Ferma worried about insurance gaps caused by Cyber Resilience Act

Ferma has told the EC it welcomes the Cyber Resilience Act (CRA) that was proposed in September and will impose mandatory cybersecurity requirements for manufacturers, importers and distributors of a wide range of devices, plus fines for non-compliance.

In its response to the Commission’s proposal, Ferma said that the CRA is likely to be a “landslide moment” for cybersecurity in the EU. It says that the CRA seeks to do for cybersecurity what the GDPR has done for data privacy.

But the federation is worried about the feasibility of compliance given the high use of open-source software across such a broad range of devices. It is also concerned that the introduction of fines for cybersecurity, which will add to a complex landscape of penalties across different pieces of legislation, could open up, or widen existing, gaps in firms’ insurance coverage.

“While Ferma is, on the whole, supportive of the intention behind the CRA – namely to raise the level of cybersecurity of digital products in the EU (and beyond) – we have some practical concerns, which we hope will be addressed by the time the text is finalised,” states Ferma in its response to the Commission’s proposal.

“First, on the obligations of manufacturers, importers and distributors, Ferma underlines the importance of ensuring both proportionality of the requirements, as well as with the feasibility of complying with all requirements considering high utilisation of open-source software,” it states.

“Second, on the penalties, Ferma is concerned that the introduction of fines in the context of cybersecurity will lead to a complex landscape of fines according to different pieces of legislation, and could also open up (or widen existing) gaps in insurance coverage of companies,” continues the federation.

Ferma says it is at the EC’s disposal to further discuss the insurance implications of the proposed CRA, as well as the more practical elements related to cybersecurity risks and cybersecurity risk assessments.

On the obligations for manufacturers, distributors and importers, Ferma says it is “delighted” to see prominence given to thorough assessment of cybersecurity risks under the ‘Obligations of manufacturers’ set out in Article 10 (2) of the draft CRA.

It says that, based on experience with the ETSI EN 303 645 standard, the most significant requirement here would apply prior to a product’s placement on the market.

“In view of the proposed wording in the CRA that each product would have to be evaluated for the period of five years after placing on the market, there also needs to be some sensitivity given to the varying resources of manufacturers. The larger ones will have a less difficult time to continuously monitor and evaluate the cybersecurity of their products than smaller organisations,” states Ferma.

“This is all notwithstanding the fact that five years in cybersecurity is a long time and standards and norms quickly evolve, as too do the threats themselves. However, as with almost everything related to cyber, and/or digitalisation more broadly, there will be some difficulty in evidencing 100% full compliance at all points, since there will always be some degree of ‘lag’ after, for instance, identifying a vulnerability. It is our view that there might always be a moment where products are somehow temporarily non-compliant at some stage during its lifecycle,” adds the federation.

Ferma says there is some concern within the risk management community about the cost of compliance becoming unmanageable over a product’s lifecycle.

“Currently, most – if not all – software has an open-source component. This open-source component makes it practically impossible to evaluate the entire chain of dependencies and interlinkages for their compliance with cybersecurity standards or levels. In turn, this implies extensive testing for organisations, which might imply increased costs for everybody, from manufacturers to importers to consumers,” it states.

Ferma says it is generally of the view that cybersecurity would improve if it is enforceable, and fines are obviously one way to achieve this. However, the federation states that it is important to ensure that different laws do not duplicate fines, and that there are clear and definite triggers for specific fines.

“For example, what would happen in the event some compliance with the CRA inadvertently leads to breaches in product liability requirements, or even in GDPR? What takes precedence in this is practically important for companies to know,” points out Ferma.

It says that there is also concern among risk managers about compliance with the CRA because of the high use of open-source software.

“The use of open-source software can complicate the evaluation of cybersecurity since the chain of dependencies is difficult to fully assess. Furthermore, how can vendors and service providers increase cybersecurity compliance of open-source software while keeping costs at the same or at least a reasonable level? If this cannot be done, there is a residual risk that remains,” points out Ferma.

A key question is whether the insurance market could help transfer that risk. Ferma wants to work with the EC to analyse the potential consequences for insurance coverage from the CRA.

“Right now, for example, when companies purchase a cyber insurance policy there is often – if not always – a product liability exclusion, while when purchasing a product liability policy there is often – if not always – a cyber exclusion. This leads to a gap in protection – and this we believe is something that should be on the Commission’s radar in the process of the next steps on the CRA,” concludes Ferma.
