Cyber insurance requirements in commercial contracts: getting it right

Cyber incidents have the capacity to cause many different types of loss. Insurance coverage exists for at least some aspects of cyber risks in the UK market. However, given the range and diversity of risks that may arise, there are some key issues for businesses to consider when it comes to insurance against cyber risks in commercial contracts. Our recent article considers these issues in more detail and can be found here. 


Operational impact of cyber-attacks on wind turbines

At this year’s Black Hat, a leading information security conference held in Las Vegas, cyber security researchers exposed new vulnerabilities in industrial control systems and warned that malware (including ransomware) could force companies to choose between expensive downtime and the potentially less expensive option of paying a cyber attacker’s ransom.

WannaCry: A chance to test systems and raise awareness at a global level?

In one of the most dramatic and widespread cyber attacks to date, on Friday 12 May 2017, a worldwide ransomware attack known as “WannaCrypt” or “WannaCry” began infecting hundreds of thousands of computers in over 150 countries. Starting in the UK and Spain, critical infrastructure operators around the world, including those in the health, transport, finance, telecoms and energy sectors, as well as manufacturers and service providers, were affected.

ENISA report includes guidance on CSIRT maturity assessment

On 12 June 2017, the European Union Agency for Network and Information Security (“ENISA”) published a new report which includes a comprehensive overview of parameters for Computer Security Incident Response Teams (CSIRTs) to assess their respective maturity. The EU Network and Information Security Directive (the “Cyber Security Directive”) creates a CSIRTs network “to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation”. Each Member State is required to designate one or more CSIRTs that comply with certain requirements in the directive (covering at least the sectors referred to in Annex II and the services referred to in Annex III) and are responsible for risk and incident handling in accordance with a well-defined process.

ENISA Guidance: Incident Reporting for Digital Service Providers under Cyber Security Directive and the interplay with GDPR

The new report referenced in the article above follows comprehensive guidelines (the “Guidelines”) published by ENISA in February 2017 for Member States and the European Commission on how to implement incident notification for “digital service providers” (“DSPs”) across the EU, in the context of the Cyber Security Directive.

DSPs: The Cyber Security Directive sets out obligations in respect of “operators of essential services” and DSPs, with a slightly “lighter touch” approach applying to the latter. DSPs are limited to three types of services:

  • online marketplaces – which allow consumers and traders to conclude online sales or service contracts with traders and are the final entity where the contract is concluded. The term excludes both online “intermediaries” to third-party services through which a contract can be concluded, and online price comparison services of different traders that redirect the user to the preferred trader to purchase the product;
  • online search engines – excluding search functions that are limited just to the content of a specific website; or
  • cloud computing service providers – spanning a wide range of activities that can be delivered according to different models.
