Human capital & corporate risk

Cybercrime: increasing numbers and scale

In this newsletter, we discuss cyber risk developments and recent proposed Dutch cyber legislation and initiatives with a guest view from Eva Schothorst-Gransier, Nosh van der Voort and Sharon van Norden, all three lawyers in the Insurance Law Section of the international law firm Simmons & Simmons.

The topic of cybercrime is higher than ever on the agenda among the boards of organizations. It is a risk for businesses that demands and receives increasing attention. There is much talk and writing about how to manage calamities in this area. Prevention seems an illusion, but being aware of the risks and being well prepared for an emergency are of great importance. Therefore, be well informed by specialists in this field and make sure that preventive measures and insurance are kept up-to-date. The bill Promoting Digital Resilience for Businesses will hopefully help you gather information.

The news reports make us increasingly aware of the risks we face, as an organization and as directors. Ransomware, CEO fraud, hacks, intellectual property theft and data breaches are all part of the daily news. Every organization is at risk and thus has, or at least should have, a cyber issue.

The insurance market for covering cyber risks is also very much in flux. With the increasing numbers and scale of cyber incidents, developments in the insurance market are also gaining momentum. Several initiatives are aimed at managing cyber risks, as well as providing insight into prevention measures.

Covering cyber risks through an insurance solution seems obvious, especially given the developments and latest reports of cyber incidents. In reality, nothing could be further from the truth.

Despite the increasing numbers and magnitude of cyber risks, it appears that risk perception among many companies is still relatively low. On the other hand, the number of insurers offering insurance solutions for cyber risks is also relatively small. Consequently, we expect strong premium increases and stricter requirements and exclusions in terms and conditions. Insurers are also asking you to provide comprehensive information so they can best assess your organization’s cyber risk. So make sure the topic stays on the agenda and that you are well prepared for any cyber attack.

Kröller Boom has built up considerable cyber expertise in recent years to mitigate and cover these types of specific risks through customized cyber risk insurance policies. Kröller Boom weighs the risk aspects and helps you make informed decisions regarding risk financing. Customization is key and leads to result-oriented solutions and support. Also, it is an important part of your Business Continuity Management.

Guest view from the law firm Simmons & Simmons with Eva Schothorst-Gransier, Nosh van der Voort and Sharon van Norden.

Improving the digital resilience of non-regulated businesses.

Government will more actively inform business about digital threats.

1. Introduction

The government will take a more active role in informing the business community about digital threats. Whereas to date only the central government, vital providers and digital service providers have been alerted to cyber threats, a new bill should ensure greater digital resilience for the entire business community. Anticipating this bill Promoting Digital Resilience for Businesses, the government decided, from a pragmatic point of view, to start alerting non-regulated businesses about cyber threats as early as Sept. 13.

2. National Cyber Security Center and Digital Trust Center.

In the Netherlands, the National Cyber Security Center (NCSC) and the Digital Trust Center (DTC) were created to alert agencies, businesses and citizens about cyber threats. The Network and Information Systems Security Act (“Wbni”) regulates the NCSC’s legal duties in the area of cybersecurity and provides the legal basis for warning, informing and advising on such digital threats and incidents.

The law aims to promote the digital resilience of the Netherlands. It should be emphasized, however, that this law applies only to:

  • Central government;
  • Vital providers (such as energy companies, drinking water companies and banks); and
  • Digital service providers (including cloud service providers).

As a result, other unregulated companies are left out of the loop the moment the government shares information about digital vulnerabilities, threats and incidents. This narrow scope of the NCSC’s work, the call from the business community to share threat information more broadly and the government’s desire to strengthen the digital resilience of businesses have led to the proposed Business Digital Resilience Promotion Act.

3. The bill Promoting Digital Resilience for Businesses

This bill regulates the tasks and powers of the Minister of Economic Affairs and Climate (“Minister of EZK”) in the area of improving the digital resilience of the non-vital business community in the Netherlands. The duties and powers of the Minister of EZK have been delegated to the already existing DTC. Two main tasks have been formulated for the DTC. First, to provide information and advice; second, to promote business cooperation on digital resilience.

The new law is expected to give businesses better practical guidance, helping companies partially implement the appropriate technical and organizational measures referred to in Article 32 of the General Data Protection Regulation (GDPR, "AVG" in Dutch). In practice, therefore, the law could be a useful tool for fulfilling the (cybersecurity) duty of care that companies have under the GDPR.

However, the bill still needs to be approved by parliament.

4. The DTC Information Service.

In anticipation of the implementation of the law, the DTC launched the DTC Information Service starting Sept. 13. Through this service, the DTC receives specific threat information from the NCSC and can alert affected companies about serious threats so they can take measures to prevent or mitigate potential damage. Where possible, the DTC also provides advice on measures to take, such as installing security updates, changing passwords or engaging an IT specialist. At present, the DTC can only perform this task on a limited scale and in cases of serious threats. The longer-term goal is a system in which threat information can be linked to groups of companies.

5. Industry’s own initiative

In parallel with this government initiative, the business community, along with several industry and nonprofit organizations, recently announced that it is introducing its own alert system to notify organizations and businesses of vulnerabilities within their systems and networks. In this way, the business community itself hopes to fill the gap that currently exists in urgent cyber threat disclosure.

6. Implications for the insurance industry.

With the bill and the practical implementation that has already started, the government wants to regulate information sharing with the part of the Dutch business community that does not fall under the scope of the Wbni. It covers the entire range from sole proprietorships to large corporations. The law appears to respond to the strong call from the business community for government assistance with adequate digital security and its desire to be informed about new methods used by cyber criminals.

The information that may start to be provided in practice and the measures to be taken may also affect the insurance industry. For example, how does the insurer deal with a company that is presented with information on the basis of which it can make its own assessment of whether and to what extent it should take measures to mitigate a vulnerability or ward off a threat, but fails to act, or to act appropriately? What costs are covered when the company is subsequently attacked by cybercriminals? And at what point can and should the company notify the insurer of the threat information? With the practical implementation of the law and the pragmatic solutions of the government and industry itself leading up to the law, there may be (in)direct implications for the insurance industry ahead.

When both insurers and industry anticipate the developments discussed, there is room for improved insurability of cyber risks in today’s market. Cooperation is essential to keep entrepreneurial Holland, for now and in the future, sufficiently protected.


This article is posted by Jeroen van Heteren, Senior Liability & Cyber Broker.