EY Global Information Security Survey 2016-17: cyber resilience – regulatory and legal considerations

Excerpt taken from EY’s 19th Global Information Security Survey 2016-17, Path to cyber resilience: Sense, resist, react.

Threats of all kinds continue to evolve, and today’s organizations find that the threat landscape changes and presents new challenges every day. Over the decades, organizations have learned to defend themselves and respond better, moving from very basic measures and ad hoc responses to sophisticated, robust and formal processes.

Information sharing and collaboration are on the rise

Governments and other entities are increasingly concerned with your cybersecurity. Industry-specific regulations relating to cyber risks are gathering momentum and legislative interest is increasing, so new regulations and laws should be expected. In many parts of the world, standards are being developed for critical infrastructure organizations, and there are calls for greater information sharing and collaboration, as well as mandatory reporting of cyber attacks, so that cybercrime can be fought together. It should be anticipated that such reporting will become compulsory; even if it does not happen in the short term, the climate today will lead regulators, stakeholders, business partners and even customers to want to know more about your cybersecurity. So be prepared to report, and look for opportunities to share and collaborate today.

What, how and when to communicate can present significant challenges

  • Today, many of the proposed regulations or laws around reporting of cyber attacks say that you need to notify customers within a certain number of days. The problem is that many cyber attacks are not discovered for months, sometimes years. And where law enforcement is involved, it may request that you do not notify your customers while its investigation continues.
  • Customers may be entitled, or feel entitled, to compensation for a breach of their information. One proposal under discussion in the US would give each affected customer a year of free identity theft insurance. But not all breaches put a customer in a position where they need this, or something like it, so there is a feeling that this kind of compensation would increase costs without providing a real benefit to the customer, and could damage the brand and reputation.
  • Finally, there is growing recognition that it may be dangerous to notify customers every time, especially if the risk is low, because they become desensitized and do not respond when a more harmful incident occurs. Over the last two years alone, the same person may well have been notified of an attack on their mobile phone provider, the online retailer they use and their email provider, and been told that their credit card details have possibly been sold and their social security records are perhaps in the hands of criminals, with nothing they can do about any of it. It is too much, and people will start to ignore it.

Today’s emergency services: the cyber breach response program

Given the likelihood that all businesses will eventually face a cyber breach, it is critical that companies develop a strong, centralized response framework as part of their overall enterprise risk management strategy.

A centralized, enterprise-wide cyber breach response program (CBRP) is the focal point that brings together the wide variety of stakeholders who must collaborate to resolve a breach. The CBRP should be led by someone who is experienced with technology and able to manage the day-to-day operational and tactical response, but who is also equipped with in-depth legal and compliance experience, since these events can trigger complex legal and regulatory issues with financial statement impact.


EY Legal Services Contacts:

Peter Katko – Global Digital Law Leader
Fabrice Naftalski – Global Data Privacy Leader