By 2022, the average German will own 9.7 connected devices – such as smartphones, smart home appliances and computers. Digitalisation not only affects private households, but also systems within production, supply-chain and other industrial processes across all sectors. As these processes are becoming increasingly digitalised across all sectors, they are becoming more vulnerable to hacking and sophisticated cyber criminals. Successful attacks result in high costs, especially for businesses. For example, current studies estimate that an average cyber-attack costs a company just less than four million U.S. dollars and the global total ransomware damages will climb to 11.5 billion U.S. dollars in 2019. Ransomware is projected to attack a business every 14 seconds by the end of 2019, up from every 40 seconds in 2018. At the same time, the risk awareness among German business managers has decreased, according to the latest Deloitte Cyber Security Report 2018.
Governments are reacting to these increasing threats by introducing various cyber security regulations. For example, the German government recently proposed a toughening of Germany’s criminal law, as well as more far reaching requirements for businesses to report cyber security incidences, as part of its second IT Security Law (IT-Sicherheitsgesetz 2.0). However, some countries also utilise their national cyber security regulations for other than cyber security-related political and economic goals.
Cyber security: Different countries, different approaches
Deloitte illustrated in its European Cyber Defense Report 2018 that all countries in Europe have already introduced at least one national cyber security strategy. With these strategies, each country is aiming to ensure a high degree of cyber resilience. To this end, countries identify their own strategic cyber security goals, name responsible institutions, and define public and private responsibility in the case of cyber security incidents. Therefore, companies have to get acquainted to these country-specific approaches in order to comply with them and to avoid fines. However, so far only about half of all business managers are aware of cyber security regulations being important for their business activities.
Several countries outside of Europe have also developed their own strategic approaches to cyber security. As each country introduces its own definitions of key terms such as “critical infrastructure”, “national security” and “data of public interest”, discussions erupt across the globe concerning potential hidden agendas. This was the case for China’s national cyber security law. Since the introduction of the Chinese national cyber security law in 2017, China has prioritised the protection of its national security in cyber space. In this context, Chinese authorities require the disclosure of business-related data from companies active in China. Companies must be aware of such requirements as they can have an impact on company-specific policies regarding the protection of intellectual property.
Varying cyber security regulations: Consequences for industry
German companies aiming to do business in third countries should inform themselves about the specific regulations in the respective country. Such regulations can affect incident reporting, the handling of personal and non-personal data, as well as the need of cyber security insurance. In particular, companies need to inform themselves on whether or not their business is classified as a critical infrastructure, as this often implies additional obligations.
About the project: BDI and Deloitte’s Cyber Landscapes
With their interactive Cyber Landscapes, BDI and Deloitte aim to provide an overview of cyber security regulations in various jurisdictions around the globe to companies, politicians and other interested parties. The countries have been selected according to their economic ties with Germany and German companies’ engagement in these countries (e.g. foreign direct investments, FDI) respectively. The maps provide the current state of play (April 2019) and will be (partially) updated on an irregular basis. It is important to highlight, that sector specific regulations are not being considered when researching cyber security regulations. Moreover, the Cyber Landscapes do not consider data privacy regulations and those for the financial sector.