Recent cyberattacks, whether targeted or destructive, such as WannaCry or NotPetya, have shown how significantly business activities can be affected, and that organisations are not always cyber-resilient. How is the Luxembourg regulatory framework evolving? What have we learned from recent cyberattacks?

Cybersecurity and cyber-resilience, what are the differences?

Cybersecurity is the set of technologies, tools, processes and practices that aim to defend networks, computers and data from attacks, damage or unauthorised access. Cyber-resilience is the overall system of processes and products that helps an organisation anticipate, respond to and recover from cyberattacks. Cybersecurity measures are therefore a prerequisite for cyber-resilience to be effective.

Cyber-resilience, what is the legislation in the EU and in Luxembourg?

In response to these threats, and to the need for effective cybersecurity measures, the European Commission proposed the Network and Information Security (NIS) directive as part of the EU Cybersecurity Strategy. Based on three pillars, the objectives of the NIS Directive are to:

- Develop a culture of security across two types of entities: Operators of Essential Services (OES) and Digital Service Providers (DSP), which cover vital sectors such as drinking water supply and distribution, energy, digital infrastructure, health, transport, banking and financial market infrastructures;

- Strengthen cybersecurity authorities: each Member State must designate Computer Security Incident Response Teams (CSIRTs) and a competent national NIS authority;

- Create a cooperation group across all Member States to support and facilitate strategic cooperation and information exchange between Member States, by creating a CSIRT network that will “contribute to developing confidence and trust between the Member States, and to promote swift and effective operational cooperation”.

Transposed on May 28th, 2019, the NIS directive in Luxembourg has appointed two National Competent Authorities (NCA) to cover all OES and DSP sectors:

- The Luxembourg Institute of Regulation (ILR) for drinking water supply and distribution, energy, digital infrastructure, health and transport;

- The Financial Sector Supervisory Commission (CSSF) for banking and financial market infrastructures.

Furthermore, two Computer Security Incident Response Teams (CSIRTs) were designated in Luxembourg:

- GOVCERT.LU for the public entities operating in defined sectors;

- Computer Incident Response Centre Luxembourg (CIRCL) for private entities.

Jean Diederich, Partner, Wavestone Luxembourg

The information processes, security requirements and incident notification requirements have all been clearly stated, and the Luxembourg national authorities are working on the identification of OES and DSP.

Finally, if the parties concerned do not comply with the NIS directive, sanctions will be applied to OES and DSP. Penalties will be exclusively administrative, and fines will not exceed €125.000.

Cyber-resilience, Wavestone lessons learned

At Wavestone, we have developed strong expertise in supporting major cyber crises and cyber-resilience programmes. Below is what we have learned on the topic, and 3 key aspects we recommend you improve:

[1] Prepare to contain the attack when it occurs

Cyber crises are specific, and they often involve third parties who are unprepared for them. Existing crisis management processes must therefore be supplemented to cater for the various aspects of cyber threats. Two types of actions are needed. First, organisational actions: identify the key stakeholders before the crisis and define appropriate processes, so that decisions can be taken quickly and defence-plan activities can run in parallel. Second, technical actions: define the roles and responsibilities of the stakeholders, launch adequate investigations to understand the attack, and define adequate floodgates to limit its propagation.

[2] Prepare to work without your IT

Business teams need to learn how to work in a downgraded mode without IT, should systems be downgraded or untrustworthy for a few days or weeks. Teams must therefore be flexible enough to maintain operational efficiency without their usual IT while tools and processes are rebuilt. Each business team must be able to work with manual workarounds and to interrupt its activity in a controlled manner. Furthermore, teams must keep track of the data gathered during the downgraded period, and identify the alternative tools needed to ensure continuity.

[3] Prepare to rebuild your IT

If the cyberattack is a destructive one, or if important parts of the IT estate cannot be cleaned of a malware infection, some or all workstations and infrastructure may need to be rebuilt to maintain vital business activities. These issues must be anticipated, and processes and tools must be defined and implemented accordingly. Applications and infrastructure need two points of attention:

- The rebuilding of applications and infrastructure must be prioritised according to business needs defined before the attack;

- Architectures must be standardised in order to simplify their redeployment if they need to be rebuilt.

Implementing and testing measures to address the 3 aforementioned cyber-resilience aspects will help you improve your cyber-resilience, but it is not sufficient:

- These efforts must go hand in hand with efforts to ensure the appropriate protection of your IT systems;

- It is also important that businesses get the maximum value from their technology choices, in order to protect the interests of the board, executive managers, staff, shareholders, etc.