Banks, hospitals, energy providers, cloud computing firms and others would all be forced to report any instance of a cyberattack if a proposed new European law comes into force.
According to an article in TechCrunch, the move would require all companies involved in what the EU deems to be ‘critical infrastructure’ to report security breaches to new Computer Emergency Response Teams (CERTs), which would be set up in each member country. More than 40,000 companies would likely be affected by the proposed rule changes, which were published earlier today.
Neelie Kroes, the EU’s Digital Agenda Commissioner, said that the move would help European businesses to improve how they deal with security issues:
“At the end of the day openness and transparency about your experience is going to result in a better environment for all,” she noted.
TechCrunch says that the new rules would affect around 15,000 hospitals, 15,000 transport companies, 8,000 banks and 4,000 energy companies, although firms with fewer than ten employees would be exempt from reporting attacks.
Once an attack has been reported, CERTs would then be able to decide whether or not to make news of the breach public, weighing up the threat to the company’s reputation against the greater public interest. Currently, it’s believed that many firms fail to report cyberattacks precisely because they fear damage to their reputation – something that can be detrimental to their customers’ best interests. Kroes cites the case of DigiNotar, which was hacked back in 2011 yet waited a full ten days to report the breach, during which time 530 fraudulent security certificates were issued for sites including Google, Facebook, the CIA and Mossad. Under the new rules, authorities would have the power to fine companies that fail to report breaches.
It remains to be seen how successful ‘forced reporting’ would be against cybercrime, but one can imagine that the ‘shame’ of being hacked will almost certainly pressure companies that are more lax about their security to tighten up. As with all types of crime, cyberattacks can only be solved if they are reported in the first place.
The EU says that the new rules are desperately needed, as just one in four EU states currently operates a formal ICT security policy that is regularly reviewed. What’s more, the risk of cyberattacks is far more widespread than most people realize. Three-quarters of small businesses and 93% of all large enterprises in the UK fell victim to a security breach in the last year, and it’s likely that the numbers are just as high in other EU countries.