Management responsibility for cybersecurity – what's coming up?

Management responsibility for cybersecurity
The legislative process for approving the new Cybersecurity Act and its implementing regulations is ongoing. While the current proposal may still change, it is unlikely that top management's responsibility for cybersecurity will be dropped. So, what new obligations should top management prepare for?
Who is considered top management?

The new requirements, stemming mainly from the NIS2 Directive, mean that top management will bear greater responsibility for ensuring cybersecurity than before. Responsibility will rest not only on the company but also on the top management itself. Who counts as top management under the new law? The draft Czech Cybersecurity Act defines top management as the statutory body, or another person or group of people in a similar position. How broadly this will be interpreted remains to be seen in practice.

The requirements for top management are set out as a security measure for providers of regulated services under both the higher and the lower duty regime.

Responsibilities of top management in the higher duty regime

For those providing regulated services under the higher duty regime, there will be numerous requirements placed on top management.

Attend cybersecurity training

Top management will need to undergo verifiable training to gain a basic understanding of the area they oversee. This training should align with the company's security awareness development plan, and top management must be informed about their obligations and about the company's security policy, particularly in the areas of the Information Security Management System (ISMS) and risk management.

Ensure the establishment of security policies and ISMS goals, integration of ISMS into company processes, availability of resources for ISMS, and support for achieving ISMS goals

While top management may not be required to draft security policies and goals themselves, they must ensure that these are set and that the ISMS is integrated into the company's processes. The regulations emphasize that resources must be allocated and that the achievement of ISMS goals must be supported. Cybersecurity should not be a peripheral issue but one the company focuses on and dedicates resources to.

Inform employees about the importance of ISMS and compliance with its requirements, guide employees in enhancing ISMS effectiveness, and promote continuous improvement of ISMS

The regulations highlight that top management must ensure employees are informed about the importance of cybersecurity within the company. Top management should lead and support employees in improving the effectiveness of the ISMS. Continuous improvement is a fundamental principle of cybersecurity, as the field evolves rapidly and requires constant attention.

Participate in developing the impact analysis

As part of business continuity management, top management will take part in the impact analysis, which determines the priorities to follow when continuity and recovery plans are activated. This analysis is essential for making effective decisions during a disruption.

Ensure testing of continuity and recovery plans and incident response processes

It is not enough merely to create continuity and recovery plans and incident response processes; they must also be tested and kept up to date. Management will be responsible for ensuring that these tests are carried out.

Support security roles within the company

Top management must support those in security roles in enforcing cybersecurity within their areas of responsibility. They must ensure that rules are set for identifying administrators and the individuals who will hold security roles, and that confidentiality is maintained by all relevant parties, including administrators, security role holders, and suppliers.

Become familiar with security documentation and outputs

Management will need to review the ISMS review report, the risk assessment report, and the results of the impact analysis. They will also need to examine the results of cybersecurity audits and of other control activities related to cybersecurity.

Establish a cybersecurity management committee

The cybersecurity management committee should consist of individuals with the authority and expertise needed to manage and develop the ISMS, including those who play a significant role in managing and coordinating cybersecurity activities. At least one member of top management (or a designated representative) and the cybersecurity manager must sit on this committee.

Responsibilities of top management under the lower duty regime

Compared to the higher duty regime, fewer requirements are imposed on top management under the lower duty regime.

Attend training and be informed about their obligations

Top management must be verifiably informed of their responsibilities for ensuring cybersecurity. Regular training on security policies and on ensuring cybersecurity will also be required.

Ensure availability of resources

As in the higher duty regime, management will need to ensure the availability of the resources required to maintain cybersecurity, in line with the overview of security measures.

Stay informed about the status of security measures

The goal of this obligation is to ensure that top management is verifiably aware of the status of security measures. According to the draft regulations, this should take the form of an overview of all security measures that have been implemented, those that are planned, and those that have not been implemented.

How can management stay informed about the state of the company?

In the higher regime, many responsibilities are assigned to top management, and the regulations also set out management's role within the ISMS. The cybersecurity manager will be responsible for regularly informing management about the state of the ISMS and about activities falling under management's responsibilities. Management should therefore receive the information it needs through regular reporting and communication with the cybersecurity manager.

In the lower regime, the responsibility for informing management falls to the security role "person responsible for cybersecurity".

In the second part of this article we will look at the sanctions that management faces for failing to meet these requirements.

Get ready

We can help you with practical preparation of your company for the new cybersecurity legislation.
