Managing cyber risk

In this article we give a brief overview of some of the latest developments in Norway in the area of cyber risk and cyber legislation, and share some recommendations for how companies should prepare to manage this risk going forward. 

Cyber security must be ­prioritised

The latest annual report on national digital risk in Norway was published by the Norwegian National Security Authority (“NSM”) on 19 October 2023 [Nasjonalt digitalt risikobilde 2023 (nsm.no)]. The purpose of the report was to raise awareness and motivate enterprises to increase their cyber security efforts, with NSM generally emphasising that both public and private enterprises must prioritise cyber security going forward.  

The report highlights the following key points:

• The developments in artificial intelligence, including large language models, are expected to lead to further professionalisation among attackers.
• Cyber-attacks can have an increased physical impact as industrial systems (such as those linked to critical infrastructure) are increasingly connected to the internet.
• Increased focus on cyber security may make other methods of accessing information more attractive to malicious actors. The risk from insiders to the system may increase with a one-sided focus on cyber security. Thinking about security in all domains is crucial.
• Cyber-attacks aimed at influencing voters place a strain on democracies.

Based on the ever-increasing risk, cyber security is a topic that should be high on the agenda both for company boards and management. Directors and managers must recognise the importance of understanding how cyber risk can threaten the values of the company, take necessary measures to ensure the continued operation of the business (in the wake of a cyber-attack), mitigate financial loss, prevent loss of confidential information / personal data and limit the risk of liability and reputational damage. Pursuant to the Companies Act, Norwegian boards have a duty to familiarise themselves with and follow up on potential compliance risk areas for the company. The board sets expectations and partially sets guidelines for management priorities. Additionally, board members may be held personally liable (by shareholders) in the event of financial loss. 

EU cyber security ­directives and corresponding legislative ­developments in Norway

With respect to cyber legislation, there is a steady stream of developments which companies must take into account in their efforts to implement comprehensive and good cyber management. 

In Norwegian law, the latest development is the Norwegian Parliament’s adoption of the Digital Security Act on 20 December 2023. The act incorporates the EU’s cyber security directive, the NIS1 Directive (albeit that its date of entry into force has not yet been determined). The Digital Security Act requires organisations that have a particularly important role in maintaining critical social and economic activity to comply with digital security requirements and to notify authorities of serious digital incidents. A number of industries /sectors have already been subject to legal requirements for digital security for a number of years, including in particular the financial and health sectors. The new legislation will therefore have particular significance mainly for companies in industries that have not previously been subject to equally extensive requirements for digital security. 

In the EU, the second iteration of the cyber security directive – NIS2 – has already entered into force. NIS2 imposes security requirements, as well as incident notification and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure. Members states have until October 2024 to transpose the directive into national law. In addition to mitigating certain weaknesses in NIS1, the NIS2 Directive aims to expand and harmonise the scope of the cyber security rules while also setting certain minimum requirements. It is not certain when NIS2 will become part of Norwegian law. However, it is possible that the Norwegian government will look to the  NIS2 Directive’s obligations and scope when drawing up regulations under the already adopted Digital Security Act. 

Regardless, companies should even now take account not just of NIS1, but also of the requirements set out in the NIS2 Directive. Even Norwegian companies without operations in the EU may be indirectly affected by NIS2, since customers subject to the requirements in NIS2 to a greater extent than under NIS1 will be obliged to follow up on cyber risk and resilience in their supply chains. 

In addition, companies must be cognisant of the numerous other relevant legal requirements pertaining to cyber security, including (but not limited to) information security requirements. This includes general laws such as the Security Act, which applies to national security, and the Personal Data Act, which applies to the protection of personal data. There are also requirements that apply to specific industries or products, such as sector specific regulations in finance, health and the public sector. Additionally, the upcoming Cyber Resilience Act is highly relevant. This will be the first EU-wide legislation of its kind, introducing common cyber security rules for manufacturers and developers of products with digital elements, covering both hardware and software.

Cyber risk management and incident handling

Preparation is key to managing cyber risks and limiting the disruption and damage that cyber security incidents cause. Such preparedness can for example be achieved by: 

• setting up a risk-based cyber security risk management programme, implementing governance-, compliance-  and contractual measures;
• identifying applicable regulatory requirements, including notification requirements; 
• implementing an effective Cyber Incident Response Plan, which establishes a written systematic approach to handling the incident and includes detailed procedures/guidelines (e.g. checklists), stakeholder management etc.;
• conducting awareness and preparedness training;
• mapping and following up on employee risks (insider threats etc.);
• setting up a dedicated data breach response procedure pursuant to the GDPR; 
• mapping risks related to liability in relevant vendor and customer contracts; and 
• assessing cyber insurance issues.

In the event of a cyber-attack, it is important to have a trusted partner that can assist in taking immediate and effective action. Wikborg Rein has extensive experience handling various types of incidents, including related to security breaches. We are also used to working seamlessly with technical experts who will play a central role in dealing with cyber risks and incidents as they arise.