Cybersecurity aims to fight cybercrime preventively, through the establishment within organizations of technical and organizational measures, and therefore human and legal ones as well. The Grenier Avocats firm sheds light on the protections to be put in place in order to anticipate and manage the legal risk of organizations.
According to 80% of the cybersecurity and risk management leaders surveyed in a 2019 global study by IRM (Altran group), the deployment of 5G technology risks increasing cybercrime. Indeed, 5G will connect an unprecedented number of sensors, in particular those of connected objects that are popular in many sectors handling sensitive data, especially health, logistics, energy and electricity. However, these connected devices are hackable, exposing the data they collect and transmit to a high risk of theft or compromise. This cyber risk intensifies the overall digital risk and increases its propensity to spread to all of the organization's activities. The evolution of digital risk now engages the responsibility of the manager with regard to its management and treatment, with regulation to back it up. Thus, the company must comply with the General Data Protection Regulation (GDPR) or with the European Network and Information Security Directive (NIS). Furthermore, while a company targeted by a computer attack is a victim, it can at the same time be held legally responsible for a corollary act: the illegal extraction of personal data in large numbers. Indeed, much of the data that will pass through 5G is personal data, such as health, identity or location data. The company must therefore take the initiative to ward off cyber attacks and protect the data it holds and processes against compromise and theft. Hence the importance of cybersecurity and the lawyer's role in anticipating and managing the legal risk of organizations.
Legal compliance and prevention
In order to protect himself against civil and criminal liability, as well as that of the organization as a legal person, the manager must first of all know the legal and regulatory requirements applicable to his organization. He can thus assess its level of compliance and identify all the protections to be guaranteed. The advice of a legal expert is essential here to help the manager review the sector-specific obligations tied to the nature of the organization (public, health, nuclear, transport, finance, etc.) and to its status, for example operator of vital importance (OIV) or operator of essential services (OSE), as well as the obligations arising from national or international rules, so as to identify all the protections to be guaranteed. On the contractual level, the manager must check the security requirements included in the contracts signed with his clients, suppliers or partners. The company must then equip itself with a digital risk governance framework. The manager must define, with the board of directors, the new risk acceptability thresholds. The approach also concerns the stakeholders in the company's value chain. Finally, the company must deal with the human factor, the trigger for 70% of cyberattacks. The company must therefore make its employees aware of the threats and train them in good security behavior. The approach also concerns subcontractors and service providers (Art. 39 of the GDPR).
Secure machines and information systems
Cybersecurity concerns the company's information systems, which must be armed with IT security. This must be accompanied by good practices deployed throughout the company, and here again the manager has every interest in being assisted by experts in this field. Industrial systems are also targeted by cyber attacks, because they are highly computerized and interconnected with traditional information systems. They also expose employees to a cyber risk while they are stationed in the vicinity of vulnerable work equipment. Machine safety, both in terms of design and of use, is therefore concerned. Legal counsel will help the manager conduct an analysis, in particular the one proposed within the framework of the European Machinery Directive 2006/42/EC and the protection of employees. It aims to provide methodological elements to prevent cyber risk and its consequences on the health and safety of operators.
Despite all the cybersecurity measures put in place, the company must be prepared for an attack. Procedures, responsibilities and roles within the teams must therefore be defined and operational when a problem occurs. Another ally of the company in this process is its insurer. It can support the company in terms of prevention, offer assistance in the event of an attack, cover financial losses suffered as a result of an attack and cover its liability if the computer attack results in claims from or damage to third parties. There are now so-called "cyber insurance" contracts, in a context where digital risk is increasingly excluded from traditional insurance contracts in favor of more specific insurance policies.