Cybersecurity Preparedness: What Guidance to Follow?

With cybersecurity becoming a board-level issue, compliance officers, lawyers, board members, and business drivers are looking for official guidance or recommendations on cybersecurity measures to protect business, customers, and the wider economy.

Whose guidance to use?

On 14 December 2024, the Court of Justice of the European Union confirmed that, under data protection rules, it is the controller of personal data that bears the burden of proving that the security measures applied to personal data are appropriate. So, we looked at the highest fines imposed on organisations so far for failure to apply appropriate security measures. The UK Information Commissioner’s Office (ICO) that imposed the highest fines so far (Euro 22.4 mln and Euro 20.45 mln in 2019), when determining what security measures are appropriate referred to the guidelines and standards published by the UK National Cyber Security Centre (NCSC) guidelines and the US National Institute of Standards and Technology (NIST). In the EU, the equivalent to the NCSC and NIST would be the European Union Agency for Cybersecurity (ENISA) that is tasked to produce cybersecurity-related guides and standards.

These three organisations produced numerous guides from security measures for video-conferencing and password security to supply chain security and ransomware attack management. The content of the guides is different for small, medium and large organisations.

The sheer amount of guidance material may feel overwhelming for a person who does not specialize in IT security. For example, there are at least 89 NSCS publications available on cyber risk management alone. Therefore, we provide you with a snapshot of the basics you can start from. However, for cybersecurity professionals, there are also free tools to test and practice a response to a cyber-attack.

ENISA guidelines

NCSC guidelines

NIST Guidelines and CISA Guidance

US State Guidance

Cybersecurity guides for organisations in regulated industries and critical infrastructure

If your organisation is in essential services industries in the EU (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, or ICT service management) or provides EU-facing services in these sectors, then there are additional legal requirements concerning the cybersecurity measures your organization should be taking under the EU Network and Information Security Directive (NIS2) and the EU Critical Entities Resilience Directive (CER) that go beyond the protection of personal data. If you are in the financial services sector, there are also sector-specific cybersecurity and operational resilience laws, such as the EU Digital Operational Resilience Act (there are similar rules applicable in the UK). ENISA is working on updating its guidelines under the above laws and we will keep you updated on these.

The UK announced the intention to update its NIS1 legislation to follow suit and the NCSC provides guidance for organisations responsible for vitally important services and activities under the Cyber Assessment Framework. In the US, NIST has a resource page for Critical Infrastructure: https://www.nist.gov/cyberframework/critical-infrastructure-resources.

In addition, if your organisation is in the US, in July of 2024, the US Securities and Exchange Commission (SEC) adopted rules requiring registrants and foreign private issuers to disclose material cybersecurity incidents and material information regarding their cybersecurity risk management, strategy, and governance. Failure to comply with SEC regulations can lead to an enforcement action. For New York State regulated entities and individuals, the Department of Financial Services (DFS) Cybersecurity Regulations have been in force since 2017 and underwent a major update in 2023. For all entities subject to California’s Consumer Privacy Act (CCPA), an initial draft of the cybersecurity risk assessment requirement was released in August 2023 and will certainly undergo the rule making process to finalize.