08.10.19 FSMA and Centre for Cyber Security Publish Guidance for the Management of Cybersecurity Risks
Just in time for Cyber Security Month: the FSMA has published, in collaboration with the Centre for Cyber Security Belgium, a document on the basic principles for the management of cybersecurity risks. This communication serves as guidance for businesses on the better management of the ever-increasing cybersecurity risks (in a preventive as well as in a reactive manner). The identified principles are fourfold: governance, inventory of resources and risk-analysis, implementation and evaluation of the measures.
A first principle applies on the level of governance (security strategies and support). The FSMA advises all companies to adopt a Cyber Incident Response Plan that identifies the measures necessary to prevent cybersecurity breaches and to respond adequately in the case of an incident. To be effective, such a plan needs to ensure that there is fluent communication between the parties in question: the competent (judicial) authorities, the Cyber Incident Response Teams, the clients, etc. The FSMA stresses the importance of the necessary awareness within the entire company on the issue of cybersecurity and insists on the need to train employees in dealing with cybersecurity incidents, and to provide a clear and quick communication mechanism between all different entities within the cooperation, etc.
Secondly, the FSMA highlights what it considers to be one the most important steps for companies: make inventories of the critical operations in their infrastructure and their supporting information assets (which have to be secured in order to keep the operations stable and secure). This risk-management must be based upon the proportionality principle: the risks that the profile of the company presents must be assessed in order to determine the measures needed.
Thirdly, the FSMA and the Centre for Cyber Security describe the concrete application of these measures in order to protect, detect, react and correct the problems that are the result of cybersecurity incidents. They specifically recommend the appointment of a person responsible within the company to deal with breaches. Also, if there is a contract between the company and an IT service provider, the obligation of the IT service provider to report breaches of their client- and company records needs to be set out in the contract. The company also needs to have in place a formal process to assess whether the security measures implemented by the IT service provider are sufficient. Large companies are advised to deploy a SIEM-solution (Security Information and Event Management). This method analyses the use of the tools and systems within the company in order to detect irregular activity and to predict where security issues may arise in the future in order to proactively react to it.
Lastly, the FSMA and the Center for Cyber Security Belgium stress the importance of regular evaluation. The goal is a continuous improvement cycle: the annual review of risk analyses and control measures in the light of the incidents that occurred during the past year. In any case, they require an evaluation of the effectiveness of the security measures at least once every two years.
Next to the four identified principles, the communication finishes with further specifications: a help guide for SME’s by the Center for Cyber Security Belgium, the importance of the sharing of information regarding cybersecurity (which is obligatory under the Act of 7 April 2019 implementing the NIS Directive in certain cases).
The communication can be very useful for businesses in their quest for compliance with the obligations imposed by the legislator regarding cybersecurity and for the purpose of the security of their network and information systems in general. In any case, it is a good read in the light of Cyber Security Month.
Read the full communication here: https://www.fsma.be/nl/news/fsma-vraagt-aandacht-voor-het-beheer-van-cybersecurityrisicos / https://www.fsma.be/fr/cyber-securite.