Freely subscribe to our NEWSLETTER

In France, the Ministry of the Interior’s orientation and programming law (Lopmi) also requires companies that have been victims of ransomware cyberattacks to file a complaint within 72 hours if they wish to benefit from assistance and reimbursement of a cyber ransom by their insurance.

In addition, the European NIS 2 directive, due to come into force in member states in the second half of 2024, imposes a new regulatory framework for cyber risk management, particularly in terms of analyzing the measures put in place for information systems security, business continuity, backup management and disaster recovery, as well as crisis management.

The question of critical and sensitive data, their clear identification and the protection measures put in place will therefore be at the heart of this new regulatory framework. In the United States, the SEC goes further, requiring affected companies to disclose the material impact of the attack, particularly in terms of the most critical data.

However, for Mark Molyneux, CTO EMEA at Cohesity, "Most companies will find it difficult to properly assess the value of data that has been stolen, altered, accessed or used for other unauthorized purposes, as much is hidden in the dark." Gartner refers to this as "Dark Data", which could represent up to 75% of a company’s total data. To best prepare for this new legislative framework, "Companies need to equip themselves with a modern, robust and intelligent system for safeguarding and classifying their data, not only to meet current compliance and transparency requirements, but also and above all, to counter the exponential threat of cyber-attacks, which are becoming ever more sophisticated and pernicious" continues Mark Molyneux.

While these new rules carry notorious penalties - with the SEC imposing fines of $6.4 billion in 2022 alone - listed companies in the USA need to get their act together. Europe is not to be outdone, particularly as the NIS 2 directive approaches entry into force.