Among the consequences of the Ukraine conflict is increased cybercrime, especially for the many companies that work with Russia. But cybersecurity is an issue that concerns everyone who exchanges data and information with electronic devices daily. Even before the Ukraine crisis, with the Covid-19 pandemic and the increase in teleworking, it had become necessary to think about creating an ad hoc cyber defence structure in our country. The establishment of the National Agency for Cybersecurity was indispensable for developing a national cyber resilience strategy. Recently, Prime Minister Mario Draghi signed the “National Cybersecurity Strategy 2022-2026”, which states that 1.2% of gross national investments should be allocated annually to cybersecurity.

In the last few months many Italian online services and sites, including the websites of the Senate, the Ministry of Defence and ABI (the Italian Banking Association), have been cyber-attacked (including by Russian actors); the issue concerns the public sector as much as the private one. The 2022 edition of Verizon’s Data Breach Investigations Report pointed out a significant increase in ransomware attacks, up 13 per cent in just a year. This is the “largest growth over the past five years.” In its annual report, Proofpoint pointed out that 2021 was a year of great creativity for cybercriminals: threat actors turned to unconventional, people-focused methods, with 100,000 daily smartphone attacks, while smishing doubled compared to the previous year.

SUFFICIENT MEASURES?

Guido Moscarella, COO of Innovery, an Italian multinational specialising in cybersecurity, told Dealflower: “According to the data shared by the postal police, the first quarter of 2022 saw an increase in cyber-attacks of around 40 per cent compared to the same period last year. This increase cannot be blamed entirely on the war; the number of cyber-attacks and their complexity are increasing yearly, especially in the post-pandemic era. The spread of remote working has quickly brought out new vulnerabilities, because it has expanded the perimeter of attack by cyber criminals, a perimeter that companies could not monitor.”

But are government measures sufficient? “To assess whether the planned investments are sufficient is not easy. The cost of cyber-crime is approximately €7 billion yearly. The planned investment for the agency is 623 million, to which further financial levers, such as tax relief, should be added. In a country where 95 per cent of the production fabric is made up of small and medium-sized enterprises, the vast majority of which do not have an IT security system that is up to the task, due to budget problems, we would have hoped for a more substantial investment,” Moscarella said.

APPLYING GDPR 

However, from SMEs to multinationals, all companies are subject to hacker attacks. Lawyer Elena Cannone, Managing Associate and Compliance and Focus Team Leader of the firm De Luca & Partners, told Dealflower: “This situation has worsened with the pandemic, as corporate assets are more exposed with remote working.” But the solution may already be at hand if one looks at the GDPR. “This regulation and cybersecurity are two sides of the same coin,” the lawyer said. Why? “In the regulation we talk about technical and organisational measures on cybersecurity. Everything is done under the principle of accountability: the company must make an assessment, understand the risks, survey them and, consequently, take measures appropriate to the risk level.”

If the GDPR could be a first step, Cannone said, “we need to have an IT infrastructure that allows us to contain and reduce the risk as much as possible. Companies must be made aware of IT security, because this protects the company assets, image and reputation. In addition to the numbers that are public, it should not be forgotten that many companies do not report hacker attacks. The ideal is to prevent what might happen in order to protect the assets, but there is still a way to go. We are slowly getting there: since 2018, however, progress has been made.” What is lacking is the awareness needed to train employees. “These must be trained and disciplined with specific and periodic training,” the lawyer emphasised.

THE TRAINING ISSUE

Training is crucial, and the need goes beyond the individual company. Moscarella said: “Italy is facing a serious gap of profiles with skills in the IT sectors, especially in cybersecurity. The lack of these profiles makes it difficult to continuously monitor critical structures and guarantee immediate action in case of need.” Innovery has two SOCs (Security Operation Centres) in Italy, which guarantee continuous monitoring, active 24/7, 365 days a year, and are capable of responding to any emergency. “But to increase the effectiveness of these centres, it is necessary to implement them with ever new resources, capable of dealing with cyber risks at all levels, which is why it is essential to invest in training.”

According to a recent report by Fortinet, an American multinational that develops and markets IT security software, devices and services, Italy lacks 100,000 cybersecurity experts. According to the data of the 2022 Cybersecurity Skills Gap analysis, which involved 1,223 managers from as many companies in 29 countries worldwide, the shortcomings of protection systems are evident. Massimo Palermo, Fortinet’s country manager for Italy and Malta, pointed out that Italy needs at least 100,000 specialised figures, considering that we are “the third country in the world most affected by ransomware attacks.”

For proper whistleblowing management, it is essential to pay due attention to the protection of the personal data processed.

The adoption of appropriate measures to ensure the protection and security of personal information is a key factor in achieving the necessary balance between the whistleblower’s need for confidentiality, the need to ascertain the wrongdoing, and the right to defence and cross-examination.

Vittorio De Luca, Managing Partner of Studio De Luca & Partners, commented: “The recent measure adopted by the Data Protection Authority is only the latest of the measures adopted on the subject which, as the Authority pointed out, is part of a broader inspection plan dedicated to verifying the utmost respect for the protection of personal data during the management of unlawful conduct reports. Without prejudice to this, proper management of the ‘whistleblowing system’ is part of an effective corporate compliance strategy. Implementing organisation, management and control systems built on the results of a preliminary risk analysis makes it possible to reduce the risk of offences being committed and the risk of incurring the heavy penalties provided for by applicable legislation. It is necessary to adopt corporate procedures and appropriate technical and organisational measures for the protection and security of the information of those involved, without neglecting the importance of awareness-raising and training for users of these systems and for those in charge of managing and verifying the reports made. Reaching a high level of awareness and culture among corporates must be one of the first objectives to be achieved.”

On 7 April 2022, in an injunction order issued against a hospital, the Italian Data Protection Authority (“Garante”) found that the data processing carried out as part of the management of its whistleblowing system was unlawful.

The Authority also sanctioned the IT company which, acting as a data processor, managed the service for reporting alleged corrupt activities or unlawful conduct within the entity.

The investigation

The Authority noted that, under Articles 13 and 14 of Regulation (EU) 2016/679 (the “GDPR”), the hospital, in its capacity as data controller, had failed to provide specific and prior information about the personal data processing carried out following a report. This was in violation of the principle of “lawfulness, fairness and transparency”, which imposes on the data controller the obligation to provide data subjects with specific information about the data processing in advance, by taking “appropriate measures” to reach the recipients.

It also emerged that the health authority had failed (i) to record the processing operations carried out in the register of processing activities under Art. 30 of the GDPR and (ii) to carry out a preliminary privacy impact assessment.

The Authority stated that the processing of personal data using systems for acquiring and managing reports has risks for the rights and freedoms of the data subjects due to “the sensitivity of processed information, the ‘vulnerability’ of the data subjects in the workplace, and the confidentiality regime of the whistleblower’s identity under the sector’s legislation.”

Furthermore, it noted that:

  • during the replacement of the person in charge of corruption prevention and transparency, proper management of the authentication credentials used to access the web application had not been adopted, and
  • the IT company appointed by the entity to manage the whistleblowing system had used a (sub-)supplier for the application hosting service without providing it with data processing instructions and without informing the health authority (the data controller); it had also used the same hosting service for its own, additional purposes.

The Data Protection Authority’s decision

The Authority fined the hospital and the IT company €40,000 and gave the hospital a further 30 days to make its relationship with its supplier compliant with the relevant legislation.

◊◊◊◊

As specified in the communiqué shared by the Data Protection Authority, the investigation carried out, in this case, was part of “a series of inspections on the processing methods of data acquired through whistleblowing systems, particularly those most used in Italy by employers.”


In the last few days, Italian online services and sites, including the websites of the Senate and the Ministry of Defence, have suffered a cyber-attack from a group of Russian cybercriminals. Vittorio De Luca, of Studio De Luca & Partners, said:

“Cyber-attacks are a daily occurrence and no one can consider themselves safe. Attacks on institutions cause a stir, but for years hundreds of companies have suffered daily attacks from cybercriminals. These attacks have a considerable impact on productivity and lead to data theft, service disruption and image damage. Robust cyber security is essential to protect a company’s knowledge assets and ensure business continuity. GDPR requires small and large companies to conduct a survey of their cyber risk exposure and the impact it could have on their business. An ‘incident’ response plan must be prepared, and security policies and measures to protect the IT system must be adopted. There must be periodic audits. It is essential to raise employee awareness on cyber security through training sessions, so that they can recognise and deal with the various threats. Protection from cyber-attacks takes place in two phases – prevention and protection. If there is a successful attack, companies must inform the data protection authority and initiate a data breach procedure within 72 hours of becoming aware of the violation.”

Based on the principles of the Court of Justice’s Schrems II judgment of 16 July 2020, with Decision no. 2021/914 of 4 June 2021 the European Commission approved two new sets of Standard Contractual Clauses (“SCCs”) which, from 27 September, must be included in contracts regulating a transfer of personal data to non-EU countries or international organisations. For contracts signed before this date there is a transition period ending on 27 December 2022, provided that the processing operations covered by the contracts remain unchanged and the “old” clauses ensure that the transfer of personal data is subject to adequate safeguards. After this deadline, these contracts will need to be updated on the basis of the new SCCs.

The new SCCs cover cases where personal data is transferred to non-EU countries or international organisations that do not offer a system of protection equivalent to that provided by the Data Protection Regulation (EU) 2016/679 (the “GDPR”). The new SCCs must be adopted for personal data transfers: (i) between data controllers; (ii) between a controller and its processor; (iii) between a processor and its (sub-)processor; and (iv) between a processor and its controller where the latter is not subject to the scope of the GDPR.
