How does NIS2 affect retailers?
In 2021, 500 COOP food stores in Sweden were forced to close when a significant ransomware attack hit the company. The attack resulted in point-of-sale tills and self-service checkouts failing. The retailer is not alone: a Sophos report, "The State of Ransomware in Retail 2022," shows a growing trend of threats targeting retail, with 77% of retailers experiencing a ransomware attack in 2021. To help mitigate the risks of cyber threats to retailers and other industries, the EU has updated its cybersecurity regulation, Network and Information Security (NIS), to NIS2.
This EU-wide initiative delivers the framework needed to build better cybersecurity structures across industries that provide essential functions: this includes retail.
Why does retail need to comply with NIS2?
The retail sector is an ideal financial playground for cybercriminals, with the industry worth 27.34 trillion USD in sales in 2021. Cybercriminals and scammers follow the money when it comes to executing fraud. It is, therefore, no surprise that the world of retail is seeing increased cyber-threats. There are many examples of retailers being hit with cyber-attacks that had severe consequences. Two recent retail-targeted cyber-attacks for reference are:
- The Works: April 2022 saw the cut-price bookstore The Works targeted in a cyber-attack that is believed to have involved wiper malware. The attack resulted in 5 of its 526 stores being temporarily closed.
- KP Snacks: in January 2022, KP Snacks was the victim of a ransomware attack. The attack resulted in delays to products well into March.
With 77% of retailers suffering a ransomware attack, the question is not if but when your retail company will become a victim. Preparation is key to de-risking a retail organization and hardening its defenses against a cyber-attack. To ensure that retail (and other sectors) are fully prepared for cyber-attacks, the regulators have recently added retail to NIS2; this update reflects the new breed of cyber-attacks that focus on critical functions such as retail and its supply chain. The problem is that cyber-attacks are so commonplace that a retailer can feel overwhelmed and unclear about how best to tackle the problem. As a result, the responses we hear from retailers on the thorny issue of cyber-threats show high levels of concern mixed with feelings of being overwhelmed; typical statements include:
- "we're too small to be a victim"
- "we have no budget for cyber security"
- "it's just fake news"
- "cyber insurance is the answer"
- "we already have anti-malware and firewall"
- "we just don't know where to start"
NIS2 and retail
The NIS (Network and Information Security) directive provides a framework of measures that act as a baseline for cybersecurity risk management.
The NIS2 directive includes measures and reporting obligations for covered entities in sectors including energy, transport, and health.
Under NIS2, certain retail areas are also included under "operators of essential services and important entities" that have "food production, processing and distribution."
Scope of NIS2 in terms of retail
The NIS2 directive focuses on 'essential' and 'important' entities that are vital for society's functioning, such as retailers involved in food distribution. The directive explicitly calls out "food production, processing and distribution" and "providers of online marketplaces." These cover activities that justify placing many retailers under the class of "important services" instead of "essential services." Not all retailers will be in scope; for example, it is unlikely that a retailer of musical instruments would be in scope.
A retailer must therefore first determine whether its operation is a covered entity under NIS2.
Penalties for non-compliance with NIS2
Like the GDPR, non-compliance with NIS2 comes with hefty fines. For example, the NIS2 Draft Article 31 says this on non-compliance penalties: "in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of at least 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the essential or important entity belongs in the preceding financial year, whichever is higher."
Breach notification rules
NIS2 directive Article 20 sets out stringent reporting expectations if a cyber-breach occurs.
The regulation requires that breach notification is made "without undue delay". This means the notice should be issued within 24 hours of an incident, but this can, under exceptional circumstances, be extended to 72 hours. Notably, notification of a breach that has impacted services is expected even if there is no indication that personal data was exposed.
Cyber security measures required by NIS2
Article 18 of the NIS2 directive states that covered entities should "take appropriate and proportionate technical and organizational measures" to manage cyber risks. NIS2 also lists the cyber security measures that retail and other covered entities are expected to deploy, including:
- Risk analysis and information security policies
- Thorough incident handling
- Business continuity and crisis management
- Robust supply chain security
- Extensive network security
- Vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Appropriate use of cryptography and encryption
Consequences of a cyber-attack on retail
While it may seem a significant task to put the NIS2 security measures in place, the alternative is the mayhem caused by a cyber-attack. The consequences of a cyber-attack on retail, as noted in the examples above, include shop closures, large ransom payments to protect data, and many other problems, including:
- Empty shelves
- Unable to process orders, and the supply chain blocked
- Held to ransom with large financial losses; according to the Sophos report "State of Ransomware in Retail 2022", the overall cost to retail organizations to remediate a ransomware attack is dropping but still high: the average cost per ransomware attack was US$1.97M in 2020 and US$1.27 in 2021.
- Production stoppages
The weakest link
Supply chain attacks are widespread, with 97% of companies "negatively impacted" by a cybersecurity breach originating at a supply chain vendor, according to research in the BlueVoyant survey. One of the areas that NIS2 focuses on is the supply chain, and as a result NIS2 strengthens supply chain security. In recent years, supply chain attacks have become a standard tactic of cybercriminals. Supply chain attacks in retail can be a double whammy: they disrupt delivery, and/or the supplier is used as a way into companies higher up the chain. The KP Snacks incident mentioned above illustrates the aftereffects of a supply chain attack, with the supply chain impact causing delays in product distribution and delivery.
How can a retailer become cyber-fit to comply with NIS2?
The security industry has no shortage of "solutions"; however, picking the best combination can be a challenge. Standards organizations have prescribed strategies to achieve and maintain cyber-fitness. These strategies can be used to ensure your organization meets the compliance requirements of NIS2. One advantage of adopting a standards-based approach is that it brings a degree of impartiality to the decision-making process. Instead of worrying about which brands of security tools to buy, it becomes a discussion about which types of tools. Andrew S. Tanenbaum, Professor of Computer Science, Vrije Universiteit, Amsterdam, summed up the situation vis-à-vis the standards-based approach perfectly: "The good thing about standards is that there are so many to choose from."
For NIS2 compliance, specific security processes, measures, and tools must be evaluated and implemented. These include:
- Security training and awareness
- Better incident reporting and handling/response
- General improvement of security posture
- Risk analysis and information system security policies
- Business continuity and crisis management
- Supply chain security measures
- Cybersecurity risk management and business continuity policies
- Cryptography and encryption
Cyber-fitness is a process that can be made simpler by sharing the responsibility with third-party specialists. Outsourcing to specialists with the right in-house capabilities creates a fair and equitable model that is cost-effective and flexible enough to withstand change. In addition, if further updates to NIS are made, these specialists will make the transition less painful. From mid-2024, sectors such as industrial food producers, food distributors, and supermarket chains will be required to take the appropriate cybersecurity measures set out in the NIS2 directive. By preparing now, these entities can ensure they are cyber-fit in time for the directive.