Importance of the new cyber security law for Lithuanian organizations
05-11-2024 | Expert opinion
As the digital environment develops, so do the threats that accompany it. On
18 October this year, an amendment to the Law on Cybersecurity came into
force, transposing the NIS2 Directive (Network and Information Security
Directive 2) into Lithuanian law. Organisations in various sectors, including
the insurance sector, face significant changes. The aim of this legislation
is to strengthen the resilience of critical infrastructure to cyber threats
and to introduce unified security measures.
Essence and impact of the NIS2 Directive
The NIS2 Directive is part of the EU's broader cybersecurity strategy, which
focuses on strengthening cooperation and information sharing between Member
States. It aims to ensure that key sectors, including finance and insurance,
are better equipped to withstand and respond to cyber incidents.
The amendment to the Law on Cybersecurity of the Republic of Lithuania, which
implements the provisions of the NIS2 Directive and primarily affects
critical sectors, includes several key elements:
- Incident management: organisations must promptly notify the responsible
authorities (the National Cyber Security Centre and the police) of
significant cyber security incidents. The notification must describe the
nature of the incident, its impact on services and the actions taken to
mitigate the risk.
- Risk management framework: companies must put in place an enhanced risk
management framework under which their cyber security measures are
reassessed regularly. To maintain their level of cybersecurity, entities
must undergo a cybersecurity audit at least once every three years,
following the audit methodology approved by the National Cyber Security
Centre.
- Stricter penalties for non-compliance: breaches of the new rules can lead
to heavy fines, intended to make organisations treat cybersecurity as a
priority.
- Training and awareness programmes: organisations need to invest in
training employees in cybersecurity best practices, since informed
employees are the first line of defence against cyber threats.
Impact on the insurance sector
The implementation of the NIS2 Directive also places the insurance sector on
the list of critical entities. Here are some of the key implications to
consider:
- Increased accountability and credibility. Under the new compliance
requirements, companies in the insurance sector, including insurance
intermediaries that form part of the same supply chain, will have to pay
close attention to their cyber security obligations. Stronger governance
will not only increase resilience to threats but should also strengthen
consumer confidence, so that customers feel more secure entrusting their
data to insurance industry players.
- Development of cyber insurance products. The new law is likely to increase
demand for, and the availability of, cyber insurance, and market
participants can expect more comprehensive cyber insurance products
covering a wider range of incidents, including data breaches and ransomware
attacks.
- Closer cooperation with technology companies. Insurers will need to work
closely with technology companies to improve their cybersecurity
infrastructure. These partnerships will be key to implementing effective
risk management strategies and data protection measures.
In conclusion, while the new cyber security law poses challenges for
organisations, it also offers opportunities to increase resilience and
consumer confidence, and to mitigate risks. By prioritising cybersecurity
and ensuring compliance with the new rules, organisations can not only
protect their operations but also contribute to creating a safer digital
environment for their business.
The Law on Cyber Security does not introduce security controls beyond those
already required by the international ISO 27001 standard; what it adds are
the statutory obligations described above (incident notification, periodic
audits and penalties), which reinforce the priority given to information
security. With the growing threat of cyber incidents, IVP Partners has been
managing information security in accordance with the requirements of ISO
27001 since 2019 and has implemented an information security management
system in the company based on the requirements of this standard. We
therefore expect even greater attention to, and strengthening of, the
information security culture across the market in the future.