According to the Directive on Security of Network and Information Systems (NIS Directive), the “security of network and information systems means the ability of network and information systems to resist, at a given level of confidence, any action that compromises the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the related services offered by, or accessible via, those network and information systems”.

In that sense, cyber security refers to the tools, rules, mechanisms and procedures an entity adopts with the aim of protecting its data against criminal or unauthorised use.

In this article we will focus on cyber security for business entities.

The pressure to deploy effective cyber security (and to continuously enhance it) springs from a plain fact: companies increasingly rely on large amounts of data concerning their customers, suppliers and personnel. Hence, information is an asset of the same relevance as a trade secret or a piece of equipment. At the same time, abuse of data can trigger a company’s liability towards third parties to whom the data refer or who hold title to such data.

Thus, a board of directors needs to protect, supervise and handle the information available to the company. Cyber security falls within the fiduciary duties entrusted to directors, and compliance with relevant rules and procedures is an obligation for all employees and agents.

As everyone now knows, cyber security is also one of the specific requirements demanded by the General Data Protection Regulation (GDPR) and, as noted above, the NIS Directive sets out specific obligations for operators of essential services and digital service providers.

Yet the importance of cyber security goes well beyond the protection of personal data or the requirements imposed on specific industries.

Jan-Mar 2019 Issue