Cybersecurity: A Responsibility for the Executive Leadership
January 10, 2025
Cyber attacks are an increasingly frequent topic of discussion among business leaders and citizens alike. However, it is difficult to determine their exact frequency because many attacks are not disclosed in order to avoid reputational damage. The governor of the Bank of Spain, José Luis Escrivá, recently stated that around 400,000 cyber crimes occur annually in Spain. The central bank monitors these issues closely since many of these crimes are connected to financial institutions and their customers.
Expanding the focus to all of Europe, independent reports like the one from ENISA (European Union Agency for Cybersecurity) [1] reveal that the EU is experiencing a significant rise in cyber attacks, particularly in sectors such as healthcare and corporate supply chains. ENISA also highlights the impact of the pandemic and remote work on the expansion of attacks, as well as the growing use of emerging technologies like Artificial Intelligence (AI), which represent new opportunities for cyber criminals. More sophisticated attacks, such as deepfakes and spear phishing, are increasingly complicating the detection and mitigation of these threats, as also pointed out by the IOCTA (Internet Organised Crime Threat Assessment) [2] published this year by Europol.
No one can doubt that the number and sophistication of attacks are on the rise, originating from private organizations and state actors aiming to cause disruption or instability. Geopolitical tensions, with two wars in the foreground, and the increased digitalization of Western public institutions in critical sectors provide fertile ground for these increasingly sophisticated assaults.
The European Union’s response has been the implementation of DORA (Digital Operational Resilience Act) [3], a regulation that establishes a framework to strengthen the cyber resilience of financial entities. Its main goal is to ensure that these organizations can withstand, respond to, and recover from cybersecurity incidents while minimizing operational disruptions. DORA covers banks, insurance companies, financial markets, and technology service providers, such as cloud or data analytics services.
The EU regulation introduces requirements for managing technological risks, reporting cybersecurity incidents, and conducting operational resilience testing. It also sets rules for supervision and cooperation among relevant authorities.
DORA must be fully implemented by affected companies by January 17, 2025. Its aim is to enhance security and trust in the EU’s digital financial system, and non-compliance will result in hefty fines ranging from five million euros to 2% of a company’s annual turnover.
While the goal is appropriate, complying with DORA involves significant effort: implementing 40 different policies, adding 70 mandatory contract clauses with providers, and completing about 100 data fields for incident reporting.
The magnitude and complexity of DORA’s requirements, such as mapping the company’s critical business processes and identifying the vendors that support them, necessitate increased collaboration across various areas of the organization. For this reason, the regulation holds the entire board of directors and business executives (not just those in technology but also in Compliance and Legal) responsible. They will be held accountable, both financially and potentially criminally, if the company suffers attacks without proper protection in place.
In our long experience in this sector, we know that while technological protection is essential, it’s not sufficient. Most attacks result from human error—usually accidental but sometimes malicious. Employees must be made aware of the cybersecurity risks associated with using different devices, though we must not overlook the importance of maintaining close control over supplier operations and the supply chain, which are potential entry points for attacks.
In addition to DORA, the NIS2 Directive [4] (Network and Information Security Directive 2) is set to come into force, updating the EU’s original NIS Directive. It is also aimed at improving cybersecurity and enhancing resilience and response capabilities in critical industries, such as essential infrastructures, energy, transport, healthcare, and the digital sector. Published in 2022, it establishes strict requirements for risk management, incident reporting, and cooperation and harmonization among EU Member States. It will take effect once each country transposes the Directive.
To comply with these regulations, organizations need the necessary knowledge and experience for both implementation and strategic cybersecurity design. It is crucial to have efficient and intelligent systems in place to identify critical functions and their security controls, providing a 360-degree view in case problems arise. The key is to minimize the impact and continue providing services to customers.
Cyber attacks are now considered the most profitable criminal enterprise of this decade. According to some experts, the number of cyber attacks on companies in Europe is expected to double this year compared to 2023 [5]. The total cost of these attacks for businesses is estimated to reach 10 billion euros [6], with the most affected sectors being government, transportation, technology, and retail. DORA and NIS2 are valuable tools, but there is no time to waste in developing an effective cybersecurity strategy, as no one is immune to attacks.
Footnotes:
[1] ENISA Threat Landscape 2024 (covering July 2023 to June 2024). Published in September 2024.
[3] Link
[4] Link