Old and New Elements of Cybersecurity

Innovation Powerhouse

The current cybersecurity landscape has forced us to learn how to cope with the cyber threats around us. By assisting our clients and international law firms in large and complex data breach incidents, we have learned the pain points and the relieving factors in today’s data breaches. Based on our experience of 2022, the busiest data breach year so far, we predict that risks and malicious cyber attacks will only keep increasing. Our team has compiled our key takeaways into five categories of the old and new elements of cybersecurity.

Technical core elements

Cybercriminals often target the “low hanging fruits”. In order to secure employees, customers, services, business partners as well as the whole business and its continuity, it is necessary to build a strong technical cyber shield in one’s IT systems and environments. Therefore, organisations need to be familiar with the possible threats, available best practices and requirements of law whenever IT systems, products and services are sourced and upgraded. We need to think ahead – cybersecurity must carry on during the whole lifecycle of the system, product and service and beyond that. This entails updating, monitoring and assessing the security levels as well as applying sufficient and sustainable contractual terms in technology agreements.

Collaboration

Even the best available cyber team cannot secure the whole organisation without teamwork. Large data breaches often commence with email attacks, like phishing, which are sometimes difficult to spot among the email floods. Malicious attackers often target members who are considered either the most vulnerable, such as new employees who have not yet learned the ropes, or the most influential, such as members of the management team. Collaboration and shared responsibility form one of the key elements in protecting the organisation. This means that all members of the organisation, as well as external partners, need to collaborate in a responsible manner towards the common goal. The privacy and security functions, together with all the legal counsels of the organisation, have a pivotal role to play in this continuous preventive work, which entails a vast field of different tasks from sourcing procedures and internal policies to third-party agreements and data protection impact assessments.

Training

A certain level of training must be provided to all members of the organisation. Everyone should be familiar with the risks that are relevant in their area of responsibility. In addition to the cyber threats, organisations need to be familiar with the relevant legal requirements stemming from data protection and cybersecurity legislation, including sector-specific legislation. Consequences and risks increase if a data breach incident reveals that mandatory legal requirements have been disregarded. In most cases, the management of the organisation bears the responsibility for compliance with the applicable legal requirements.

Planning

Cybersecurity entails thinking ahead, constantly. According to the leading Finnish cybersecurity experts, data breaches will occur in all organisations sooner or later. It is vital to have an extensive plan for recovery measures as well, including mapping and contacting the necessary external advisors in technical consultancy and legal advice. Typically, organisations face an unexpected situation when the data breach notification must be filed with the competent data protection supervisory authority or authorities within 72 hours of becoming aware of the breach. Even though the notification can be filed as preliminary and completed later, the list of information requested for the initial notification is quite extensive. Sometimes, the notification must be filed in several countries, each with its own local filing procedure. Our existing international networks of law firms and other experts cover all jurisdictions globally and make it possible to fulfil these obligations within the set time limits.

Caring

Cyber risks and their actualisation cause distress to organisations, their people and their customers. A data breach that involves personal data of individuals may be a devastating shock to the affected data subjects. When internal resources are reallocated during incident management to support the organisation and the affected individuals, external advisors may be helpful in reducing the distress. Managing cyber risks means not only protecting the business, but also taking care of the people, their security and their wellbeing.
