The impact of the new 'cybersecurity' directive, NIS2, on insurers
Although the exact date is not yet clear, the entry into force of the new law is a question of when, not if. The European Union is working on a new cybersecurity directive: NIS2 (NIS: Network and Information Systems). As the name suggests, this law is the successor to the existing 'NIS' Directive, which has been in force since 2016. The new directive tightens cybersecurity regulations, which is good news for insurers.
The NIS Directive aims to make European companies more resilient to cyberattacks. Companies that fall within its scope are required to meet a certain level of cybersecurity. The current directive applies to companies that are considered to provide essential services, in areas such as energy, drinking water and transport. The proposed NIS2 Directive provides for wider coverage of sectors, including telecommunications, waste management and food. In addition, the size of a company no longer has any effect on whether or not it must comply with the directive. Member States may also opt to extend the scope.
As Arjan Halma, from Eye Security, explains: "Although the directive has not yet been finalised and still needs to be transposed into national legislation, it is clear that European companies need to be in a position to better arm themselves against cyberattacks. This will make Europe more secure as a whole, which is beneficial for insurers offering cyber insurance."
The problem with cyber insurance
Thus far, insurers have struggled to manage cyber risk. The likelihood of a company experiencing a cyberattack is steadily growing, as is the potential impact of such an attack. For example, the damage caused worldwide by ransomware in 2021 was estimated at $20 billion. "As a result, insurers impose increasingly stringent requirements on companies that want to take out cyber insurance. Some insurers are also withdrawing from the cybermarket entirely because of the unpredictable nature of cybercrime," says Halma.
Securing and insuring
The new directive will therefore benefit insurers. Many previously 'uninsurable' companies and even entire industries will have to implement measures to become more resilient and minimise the likelihood of harmful cyberattacks. Halma: "At Eye Security, we believe in the combination of security and insurance, precisely because this allows you to have a direct impact on the cybersecurity of a company. Insurance is the final piece of the puzzle, so that the residual risk is also covered. We work with our partners—many of whom are insurers—to help manage their clients' cyber risk. With the entry into force of NIS2, together we can help more companies in Europe manage their cybersecurity."