements. “It’s really where the risk manager has a role to play, to be able to develop scenario analysis, bringing the different stakeholders together,” he said. Cotelle stressed that risk managers need to be part of an organisation’s cyber crisis team and must add value. “If you don’t add value, you will not be invited to the table, and we are all convinced that risk managers have a clear role to play, and they can add value,” Cotelle said. Risk managers play a key role in crisis teams by logging and detailing the decision process during the crisis phase in order to be indemnified for the financial impact of a cyberattack under their insurance policy. Zicry advised risk managers to ensure that the definition of a cyber incident or event under their cyber insurance policies match with the incidents that need to be reported under GDPR, NIS2, DORA and the CRA. Risk managers will also need to extend coverage for notification costs under cyber insurance policies already in place for a data breach under GDPR to security breaches that cover the three newer regulations, she continued, adding that similar checks must be carried out for coverage of defence costs, fines and penalties under the new rules. But Zicry warned that this situation differs across EU member states, with national laws introducing another stack of complications. Under French law LOPMI, for example, an insurer can deny cover for organisations that fail to report a cyberattack on their IT system to the police within 72 hours. Some member states make clear that fines and penalties are not insurable while in others the situation is more nuanced, she added. The webinar follows Ferma’s joint report with WTW in October.

Ferma wants EU to cleanup ‘complex’ and ‘spectacular’ cyber notification rules

Federation stresses that risk managers must raise their profile and promote risk management to keep on top of new and overlapping regulations

Want to read this article?

Read Next

IQUW launches active assailant cover

Talanx results boosted by HDI Global’s 43% jump in net income

VIG Re confirms Faucret as head of Western Europe

Spike in cloud service outages driven by Google Cloud downtimes

Canopius Group appoints group risk director

IQUW launches active assailant cover

Talanx results boosted by HDI Global’s 43% jump in net income

VIG Re confirms Faucret as head of Western Europe

Spike in cloud service outages driven by Google Cloud downtimes

Canopius Group appoints group risk director

Keep yourself informed

Sign up for Commercial Risk’s newsletters

Want to read this article?

Read Next

IQUW launches active assailant cover

Talanx results boosted by HDI Global’s 43% jump in net income

VIG Re confirms Faucret as head of Western Europe

Spike in cloud service outages driven by Google Cloud downtimes

Canopius Group appoints group risk director

Related Articles

Keep yourself informed

Sign up for Commercial Risk’s newsletters