As information technology advances rapidly, more and more aspects of our lives are shifting into the digital space. The number of companies that can no longer imagine operating without IT is growing daily. While this may seem to simplify or facilitate work functions, it’s not as straightforward as it might initially appear. The modern digital economy is risky, and lurking cyberattacks pose a constant and growing threat to businesses of all sizes across all sectors. During a cyberattack, hackers attempt to steal and misuse information, aiming to disrupt or halt the functioning of computer systems and networks. Companies operating with the help of IT are obliged to protect the sensitive data of customers, investors, and employees. However, as cyberattacks increase in frequency and severity, businesses must be properly prepared. Investing in cybersecurity is no longer a luxury but a necessity. Businesses that neglect cybersecurity often suffer not only financial losses but also a loss of trust from clients and partners, along with reputational damage or the loss of competitive advantage in the market.
The Ministry of National Defense (MoD) in its 2023 National Cybersecurity Status Report noted that overall national cyber resilience directly depends on each organization’s preparedness to implement organizational and technical security measures in their daily operations. Last year alone, the National Cyber Security Center (NCSC) recorded 2,378 cyber incidents. Compared to previous years, the number of more dangerous medium-level incidents grew by 12%.
According to MoD data, cyberattacks in Lithuania in 2023 primarily targeted confidential (non-public) information: authentication data for information system users, financial, commercial, and operational data, GDPR-defined personal data, operational data of information systems, private life data, and professional or service-related data. The most common consequences of cybercrime for legal entities in 2023 included illegal surveillance, theft, encryption, damage, alteration, or destruction of electronic data, email address impersonation and/or interception of electronic correspondence, and unauthorized publication of electronic data. The NCSC reported that in 2023, the most damaging cyberattack methods were malware that encrypts data and demands a ransom, DDoS attacks, supply chain attacks (involving the entirety of organizations, people, technologies, activities, information, and resources tied to the delivery of goods or services), and social engineering attacks aimed at extracting sensitive data.
In light of these threats, the European Union has been working to strengthen cybersecurity. In 2022, the European Parliament and Council adopted the NIS 2 Directive, replacing the outdated NIS 1 Directive (also known as the Networks and Information Systems Directive). In May of this year, Lithuania registered, and in July adopted, a law amending the Cybersecurity Act No. XII-1428, which incorporates the provisions of the NIS 2 Directive into national law. This law will come into effect on October 18.
The NIS 2 Directive aims to address issues related to differentiating essential service operators and digital service providers, a distinction that is now outdated and does not reflect the importance of sectors or services to societal and economic activities in the internal market. It also establishes basic rules for the coordinated operation of regulatory systems, while creating mechanisms for effective cooperation between responsible authorities, updating the list of sectors and activities subject to cybersecurity obligations, and outlining effective remedial and enforcement measures crucial for ensuring compliance with these obligations.
The new version of the law that will come into effect introduces a Cybersecurity Entities Register, which will be overseen by the NCSC. According to the relevant provisions, all entities meeting the criteria outlined in the law will be entered in this register. Preliminary estimates suggest that over 20,000 entities in Lithuania will be affected by the directive.
Cybersecurity entities will be categorized into essential and important entities. Those directly subject to the directive’s provisions will be required to implement cybersecurity risk management measures and report significant cybersecurity incidents to the NCSC. Both public and private sector organizations fall within the scope of the new Cybersecurity Act. The MoD explained that an entire company’s operations will be assessed based on general and specific criteria, and if it engages in activities that qualify it as either an essential or important entity, it will be assigned to the appropriate category. The sectors targeted by the directive’s provisions include: energy; transport; banking; financial infrastructure; healthcare; drinking water; wastewater; digital infrastructure; B2B IT services; public administration; space; postal and courier services; waste management; chemical manufacturing and distribution; food production, processing and distribution; manufacturing; digital service providers; scientific research. Indicators such as the number of employees, annual revenue, or asset value listed on the balance sheet will help determine the entity’s categorization.
Failure to properly implement the directive’s requirements on time may result in financial penalties. Important entities face fines of at least €7 million or 1.4% of total global annual turnover, whichever is higher, while essential entities face fines of at least €10 million or 2% of total global annual turnover, again depending on which amount is greater. In addition to administrative fines, company leaders or authorized individuals may also be held accountable under the same provisions.
Recognizing the potential dangers and the importance of cybersecurity, the next step should be to implement actions to strengthen a company’s resilience to cyberattacks. A few immediate steps include: protecting hardware by using two-factor or multi-factor authentication, educating employees and dedicating time to training them to recognize potential breaches and to know what actions to take if a mistake occurs, backing up data by creating backups stored in a separate location, and securing the company’s internal network with a firewall that acts as a barrier between internal and external networks, controlling and filtering traffic based on predefined security rules.
In addition to preventive measures, companies aiming to protect against cyber risks are also advised to consider special insurance that covers cybersecurity threats. Cyber risk insurance can be seen as transferring some of the risk from the company to the insurer. In the event of a cyberattack, this coverage can reduce or fully compensate for financial losses, allowing the company to continue operations even after an incident. Only a few companies in Lithuania currently offer such insurance. BUNDA is proud to lead the cyber risk insurance market due to its broad coverage, tailored solutions, expert support, and preventive measures. This type of insurance provides much-needed financial security during a cyber incident. As a reliable partner, BUNDA responds quickly to incidents, covering legal and regulatory costs, ensuring business continuity, and making post-attack consequences more manageable. This ensures the company’s long-term stability and growth in an ever-changing digital environment.
We are thrilled to have participated in the 10th anniversary of Lithuania’s biggest insurance event – Draudimo Forumas 2024!
This year is extra special as BUNDA is also celebrating its 10th anniversary!
Our CEO Kristina Penkaitienė delivered an inspiring speech, congratulating the insurance brokers community on this milestone. It was a moment of pride and joy for all of us at BUNDA.
Our Head of Underwriting Andrius Barauskas shared his expertise in a panel discussion on Liability insurance, where participants acted as clients in various situations to discuss how to secure the best liability coverage. This contributed to insightful conversations and industry advancements.
A special highlight was BUNDA’s coffee truck, where Baristokrat baristas enjoyed serving coffee to all event participants. We set a record for the number of coffees served, making it a memorable experience for everyone!
Thank you to all the brokers and participants for the wonderful catch-ups and for making this event a grand success.
Here’s to many more years of collaboration and growth!
At BUNDA, we prioritize the well-being of our team and their loved ones. Each year, we gift our employees’ children a special present to start the school year. This year, we chose umbrellas to keep them safe from the rain on their way to school – a symbol of our care and support. This small token symbolizes our commitment to the well-being of our team and their loved ones, ensuring they feel protected and valued.
We understand that a new school year brings new challenges and opportunities, and we want to wish all of our employees’ children the very best as they take on their studies.
Workation with purpose at BUNDA!
At BUNDA, success is built on a strong team and meaningful collaboration. That’s why we have a tradition of taking the entire team on a workation for a few days each year.
Our workations aren’t just about working remotely from a beautiful location. During this time, we focus on what truly matters:
Work hard, bond harder – that’s the BUNDA way! Looking forward to more shared experiences and achievements with this incredible team.