Enriching insights for Cyber Security in the chain
Enriching insights for Cyber Security in the chain
Yesterday, the session about Digital duty of care took place, which we have organized together with FME and VNO NCW. Reason for the session is the Guide for companies about digital duties of care, which is published by the Cyber Security Council. All three organizing parties have a representation in the Cyber Security Council, the advisory body of the Cabinet to bring cyber security to a strategic higher level in the Netherlands.
Nicole Mallens of VNO NCW kicked off the meeting and underlined the imporance for companies to give adequate completion to the duty of care. Cyber Security becomes more and more urgent in this ongoing digitalization trend. Next, Pieter Wolters gave an introduction on the Guide Duty of Care. As a co-author, he outlined three ways of digital duties of care:
- Duties of care in the context of processing personal data. Every company processes personal data, because all information about a person is personal data. After all, every company saves data, or deletes or collects data. From May 2018 the General Data Protection Regulation (GDPR) will be in order. With it, companies are obligated to take the necessary technical and organisatorial measures.
- Duties of care in the context of the use of ICT. Important is that every company has the responsibility to keep their own data safe. Make sure you have your cyber security in order!
- Duties of care at companies who offer products or services with an ICT application. For example, this can be a car filled with software, or an airplane company where you can check-in via an app. When the customers are consumers, there are a lot more obligations then when companies are the customers.
Pieter emphasizes the importance of board responsibility: the board of a company is ultimately responsible for cyber security.
After this, Sylvia Huydecoper, sr. legal advisor at Nederland ICT, showed the participants a practical case in which the supervisor has additional demands for a company which saves HR-files of employees in the Cloud. Protecting the data with passwords was not enough and there should be 2-factor authentication. But who needed to pay for these additional measures? The customer of the cloudservices who did not secure his personal data well enough or the provider of the cloudservices who did not offer secure software? This case shows the complexity of the subject and the mutual responsibilities. In the context of the duty of care, Sylvia stated that companies need to take their responsibility and be alert on:
- Awareness (Security will cost money (10% of the ICT budget))
- Communicate by informing/warning.
- Maintenance contracts : prevent texts like “Client is – (…) – entitled to refuse the use and/or implementation of Updates and Upgrades… (GIBIT article 8.11)”
- Security-by-design.
The most important message of Sylvia is that you should demand from your supplier to know what is going on, ask about it and investigate it. If something is not clear, you should get a third party involved.
Hélène Minderman, of Transport and Logistics Nederland, gave an insight in the sector Transport and Logistics. The sector operates internationally and is eminently chain dependent. ICT is becoming more and more important in the sector, because of the ongoing digitalisation and with it the cybercrime. Hélène gave the example of a logistic provider who was down for a whole week because of ransomware and they could not reach their customer data. Research has shown that the knowledge about cyber security needs to improve in the sector. Hélène has got some pointers:
- A safe supply chain is a mutual responsibility.
- Make clear agreements with eah other (intern and extern) and write them down.
- Develop a cyber security policy and make sure this is part of the enterprise strategy.
Hélène closes with the remark that some companies have taken measures for cyber security, which contributed to the fact that they have survived the crisis, made them more safe and led to more revenue. That is why the duties of care are not only a burden, but also offers opportunities!
Johan de Wit, of Siemens, talked on behalf of FME about the complexity of ICT in our current society. This is beacuse the physical and digital worlds are connected (Internet of Things). In his presentation, Johan got into the difference between IT (office automation) and OT (Operational Technology). The Duty of care discussion like it written in the Guide seems to be focusing on the IT-side, but the attention should be for everything which has an ICT component, this means IT ánd OT. Johan continued that the Duties of care should not be about compliance, but should aim on everybody who is responsible for a (partial) proces in the chain of cyber security. One should not focus on the duties, but should underscore the opportunities that come with it. This can be an opportunity to insert cyber security into the enterprise strategy, which will lead to new business models and then we are not talking about Duties of care, but about Opportunities of care.
Ronald van der Luit, from the Ministry of Economic Affairs, reflected on the duties of care. Independently of legal duties, it is also an urgency problem. Recently there have been some incidents who frustrated production processes for a longer period of time. Also Economic Affairs advocates for highlighting the opportunities-side of cyber security. Duty of care is an open norm (flexible, stable and less regulatory pressure). There are public law duties of care (most often sector specific duties of care with a public supervisor) and private law duties of care. This needs to be further completed. The Guide of the Cyber Security Counsil does not only create awareness, but it also gives a completion of the duties of care. Standardization and certification can also help in this case. Ronald gives the participants a thinking balloon to go about the product life cycle: when does responsibiloty stop and will it start with the next?
Goal of the session was to highlight the ICT duties of care from different angles. As well as from the branche organisations, the customers, the government, as the suppliers, there was a clear message: software is still the heel of Achilles of digital security. To keep on communicating about this is key! Talk about it, intern with you employees, but also extern in the chain with suppliers and customers and make agreements on this topic!