CYBERWARZONE – During a committee debate in the Dutch House of Representatives on cybercrime, Minister Yesilgöz of Justice and Security announced that the government is considering requiring organizations to report major ransomware attacks on their networks.
Key takeaways:
- The Dutch government is considering requiring organizations to report major ransomware attacks on their networks.
- The government is conducting research on the damage caused by ransomware in the Netherlands.
- The government will not create a fund to pay ransomware demands on SMEs.
- The police are working on enabling online reporting of ransomware attacks by victims.
- The minister urged affected organizations not to pay ransomware demands.
- The government is exploring the possibility of implementing a mandatory reporting requirement for ransomware attacks under the Network and Information Security Directive.
The minister also stated that the government is conducting research on the damage caused by ransomware in the Netherlands and that there will be no fund to pay ransomware demands on small and medium-sized enterprises (SMEs).
The minister discussed various topics during the debate, including the integrated approach to cybercrime and online fraud. She emphasized the importance of online reporting of ransomware attacks by victims and stated that the police are working on enabling online reporting for ransomware attacks.
The government is currently conducting research on the nature and extent of ransomware damage to businesses and organizations in the Netherlands. The research is expected to be completed by the summer in 2023.
In response to a question about creating a fund for SMEs to pay ransomware demands, the minister explained that the government considers paying ransomware demands to be undesirable and that such a fund would be unnecessary since there are already insurance providers in the Netherlands that offer cyber insurance for ransomware attacks.
The minister urged affected organizations not to pay ransomware demands, as it does not guarantee that criminals will restore access to systems or refrain from further extortion.
Regarding a proposal for a mandatory reporting requirement for ransomware attacks, the minister stated that the government is exploring the possibility of implementing such a requirement under the Network and Information Security Directive for large incidents.
You might want to read:
She committed to informing the House of Representatives about the potential reporting requirement in the third quarter of this year.
The directive applies to essential service providers in sectors such as energy, finance, and transportation, as well as digital service providers such as cloud services, search engines, and online marketplaces.
These companies have a duty of care to take appropriate and proportionate measures to prevent incidents and are already subject to a reporting requirement for incidents with significant consequences.
What do you think about the Dutch government’s approach to combatting ransomware attacks, including their considerations of mandatory reporting for major attacks, research on the damage caused by ransomware, and their decision not to create a fund to pay ransom demands on SMEs?