Practice area: Cybersecurity
A university that pays criminals an enormous sum in bitcoin to regain access to all of its systems and backups. A municipality that falls victim to a major cyberattack and digital extortion. Cybercrime and similar cyber incidents have been growing in number and severity in recent years. There is every reason to devote attention to cybersecurity now. Yet where does one begin? Dirkzwager’s Cybersecurity Team can assist you throughout the process, from preventive measures to subsequent legal assistance.
Cybersecurity in 2021
Businesses and institutions are increasingly dependent on digital processes and ICT. The importance of digital work and working from home has only increased since the start of the coronavirus pandemic. Society can no longer function without digital solutions, but that dependence also makes organisations more vulnerable. The risk of data leaks is growing, and cybercriminals seize every opportunity they find. The consequences for an affected organisation should not be underestimated: reputational harm, business disruption and liability. A timely examination of the cyber risks to which your organisation is exposed, the adoption of appropriate security measures, and the preparation of contingency plans for when things nevertheless go wrong will all increase your cyber resilience.
Definition of cybersecurity
Cybersecurity refers to all of the security measures which a business or organisation adopts to prevent harm resulting from the malfunction, breakdown or misuse of an information system or computer.
Common cybersecurity issues
Business disruption and/or a data leak caused by:
- the breakdown of a system, for example because system updates were not applied in time;
- an indirect attack, for example phishing, social engineering, a virus or other malware;
- a direct attack, such as an intrusion (‘hack’), a DDoS attack or industrial espionage;
- malicious staff (‘insider threats’) who abuse the access they were granted in order to do their work;
- a vulnerable system, for example because it is obsolete (a ‘legacy system’) or because updates and patches have not been installed.
Cybersecurity legislation and regulations
Every business which processes personal data must comply with the requirements of the European General Data Protection Regulation (GDPR). Amongst other things, the GDPR requires a business to adopt ‘appropriate technical and organisational measures’ to protect personal data. Should a data leak occur, a business is in many cases required to report it to the Dutch Data Protection Authority, in principle within 72 hours of becoming aware of it. Substantial fines may be imposed for any contravention of the GDPR.
In addition, any business or organisation which forms part of the so-called vital infrastructure is bound by the Network and Information Systems Security Act [Wet beveiliging netwerk- en informatiesystemen] (Wbni). Such businesses and organisations have a statutory duty of care to adopt measures that reduce the security risks to their ICT systems as far as possible. Should a cyber incident occur, they must report it. Vital providers and providers of essential services report to the National Cyber Security Centre (NCSC); providers of essential services must also report to the relevant sectoral regulator, and digital service providers report to the CSIRT (Computer Security Incident Response Team) for digital services. Substantial fines may also be imposed for a contravention of this legislation.
Apart from this legislation, every business which uses ICT and computer systems has a duty of care, whether written or unwritten, to ensure proper cybersecurity. Many businesses and organisations form part of a digital supply chain that includes other businesses and, in some cases, consumers. Every business remains responsible for the ICT it uses itself. Because the links in a supply chain depend on one another, clearly stipulated arrangements and risk assessments are very important.
Sectoral specific regulations
Regulations may be highly specific to a sector. Proper cybersecurity depends heavily on the nature of a business or organisation, the extent to which special categories of personal data or other personal data are processed, and the degree of dependence on technology. A hospital processes a great deal of highly sensitive data and is heavily dependent on technology. Its cybersecurity strategy therefore addresses different concerns than that of, for example, a manufacturing operation, where the sensitivity of personal data plays a less prominent role. Public authorities and knowledge institutes must in turn approach their cybersecurity strategy in yet another way.
Cybersecurity is a subject that requires attention at executive level and a multi-disciplinary approach. The directors need to sit down with managers, IT staff and representatives of the legal, commercial and communications departments.
All organisations in every conceivable sector which rely on digital processes are exposed to cyber risks. The Cybersecurity Team is active in all of these sectors:
- IT and internet businesses;
- universities and educational institutions;
- insurers and insurance brokers;
- public authorities;
- healthcare institutions;
- the business sector.
It is therefore important to view cybersecurity from various perspectives. This is also why a multi-disciplinary Cybersecurity Team has been put together with experts from various disciplines within Dirkzwager: intellectual property, IT, liability, loss, insurance and health care. By combining its specialist expertise in both the legal field and the specific sectors, the Cybersecurity Team has a comprehensive overview.
The Cybersecurity Team can assist your organisation throughout the entire process, from prevention to legal resolution.
- Contract management: What arrangements have you made and how have the cyber and other risks been assigned?
- Risk management: How do you implement cybersecurity as part of risk management within your organisation?
- Incident response: Comprehensive process management when an emergency (ransomware or a data leak) occurs. Where necessary, we do this together with external experts, such as forensic IT specialists and communications consultants. In addition, we assist with specific legal matters, such as reporting to the relevant regulatory authority in the case of a data leak or a serious cyber incident, and we determine your legal position in relation to other parties, for example contractual counterparties.
- Corporate compliance: Does your organisation comply with the relevant regulations? Cybersecurity is part of corporate governance and overlaps with privacy legislation. A failure to comply with the regulations may have far-reaching consequences.
- Follow-up care: Legal assistance in settling compensation claims and in the case of disputes. We assist insurers in coverage disputes, and we assist parties held liable for compensation following a contravention of the GDPR.
The Cybersecurity Team
The Cybersecurity Team combines extensive experience of digital technologies and IT systems with in-depth knowledge of the various sectors, such as health care and insurance. The team is led by Nynke Brouwer, who specialises in cybersecurity, privacy, and the law governing liability and insurance. She will be completing her doctorate at Radboud University in Nijmegen in the course of 2021. With her specialist knowledge, Nynke Brouwer assists insurers with the initial and further development of cyber policies.
If you would like more information about the Cybersecurity Team, cybersecurity, incident response or cyber insurance, or should you wish to make an appointment, you may contact Nynke Brouwer on +31 (0)26 353 8312 or by email at email@example.com.