OyaYansa Posted August 16, 2017

In recent months there have been major cyber attacks on companies worldwide, affecting millions of users. The impact of these incidents has been such that the Spanish administration has decided to act. Specifically, it is preparing the draft of a new Royal Decree-Law that will fine companies that conceal cyber attacks or fail to take the measures needed to remedy them.

While it is true that the latest attacks have not significantly affected Spain (except for WannaCry, where Telefónica was the major victim), they did put on the table the need for a legal instrument that lets the Administration offer certain guarantees about the security systems of Spanish companies. With this objective, the Government is committed to prevention and to alerting companies against hackers; companies that do not comply will, for the first time, be sanctioned. Specifically, the draft decree-law being finalized states that operators of essential services (electricity, transport) and digital service providers that do not report significant cyber attacks they suffer, or do not take measures to prevent them, may be punished with "effective, proportionate and dissuasive sanctions". The Royal Decree allows the Administration to supervise the security of the computer systems of Spanish companies, impose preventive measures and even punish them if they do not apply those measures or do not report the cyber attacks they have suffered. The measure is the joint work of the Department of National Security, the Ministry of the Interior, the CNI and the Secretary of State for the Information Society and the Digital Agenda, which coordinates the effort.

The aim is to align with European regulation, specifically Directive (EU) 2016/1148 on security of network and information systems (the NIS Directive), which member states must transpose into national law by May 2018. The NIS Directive requires each member state to identify its operators of essential services and its main digital service providers, both private and public, and to communicate them to the European Commission. The sectors involved are energy (electricity, oil and gas), transport (air, sea, rail and road), finance (banking and financial markets), health, drinking water and digital infrastructure, which are the potential targets of future attacks.

The regulation will allow the Administration to:
- conduct audits to check the operators' security level;
- issue "binding instructions" to help them improve the protection of their computer systems;
- require them to report "without delay" any incident that endangers the service they provide.

As for the sanctions on companies that do not comply with these measures, they are expected to be proportionate to the seriousness of the attack, taking into account the number of users affected, the geographical extent and the consequences.