After the implementation of the new European guidelines (NIS2), executives are actually liable for the cyber policy of their organization. For example, they are expected to take measures to mitigate cyber risks and actively ensure compliance. Moreover, they are expected to actively contribute to ensuring cybersecurity with their suppliers. In case of negligence, they can even be held personally liable. However, not everyone is aware of this yet.
Cybersecurity goes beyond IT.
According to the Cyber Security Council (CSR), which advises the government on digital security, the role of executives is often limited to approving the requested budget, and the cybersecurity policy is still largely left to the IT department. The NIS2 directive is set to change this.
“At CCRC, we also notice that many organizations view cybersecurity as the responsibility of IT, while it is just one component of overall cyber resilience.” – Kelvin Rorive
Cybersecurity poses a threat to business continuity and is therefore as crucial as sound personnel management and solid finances. According to the Cyber Security Council (CSR), the risks of cyber incidents have never been greater. Research by cybersecurity company Cisco also shows that only 3% of all companies are prepared for current cyber threats. Furthermore, in this interconnected digital world, we are heavily reliant on one another. Inadequate security at a small supplier can have significant consequences for the entire supply chain. An example of this is the cyberattack on logistics provider DP World in Australia, which led to the shutdown of major ports and the inability to process 30,000 containers.
Will you, as a director, be liable?
The new European regulations apply to all companies in specific sectors with at least fifty employees and a minimum turnover of 10 million euros. However, as a director, you cannot expect a phone call from the government. You must independently investigate whether your company will face new obligations following the introduction of the legislation and whether you, as a director, could ultimately be held liable for them.
Meeting the NIS2 duty of care? Organize a Cyber Crisis Response!
At CCRC, we support organizations in conducting cyber exercises within their supply chain, which is an essential aspect of the duty of care introduced by NIS2.
Are you curious about the possibilities for your organization? Feel free to contact us at contact@ccrc.nl or call 070 41 90 309 to discover how we can help your organization comply with these new regulations.
(Source: "CEO heeft eigen aansprakelijkheid cybersecurity niet op het netvlies" (fd.nl))