Management team not prepared for cyber regulations

Introduction of AI and WP.29 shows that many companies are probably not prepared for the EU Cyber Resilience Act and the EU Supply Chain Directive.

WP.29, NIS-2, the EU Cyber Resilience Act and the EU Supply Chain Directive – a series of new regulations are coming into force this year that are intended to ensure the digital security and integrity of products, services and companies, among other things. However, the management teams in many companies are either inadequately prepared or not prepared at all. This is the result of the Kaspersky study “Enterprise cybersecurity and increasing threats in the era of AI: Do business leaders know what they are doing?”.

The EU and global organizations are working to increase cyber security. For example, WP.29 regulates a set of common cybersecurity standards for new vehicles. The NIS-2 Directive, on the other hand, sets the legal framework for critical EU infrastructure sectors such as energy, water, telecommunications, transportation, financial services, healthcare and digital services. The EU Cyber Resilience Act, on the other hand, is intended to strengthen the IT and digital security of banks, insurance companies and investment firms in the EU by making them more resilient to serious business disruptions. Furthermore, the EU Supply Chain Directive is intended to ensure due diligence by all large companies with regard to human rights and the environment in the EU and in their global value chains.

AI safety is hardly an issue in the management team

However, the management team seems overwhelmed with the implementation of new regulations – both those that are already active and those that will be introduced in the foreseeable future. For example, the Kaspersky study shows that while generative AI (GenAI) is becoming mainstream in the workplace, business leaders still need to be educated about the cyber risks associated with implementing the new technology. While the majority (95%) of business leaders are aware of its use in the company and more than half (53%) say it seamlessly contributes to critical optimization processes. However, less than two thirds (59%) of C-level executives are concerned about AI-related data leaks. Furthermore, less than a quarter (22 percent) have discussed AI regulations at board or executive level.

The automotive sector is also lagging behind

However, this unpreparedness does not only affect AI, but seems to be a general challenge – regardless of topic, country or industry. In the case of the automotive sector, another Kaspersky study shows that a large part of the industry may not yet be prepared for the new WP.29 regulation – even though it has been mandatory since July of this year. As of January, 23 percent of respondents in Germany had already developed plans, but had not yet started or implemented them. Only 37 percent were in the process of implementation.

Management team may also not be prepared for upcoming regulations

In view of these results, it can be assumed that the management team is probably not sufficiently prepared for NIS-2, the EU Resilience Act and the EU Supply Chain Directive. This needs to change as quickly as possible, explains Waldemar Bergstreiser, General Manager Central Europe at Kaspersky:

“Cybersecurity is an essential part of our everyday lives – both privately and professionally; this ranges from private computers and vehicles to critical business functions. Nevertheless, there is still often a lack of implementation of protective measures or compliance with regulations set by the EU and other organizations. Companies urgently need to allocate resources to prepare for future regulations, otherwise they will face serious consequences.”

Recommendations for more cyber security in companies

• Invest in training: Provide training and cybersecurity initiatives for all levels of employees, implement security awareness training to address specific security needs and reduce the risk of internal cybersecurity incidents.
• Provide ongoing information: In preparation for new regulations such as WP.29 and the EU’s NIS-2, RCE, supply chain and AI regulations, regularly inform all employees, including IT and InfoSec experts, about new cyber threats and measures to counter them.
• Use interactive simulators: These help to assess the expertise and decision-making ability of individuals in critical situations. Scenarios from the IT department and interactive learning games can simulate how they monitor and respond to attacks.
• Deploy threat intelligence services: Training from cybersecurity experts helps organizations improve the skills of Infosec staff using cutting-edge EDR, MDR and XDR solutions – such as Kaspersky Next.
• Companies should carry out a fullsupply chain risk assessment of the products and services they use and the associated processes. This includes a thorough review of all suppliers’ cyber security records and risk management plans.
• Processes that are subject to strict compliance should be fully traceable. This includes all strategies for dealing with cyber risks and the entire life cycle of the product and associated services. Every change in the development and design process of the supply chain should be continuously monitored using a structured and defined process.

(lb/Kaspersky)