Cybersecurity: regulatory news, corporate liability and cybercrime prevention
1. Background
Cybercrime is a growing phenomenon whose precision and invasive capacity are alarming, as are its increasingly sophisticated and automated techniques, which are potentially very damaging to individuals, companies, government or multinational entities, and the entire community. Advanced digitization, remote work, and technological evolution make such entities more susceptible to cyber threats and incidents, endangering business continuity and data protection.
The evolution of information technology has led to an increase in criminal activities, facilitated by the abuse of software (ransomware, cryptolocker, viruses, worms, and Trojans), and the number of devices connected to the Internet: smartphones, notebooks, laptops, etc.
The range of possible cyber attacks is very wide and varies according to the techniques used to carry them out: among the most common are Phishing, aimed at extorting data through an explicit request to the legitimate owner, and Malware, i.e., applications created specifically to penetrate computer defenses and damage devices.
Cyber risks, by their very nature, are neither predictable nor programmable, as the constant and continuous technological evolution often makes it very complex to identify all possible categories of actions to be prevented and, consequently, the relevant protection measures to be implemented.
The issues on cybersecurity that have emerged as a result of the many serious attacks recently suffered by public and private entities have made it increasingly urgent and necessary for institutions to take action in order to facilitate coordination of the relevant legislation in force, to fill regulatory gaps and to ensure greater protection in the face of the cyber risks to which entities are exposed on a daily basis.
Individuals and companies are required to be particularly careful in the use of information media, and the ability to recognize the relevant criminal conduct, develop the necessary skills and conduct specific training on the subject is becoming increasingly essential.
In addition, the support of experienced consultants with specific expertise in the field is essential, both for prevention activities and for follow-up action in the event of successful cyber attacks.
2. Cyber attacks: a growing phenomenon
According to the CLUSIT (Italian Association for Information Security) Report updated to October 2023, comparing the number of cyber attacks on organizations' information security detected in Italy in the first half of 2018 with those in the first half of 2023, the growth was 86% (from 745 to 1,382). During the same period, the monthly average of serious attacks increased from 124 to 230 (nearly 8 per day).
Overall, there was also a significant increase (+40%) in successful attacks in the first half of 2023 compared to 2022.
As for the comparison with other countries, the increase in attacks detected towards Italian entities is percent greater than the growth observed globally, which was 11% in the first half of 2023.
The Global Data Protection Index conducted by Dell Technologies in collaboration with Vanson Bourne showed that in Italy, 76% of companies experienced at least one disruption of their IT systems in 2023 as a result of cyberattacks, incidents that hindered access to data or caused data loss.
In addition to increasing frequency, impacts have also increased: their estimated "Severity" has grown steadily.
The survey also highlights the significant economic impact such events can have on businesses. In Italy, about 60% of companies have incurred significant costs, ranging from $500,000 to $1 million, as a result of cyber attacks and related incidents suffered.
3. European regulatory framework
One of the earliest regulatory contributions at the European level is Directive (EU) 2016/1148 of July 6, 2016 (so-called NIS Directive - Network and Information Security) with the aim of ensuring a "high level of network and information system security in the national sphere, contributing to raising the common level of security in the European Union." The NIS Directive was transposed into Italian law by Legislative Decree No. 65/2018, which was followed by Decree-Law No. 105 of 2019 (later converted and amended in part by Law No. 133 of November 18, 2019) that formally established, among other things, the National Cyber Security Perimeter.
Over the years, the EU institutions have further strengthened their cooperation to counter cyber attacks, passing the Cybersecurity Regulation on April 9, 2019, which introduced a set of EU-wide certification systems and established a permanent EU cybersecurity agency.
The Council also established a framework for the EU and its member states to use all CFSP measures, including restrictive measures if necessary, for the prevention, discouragement, deterrence, and response to malicious cyber activities against the integrity and security of the EU and its member states.
For the first time in July 2020, the EU imposed restrictive measures against six individuals and three entities responsible for carrying out or participating in cyber attacks. These included the attempted cyber attack against the OPCW (Organization for the Prohibition of Chemical Weapons) and the attacks publicly known as "WannaCry," "NotPetya," and "Operation Cloud Hopper."
With Directive No. 2022/2555 (so-called NIS2 Directive), the Council adopted new legislation to ensure a high common level of cybersecurity in the Union and further improve the resilience and incident response capabilities of the public and private sector and the EU as a whole. The NIS2 Directive replaced the previous Network and Information Systems Security Directive (NIS Directive), expanding the scope for major economic and social activities in the internal market.
The NIS2 Directive, in fact, also considers smaller public entities and small and medium-sized enterprises as subjects deserving attention and makes a further distinction between essential and important services. While the Directive prescribes the development of individual IT security plans, based on the needs of the specific organization, it also provides for a common evaluation, with shared and standardized criteria, of the effectiveness of the adopted platforms, as well as a periodic review and updating of protection measures.
The impact of the NIS2 Directive on companies is quite significant, as they are obliged not only to adopt more stringent cybersecurity measures but also to verify the security of their supply chains by checking that their suppliers have adequate data and information protection requirements. Especially involved in this are digital service providers in the areas of e-commerce, search engines, cloud computing, and ICT service management.
Then, last January 7, Regulation 2023/2841 of the European Parliament and of the Council entered into force, which establishes new measures aimed at the establishment by each Union entity of an internal cybersecurity risk management, governance and control system, as well as cybersecurity risk reporting and information sharing.
In particular, the Regulation suggests the adoption of technical, operational and organizational measures proportionate to the risks identified, as well as the importance of sharing information on incidents to facilitate threat detection.
The Regulation also provides rules on the organization, functioning and operation of the EU Computer Emergency Response Team (CERT-EU), which is responsible for improving the protection of information systems by providing support in the prevention and management of incidents and facilitating the sharing of relevant information on cyber threats and the coordination of responses to any cybersecurity emergencies.
The Regulation also established the Interinstitutional Cybersecurity Board (IICB), composed of representatives from various EU institutions, in order to promote a high level of common cybersecurity among EU actors by adopting multi-year strategies and overseeing the implementation of the Regulation.
The EU's action plan (known as the "strategic compass") to strengthen security and defense policy - including digital - by 2030 is also part of the EU process described, under which it is possible to assume that further measures will be taken in the coming years.
Finally, an additional measure of key importance could be the Cyber Resilience Act (CRA), an initial proposal for which was submitted by the Commission on September 15, 2022, and subsequently amended last December 2023.
The CRA is aimed at ensuring:
- harmonized standards for the placing on the market of products or software with a digital component;
- a framework of cybersecurity requirements governing the planning, design, development and maintenance of such products;
- an obligation to provide duty of care for the entire life cycle of such products, thereby protecting consumers and businesses that purchase or use them.
4. The DDL Cybersecurity and the main innovations
In the face of regulatory developments initiated in the European context, the Italian Council of Ministers, on January 25, 2024, approved a draft bill introducing provisions on cybercrimes and strengthening national cybersecurity (hereinafter also "DDL Cybersecurity").
The text intervenes with significant substantive and procedural changes to the regulation of cybercrimes, providing for the raising of penalties, the inclusion of aggravating factors and/or the prohibition of mitigating factors for various crimes committed through the use of computer equipment and aimed at producing undue advantages to the detriment of others for those who commit them or to illegally access computer systems and/or intercept/interrupt computer and telematic communications.
4.1. Computer crimes
The DDL provides that the penalty for abusive access to computer systems under Article 615 ter of the Criminal Code is doubled from 1-5 to 2-10 years of imprisonment.
The same sentencing framework is also applied to those whose conduct constitutes the offence provided for in Article 615 ter of the Criminal Code not only through the use of violence against property but also through the threat of its use.
The same punishment is also provided for those who, through abusive access to a computer or telematic system, cause not only the destruction or damage of the system but also "the removal, including by reproduction or transmission, or inaccessibility to the owner" of the computer or telematic system.
Penalties for the conduct punished by the third paragraph of Article 615 ter of the Criminal Code are raised from the current provision of "one to five years and three to eight years" to "three to 10 years and four to 12 years."
In addition, there is provision for the addition of a second sentence to the third paragraph of Article 615 ter of the Criminal Code, by which it is stipulated that for the conduct punished by the aforementioned paragraph, where the circumstances provided for in number 3 of the second paragraph of the same article also exist, almost all the mitigating circumstances cannot be recognized in a prevalent or equivalent measure to the aforementioned aggravating circumstances, except for the mitigating circumstances provided for in Articles 89, 98 and 623 quater of the Criminal Code (the latter being newly introduced).
For the crime referred to in Article 615 quater of the Criminal Code (Unauthorized possession and dissemination of access codes to computer or telematic systems), the "advantage" is taken into account and no longer the "profit" obtained through the commission of the crime: the assessment of unlawfulness thus disregards the "economic" concept of profit and is linked to the more generic category of advantage.
The second paragraph of the aforementioned article is, in addition, entirely replaced, providing for the punishment of imprisonment from two to six years for public officials, public service officers, abusive practitioners of the profession of private investigator and for those who abuse their capacity as system operators.
There is provision for the introduction of a third paragraph to this article of the Criminal Code by which it is specified that a penalty of imprisonment from three to eight years shall be imposed on anyone who possesses, disseminates or abusively installs equipment, codes and other means of accessing computer or telematic systems of military interest or relating to public order or public security or health or civil protection or otherwise of public interest (the circumstance referred to in Article 615 ter, paragraph 3, first sentence, of the Criminal Code).
The DDL repeals Article 615-quinquies of the Criminal Code and provides for the addition of a new paragraph to Article 617-bis of the Criminal Code (by which it establishes the punishment of imprisonment from two to six years for those who violate Article 617-bis of the Criminal Code and hold the position of public official, person in charge of public service, abusive practitioner of the profession of private investigator or system operator abusing their capacity, a circumstance referred to in Article 615 ter, paragraph 2, number 1, of the Criminal Code).
As for the offence under Article 617 quater of the Criminal Code (Illegal interception, obstruction or interruption of computer or telematic communications), the DDL provides for a change of the sentencing framework provided for in the fourth paragraph (from the current penalty of imprisonment of three to eight years to a new penalty of imprisonment of four to ten years) when the crime is committed to the detriment of specific persons specified in the legislation. As with the amendment of Article 615 ter of the Criminal Code, an additional paragraph is also introduced for Article 617 quater of the Criminal Code, by which the prohibition of granting mitigating circumstances in a prevalent or equivalent measure to the aggravating circumstances provided for in the fourth paragraph of Article 617 quater is introduced.
Also for the crimes under Article 617 quinquies and 617 sexies, a tightening of penalties is provided for where certain circumstances identified in the legislation occur, and again, the prohibition of granting prevailing or equivalent mitigating circumstances is introduced.
One of the most significant new features introduced by the DDL is the introduction of Article 623 quater of the Criminal Code, a mitigating circumstance envisaged for the perpetrator of computer crimes (referred to in Articles 615 ter, 615 quater, 617 quater, 617 quinquies and 617 sexies) who decides to cooperate with justice, preventing the criminal activity from being taken to further consequences, including by assisting the police or judicial authorities in the collection of evidence or in the recovery of the proceeds of the crimes or the instruments used for the commission of the same crimes. In such cases, the provision provides for a sentence discount of one-half to two-thirds.
Another important novelty is the introduction of the crime of extortion by means of a computer crime in Article 629 co. 3 of the Criminal Code: one who commits extortion by means of the commission or threatened commission of the crimes punished by Articles 615 ter, 617 quater, 617 sexies, 635 bis, 635 quater and 635 quinquies of the Criminal Code is punished with imprisonment from six to 12 years and, if some of the circumstances indicated in the last paragraph of Article 628 of the Criminal Code exist, the punishment is that of imprisonment from eight to twenty-two years.
Finally, the bill also provides for an increase in penalties for all the various cases of computer or telematic damage provided for in Articles 635 bis c.p. et seq. In addition, again, it provides for the introduction of a new article (Article 635 sexies of the Criminal Code) by which the mitigating circumstance is inserted, applicable to extortion by commission or threat of computer crime and the various cases of computer or telematic damage, which provides for a reduction in punishment from half to two-thirds for those who decide to cooperate with the Authorities.
4.2. National Cybersecurity Agency and obligations for public entities
The DDL provides for the strengthening of the functions of the Agency for National Cybersecurity (ACN) and its coordination with the Judicial Authority in case of cyber attacks, through specific procedures aimed at making intervention and restoration of the functionality of information systems more immediate.
The DDL Cybersecurity also establishes an obligation for public entities (including their respective in-house companies) identified in the legislation to equip themselves with cybersecurity systems, including by identifying an internal Cybersecurity function, as well as an obligation to report and notify incidents indicated in a specific ACN measure, impacting networks, information systems and IT services, regulating the related procedure. Failure to comply with the reporting requirement may result in possible inspections by the Agency, in the 12 months following the determination of the delay or omission, including for the purpose of verifying the implementation of resilience-building actions. In cases of repeated failure to comply with the notification requirement, a fine of 25,000 to 125,000 euros will be imposed on the entity by the Agency.
In addition, for employees of public administrations, violation of the provisions may constitute grounds for disciplinary and administrative-accounting liability.
For the same subjects, where the Agency reports specific vulnerabilities to which they are potentially exposed, there is an obligation to adopt, without delay and in any case no later than fifteen days from the communication, the remedial actions indicated by the Agency; failure or delay in adopting these remedial actions is subject to the same sanctions.
The DDL also provides that, in relation to specific issues, the Cybersecurity Nucleus may be convened, in a composition from time to time extended to the participation of a representative of the National Anti-Mafia and Anti-Terrorism Prosecutor's Office, the Bank of Italy or other parties interested in the same issues.
4.3. Regulation of public contracts for IT goods and services
Finally, the draft law amends the provisions on public contracts for IT goods and services employed in a context related to the protection of strategic national interests, providing that, as part of the supply/provision of such IT infrastructure, "the essential elements of cybersecurity" must be identified, in the absence of which the entity may freely revoke the award.
This provision takes on particular relevance as it effectively extends the scope of the regulations to all private entities, which are suppliers of IT goods and services to the Public Administration and which, therefore, must commit to meeting the mentioned cybersecurity requirements.
4.4. Regulatory Gaps
The DDL Cybersecurity represents a significant contribution in the fight against cybercrime in Italy.
However, the text approved by the Council of Ministers makes no provision for the prevention of cyber attacks, that is, for all the possible measures to prevent the occurrence of such damaging events, focusing instead mainly on sanctions and subsequent intervention by the legal system.
Despite the regulatory gaps, it is essential to have the necessary mechanisms in place to prevent cybercrime, not only through the adoption of advanced cybersecurity technologies, but also through effective governance systems, the adoption of internal policies and procedures specifically aimed at minimizing cyber risks, and the constant training and updating of personnel skills.
The DDL also makes no mention of Artificial Intelligence. Indeed, the rapid development of AI applications in recent years, the use of which is spreading across numerous business sectors, has significant legal implications related to the operation and use of such tools.
The occurrence of criminal conduct attributable to the use or operation of AI systems could affect different areas of criminal law (either in relation to new ways of committing already codified crimes or in relation to the need to criminalize new conduct).
For example, the use of AI technologies for the development of new malware or social engineering tools could lead to increasingly dangerous cyber attacks or frauds; new crimes could also be configured in relation to the programming of AI systems used for the realization of cyber attacks or having an illicit character (e.g., used for extortion purposes).
On 27 March 2023, Europol published a first report dedicated to the potential use of ChatGPT and similar models for criminal purposes. The report finds that such applications can significantly facilitate the commission of crimes, essentially increasing the potential and skills of individual (cyber)criminals.
For example, the particular imitative ability and the capacity to process natural language make such tools an essential aid in the perpetration of "fraud" and social engineering, being able to produce "highly realistic" texts capable of reproducing the communicative style of specific individuals or organizations, and therefore endowed with a definitely higher deceptive potential, usable for example for extremely accurate phishing campaigns. The same generative capability can also facilitate cyber criminals in the perpetration of cyber crimes in the strict sense, since AI can, at the request of users, produce code in different programming languages and, therefore, provide users with little technical knowledge and skills with means and instructions to carry out cyber attacks.
5. New profiles of corporate liability and prevention of cyber crimes
With Law 48/2008, which ratified the Budapest Convention of the Council of Europe on cyber crime, cybercrimes were included in the list of predicate offenses of Legislative Decree 231/01, for which the Entity, in addition to the individual, can also be held liable.
The Cybersecurity DDL also introduces relevant changes in the area of administrative liability arising from crime, in particular to Article 24 bis of Legislative Decree 231/2001, as it expands the list of offenses, including the new Article 629 co. 3 of the Criminal Code, and increases the pecuniary penalties expressed in quotas.
In order to best prevent the commission of cybercrimes, it is advisable for companies to adopt an Organization, Management and Control Model in accordance with Legislative Decree 231/01 or, if they have already adopted it, to implement and update it by assessing the possible risks and related control safeguards with regard to the regulatory changes examined.
In fact, the mere adoption of any procedures, security measures or management systems that are not included within an Organization, Management and Control Model is not sufficient to exclude the entity's liability for crime.
It is therefore necessary to carry out an analysis of the offenses that could abstractly be committed in the context of the company's activities, identify the sensitive activities, i.e., the activities in the performance of which one of the offenses identified as abstractly realizable may be committed, and integrate, accordingly, effective control measures and prevention protocols.
An additional prevention tool is provided by the standards ISO 27001 - Information Security Management Systems and ISO 27002 - Guidelines for the Implementation of Information Security Management Systems.
Possible areas of implementation may include:
- the definition of information security roles and responsibilities;
- the definition of internal information security processes and specific protocols for crime prevention (e.g., for asset management, access control, physical and environmental security, operational controls, etc.);
- the control of external suppliers that may have impacts in relation to information security;
- the training and awareness of personnel in information security;
- the provision of information protection measures even when the employment relationship ends or the supply contract expires.