Clarksons, the world’s largest shipbroker, is preparing for the fallout from a recent data breach.
An investigation has found that unauthorised access was gained through an isolated user account. Before Clarksons could respond to the breach, essential information was stolen. The criminal hacker is demanding money in exchange for not releasing the information to the public.
Clarksons is refusing to pay the ransom, and is warning its clients that some private data may get released. Andi Case, Clarksons’ chief executive, said: “Issues of cybersecurity are at the forefront of many business agendas in today’s digital and commercial landscape, and despite our extensive efforts we have suffered this criminal attack.”
In light of this breach, and with new legislation on the horizon (most notably the General Data Protection Regulation (GDPR) and the EU Directive on Security of Network and Information Systems (NIS Directive)), could a robust cyber resilience programme have saved Clarksons time, money and reputational damage?
What the NIS Directive will mean for operators of critical infrastructures
The NIS Directive will be transposed into national law in May 2018. Operators of essential services (OESs) and digital service providers (DSPs) will fall within its scope.
Those subject to the Directive are required to adopt “appropriate and proportionate technical and organisational measures” to achieve compliance. Penalties for non-compliance have been proposed. The Directive requires the implementation of a risk management culture, involving risk assessment and the implementation of security measures appropriate to the risks.
The Directive also requires organisations to minimise the impact of security incidents to ensure service continuity, and to notify the relevant supervisory authority of any security incident having a significant impact on service continuity without undue delay.
Achieving compliance with the NIS Directive
Compliance with the Directive will require a comprehensive cyber resilience programme, which helps to prevent and minimise the impact of cyber attacks and enables organisations to quickly respond to and recover from threats.
Member states will have until November 2018 to identify the relevant OESs that will be subject to the Directive. As a company in the transportation industry, it is possible that Clarksons will be classed as an OES and may have to comply.
A strong cyber resilience programme should be supported by effective:
How IT Governance can help with NIS Directive compliance
IT Governance provides a comprehensive set of cyber resilience solutions to help you comply with the NIS Directive, and to ensure continued compliance with the Directive once it is transposed into law:
- Information security management, supported by the international information security standard, ISO 27001.
- Business continuity and cyber incident response management, supported by the international standard for business continuity, ISO 22301.