Data privacy and cybersecurity - UK and EU roundup 2021

Published on March 7th, 2022

At a glance: cybersecurity best practices in Austria


Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

As there are currently no substantial laws on cybersecurity in Austria nor binding guidelines or best practices established on the grounds of the data security requirements set forth in the General Data Protection Regulation (GDPR), enterprises need to rely on industry standards and recommendations by various organisations and authorities.

The first contact in the field of cybersecurity in Austria is the Austrian Computer Emergency Response Team (CERT) for private entities and the Austrian Government Computer Emergency Response Team (GovCERT) for the public sector. Both institutions not only coordinate responses to cyberthreats but also advise on prevention measures. Thus, they constitute the most important contributors to a harmonised understanding of required and recommended cybersecurity measures. To facilitate intra-sectoral exchange of information, sector-specific CERTs are planned with the Austrian Energy CERT for the energy sector already being established. Additionally, sector-specific cybersecurity exchanges for providers of various critical infrastructures have been established in the form of the Austrian Trust Circles.

Further, interested parties can find a multitude of freely available publications on this topic; for example, from the Federal Ministry for Internal Affairs, the Chamber of Commerce or associations specialised in IT topics.

In addition, a coordination committee was established with the introduction of the Network and Information Systems Security Act (NISG). It advises the Federal Minister of Internal Affairs and the Federal Government on whether a ‘cyber crisis’ is occurring, on the operational measures required to cope with such a crisis, and on the coordination of public relations.

How does the government incentivise organisations to improve their cybersecurity?

While the Austrian government is very active in promoting cybersecurity directly as well as indirectly (eg, by means of GovCERT), there are currently no incentives in this context.

The NISG also follows the ‘classical’ approach and penalises inadequate cybersecurity measures, but otherwise does not provide any incentives for compliance.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

In Austria, ÖNORM ISO/IEC 27001: 2017 07 01 (which can be obtained from the ASI against payment) as well as the recommendations of the CERT (available from their homepage: www.cert.at) can be regarded as the main industry standards and codes of practice in the field of cybersecurity.

Comprehensive guidelines summarising the relevant rules and recommendations, as well as a checklist created specifically for very small enterprises, have been created by the Austrian Chamber of Commerce and can be obtained from www.it-safe.at.

Are there generally recommended best practices and procedures for responding to breaches?

Best practices and procedures can be derived from industry standards or recommendations of the CERT. They may vary depending on the type, severity and potential danger of a breach. Thus, there are no general rules apart from containing the breach and saving any information for later analysis.

After the incident, it is considered best practice to have the existing data analysed by a trustworthy and independent third party, to determine how and why the system could be breached, and to take measures to prevent such occurrences in the future.

While the various decisions and recommendations of the data protection authorities, both in Austria and abroad, have provided some guidance in regard to cybersecurity, it is still either rather general or very case-specific. In the latter cases, best practices can be seen slowly developing based on the decisions and recommendations.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
Voluntary information on cyberthreats should be addressed to the CERT (or the GovCERT, in the case of a public entity) by means of an email containing:

  • details of where the incident has occurred (eg, IP address, website);
  • details of the nature of the incident (eg, a virus, a DoS attack);
  • details of how the incident has been noticed (eg, log files);
  • a request for feedback; and
  • an electronic signature.
As there are no recommended standard procedures that the notifying entity can follow in the meantime, it will need to wait for a response from the CERT. In any case, records of the incident should be saved in case they are destroyed or modified during the incident. For providers of critical infrastructure and digital services, the NISG stipulates that these voluntary reports are forwarded to the Federal Ministry for Internal Affairs by the CERT.

Unfortunately, there are currently no incentives to voluntarily disclose information on cyberthreats, apart from peer pressure within the industry.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

In the field of cybersecurity, cooperation between the private and public sectors has a long tradition in Austria, its first highly visible project being the Computer Incident Response Coordination Austria, established in 2003 by the Internet Service Providers Association and the Federal Chancellery.

Nowadays, cooperation continues mainly within the Austrian CERT network, where the most important stakeholders from the private and public sectors are united either directly or indirectly through the participating CERTs. Within this network, not only is the collected information on incidents or threats exchanged but the incident response and the advice on prevention measures are also coordinated.

The results are then propagated by the participants to other organisations, such as the Chamber of Commerce, which issue recommendations to their members, usually in the form of publications. Of course, the flow of information works both ways.

In December 2014, Curatorship Safe Austria, an independent association focused on issues related to internal security, organised a large-scale cybersecurity exercise focused on threats to critical infrastructures, in which, among others, the CERTs, the Federal Ministry for Internal Affairs and various private enterprises participated. The aim of the exercise was to optimise communication between the participants, especially the stakeholders as well as the organisations serving as information hubs for their respective sectors. Smaller exercises were conducted annually in the following years. The results and experience gained during those exercises were taken into consideration in White Papers on cybersecurity published by Curatorship Safe Austria in early summer of the following year, containing recommendations for the planned Austrian Cybersecurity Act, now the NISG.

Further cooperation is expected in the issuing of industry-specific recommendations according to the GDPR.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance against cybersecurity incidents, covering the costs of, for example, data recovery or downtime, is offered by every major insurer active in Austria. The risks covered of course vary from offer to offer, with some providing cover even in the case of negligence or fault.

Despite its availability, cybersecurity insurance is as yet far from common. This has not changed with the introduction of the NISG.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

20 December 2021
