Old and New Elements of Cybersecurity

Innovation Powerhouse

The current cybersecurity landscape has forced us to learn how to cope with the cyber threats around us. By assisting our clients and international law firms in large and complex data breach incidents, we have learned the pain points and the relieving factors in the data breaches of today. Based on our experience of 2022, the busiest data breach year so far, we expect risks and malicious cyber attacks to keep increasing. Our team has compiled its key takeaways into five categories of old and new elements of cybersecurity.

Technical core elements

Cybercriminals often target the "low-hanging fruit". In order to secure employees, customers, services, business partners and the business itself and its continuity, it is necessary to build a strong technical cyber shield around one's IT systems and environments. Organisations therefore need to be familiar with the possible threats, the available best practices and the legal requirements whenever IT systems, products and services are sourced and upgraded. We need to think ahead: cybersecurity must continue throughout the whole lifecycle of the system, product or service, and beyond it. This entails updating, monitoring and assessing security levels, as well as applying sufficient and sustainable contractual terms in technology agreements, for example on security updates, vulnerability handling and incident notification.

Collaboration

Even the best available cyber team cannot secure the whole organisation without teamwork. Large data breaches often begin with email attacks such as phishing, which can be difficult to spot among the flood of email. Attackers often target the people considered either the most vulnerable, such as new employees who have not yet learned the ropes, or the most influential, such as members of the management team. Collaboration and shared responsibility form one of the key elements in protecting the organisation. This means that all members of the organisation, as well as external partners, need to collaborate responsibly towards the common goal. The privacy and security functions, together with all the legal counsels of the organisation, have a pivotal role to play in this continuous preventive work, which entails a vast field of different tasks from sourcing procedures and internal policies to third-party agreements and data protection impact assessments.

Training

A certain level of training must be provided to all members of the organisation. Everyone should be familiar with the risks that are relevant in their area of responsibility. In addition to the cyber threats, organisations need to be familiar with the relevant legal requirements stemming from data protection and cybersecurity legislation, including sector-specific legislation. Consequences and risks increase if a data breach incident reveals that mandatory legal requirements have been disregarded. In most cases, the management of the organisation bears the responsibility for compliance with the applicable legal requirements.

Planning

Cybersecurity entails thinking ahead, constantly. According to leading Finnish cybersecurity experts, data breaches will occur in every organisation sooner or later. It is vital to have an extensive recovery plan as well, including mapping and contacting the necessary external advisors in technical consultancy and legal advice. Organisations typically face an unexpected situation when the data breach notification must be filed with the competent data protection supervisory authority or authorities within 72 hours of becoming aware of the breach. Even though the notification can be filed as a preliminary notification and completed later, the list of information requested for the initial notification is quite extensive. Sometimes the notification must be filed in several countries, following varying local filing procedures. Our existing international networks of law firms and other experts cover all jurisdictions globally and make it possible to fulfil these obligations within the set time limits.

Caring

Cyber risks, and their actualisation, cause distress to organisations, their people and their customers. A data breach that involves the personal data of individuals may be a devastating shock to the data subjects involved. When resources are reallocated during incident management, external advisors may help reduce the distress, as some of the internal resources need to be allocated to supporting the organisation and the affected individuals. Managing cyber risks is not only about protecting the business, but also about taking care of the people, their security and their wellbeing.
