1
00:00:04,240 --> 00:00:08,400
Speaker 1: NIS 2 is focusing on cybersecurity of entities, and the

2
00:00:08,480 --> 00:00:17,399
CRA is focusing on cybersecurity for products with digital elements.

3
00:00:19,399 --> 00:00:23,079
Speaker 2: Welcome everyone to the Industrial Security Podcast. My name is

4
00:00:23,160 --> 00:00:26,679
Nate Nelson. I'm here with Andrew Ginter, the vice president

5
00:00:26,839 --> 00:00:31,000
of Industrial Security at Waterfall Security Solutions, who's going to

6
00:00:31,039 --> 00:00:34,240
introduce the subjects and guest of our show today. Andrew,

7
00:00:34,520 --> 00:00:35,200
how's it going?

8
00:00:35,880 --> 00:00:38,039
Speaker 3: I'm very well, thank you, Nate. Our guest today is

9
00:00:38,119 --> 00:00:41,359
Christina Kiefer. She is an attorney at law and a

10
00:00:41,439 --> 00:00:46,039
senior associate in the Digital Business department of Reuschlaw, and

11
00:00:46,079 --> 00:00:49,920
she's going to be talking to us about cybersecurity regulation

12
00:00:50,280 --> 00:00:52,439
in the European Union. You know, as we all know,

13
00:00:52,600 --> 00:00:55,280
NIS 2 is coming, and there's other stuff coming too.

14
00:00:56,039 --> 00:00:59,920
Speaker 2: Then, without further ado, here's your conversation with Christina.

15
00:01:02,479 --> 00:01:05,920
Speaker 3: Hello Christina, and welcome to the podcast. Before we get started,

16
00:01:05,920 --> 00:01:07,959
can I ask you to say a few words, you know,

17
00:01:08,040 --> 00:01:10,760
introduce yourself and your background and tell us a bit

18
00:01:10,840 --> 00:01:13,040
about the good work that you're doing at Reuschlaw.

19
00:01:13,599 --> 00:01:15,799
Speaker 1: Yes, of course. So, first of all, thank you very

20
00:01:15,879 --> 00:01:18,599
much for the invitation. I'm very happy to be in

21
00:01:18,640 --> 00:01:19,680
your podcast today.

22
00:01:20,200 --> 00:01:22,840
Speaker 4: So yeah to me. My name is Christina Kiefer.

23
00:01:23,000 --> 00:01:26,280
Speaker 1: I'm an attorney at law working as a

24
00:01:26,400 --> 00:01:30,680
senior associate at our digital business unit in the law

25
00:01:30,760 --> 00:01:34,680
firm Reuschlaw. We are based in Germany and Reuschlaw

26
00:01:34,760 --> 00:01:38,519
is one of Europe's leading commercial law firms specialized in

27
00:01:38,640 --> 00:01:43,000
product law and for more than twenty years, our team

28
00:01:43,280 --> 00:01:48,319
of approximately thirty experts has been advising companies in dynamic

29
00:01:48,359 --> 00:01:53,519
industries both nationally but also internationally. And for me myself

30
00:01:53,599 --> 00:01:57,760
and my daily work, I advise companies and also public

31
00:01:57,879 --> 00:02:04,079
institutions on complex issues in the areas of data protection, cybersecurity,

32
00:02:04,200 --> 00:02:08,039
but also IT and contract law. And one focus of

33
00:02:08,039 --> 00:02:11,560
my work is supporting clients in the introduction of digital

34
00:02:11,599 --> 00:02:15,680
products in the EU market and also looking at the

35
00:02:15,719 --> 00:02:20,000
field of cybersecurity and IT law. Since my studies I

36
00:02:20,039 --> 00:02:24,199
have already focused on IT law and cybersecurity and yes

37
00:02:24,280 --> 00:02:27,719
I have been involved in the legal developments since then

38
00:02:27,800 --> 00:02:28,599
in this area.

39
00:02:29,479 --> 00:02:32,360
Speaker 3: And our topic is you know, the law in Europe

40
00:02:32,360 --> 00:02:35,759
for cybersecurity, it's regulation. The big news in Europe is

41
00:02:35,800 --> 00:02:39,120
of course NIS 2, and it's not a law, it's

42
00:02:39,159 --> 00:02:43,240
a directive to the nation states to produce laws to

43
00:02:43,280 --> 00:02:46,800
produce regulations. So every country is going to have its

44
00:02:46,840 --> 00:02:50,000
own laws. Can I ask you for an update? How's

45
00:02:50,039 --> 00:02:53,280
that going? Who's got the law? I thought there was

46
00:02:53,319 --> 00:02:57,280
a deadline, you know the nations of Europe have this

47
00:02:57,479 --> 00:02:59,080
covered or is it still coming?

48
00:03:00,759 --> 00:03:03,639
Speaker 1: Yeah, so it's the last point, so it's still coming.

49
00:03:05,000 --> 00:03:08,879
Some countries have already transposed the NIS 2 directive into national law,

50
00:03:08,960 --> 00:03:11,280
but also a lot of countries are still in the

51
00:03:11,400 --> 00:03:18,199
developing and the transposition period. And that's where we

52
00:03:18,639 --> 00:03:22,039
are confused, because the NIS 2 directive has already

53
00:03:22,280 --> 00:03:26,240
been in force since January twenty twenty three.

54
00:03:27,400 --> 00:03:29,960
And also the deadline for the EU member states to

55
00:03:30,280 --> 00:03:35,080
transpose the NIS 2 directive into national law was October

56
00:03:35,120 --> 00:03:38,639
twenty twenty four. So because of that, because a

57
00:03:38,639 --> 00:03:41,719
lot of member states haven't transposed the NIS 2 directive

58
00:03:41,719 --> 00:03:46,560
into national law, the EU Commission has launched infringement proceedings

59
00:03:46,759 --> 00:03:51,479
against twenty-three member states last fall in twenty

60
00:03:51,520 --> 00:03:56,360
twenty four. And this yeah, has led to some movements

61
00:03:56,360 --> 00:03:57,719
in some EU member states.

62
00:03:58,479 --> 00:03:59,240
Speaker 4: So as of.

63
00:03:59,360 --> 00:04:05,159
Speaker 1: Now ten countries have fully transposed NIS 2 into national law.

64
00:04:05,759 --> 00:04:08,199
Speaker 4: So for example, Belgium.

65
00:04:07,840 --> 00:04:12,879
Speaker 1: Finland, Greece or Italy, and then another fourteen countries have

66
00:04:13,120 --> 00:04:18,519
published at least some draft legislation so far, and there

67
00:04:18,600 --> 00:04:23,360
you can call Bulgaria, Denmark and also Germany. And then

68
00:04:23,399 --> 00:04:28,720
there are also two countries, Sweden and Austria, and

69
00:04:28,839 --> 00:04:33,279
those two EU member states have published neither

70
00:04:33,600 --> 00:04:38,600
a draft nor a final national law. So there

71
00:04:38,600 --> 00:04:42,680
we have no public information available on their implementation status yet.

72
00:04:42,759 --> 00:04:46,959
Speaker 3: You know, someone watching this from the outside with

73
00:04:48,680 --> 00:04:51,560
you know, a command of English and a very limited

74
00:04:51,560 --> 00:04:56,920
command of German. Is there sort of a standard place

75
00:04:56,920 --> 00:04:58,519
that a person like me looking at this from the

76
00:04:58,560 --> 00:05:01,519
outside could go to find and all this stuff or

77
00:05:01,600 --> 00:05:05,519
is it on every country's national website in a different language,

78
00:05:05,519 --> 00:05:08,160
in a different location. Is there any central repository of

79
00:05:08,199 --> 00:05:08,920
these rules?

80
00:05:10,439 --> 00:05:11,519
Speaker 4: No, not yet.

81
00:05:11,600 --> 00:05:15,240
Speaker 1: At least maybe there will be some private websites where

82
00:05:15,240 --> 00:05:19,879
you can find all the different implementation information. But until now,

83
00:05:20,040 --> 00:05:24,600
when you are a company either within the EU or

84
00:05:24,680 --> 00:05:28,519
outside the EU, when you are providing your services into the

85
00:05:28,560 --> 00:05:31,839
EU market, you have to comply with the NIS 2 directive,

86
00:05:31,959 --> 00:05:34,319
and this means you have to comply with the national

87
00:05:34,439 --> 00:05:36,360
laws in each EU member state.

88
00:05:36,839 --> 00:05:39,279
Speaker 4: And this is a big challenge.

89
00:05:38,920 --> 00:05:42,800
Speaker 1: For all international companies because they have to check each

90
00:05:42,959 --> 00:05:45,600
national law of each EU member state and they have

91
00:05:45,720 --> 00:05:48,199
to check if they fall under the scope of application.

92
00:05:48,680 --> 00:05:52,680
And what is also very important that the different national

93
00:05:53,720 --> 00:05:58,079
laws have different obligations. So the NIS 2 directive has

94
00:05:58,120 --> 00:06:03,000
a minimum standard which the national legislators have to fulfill.

95
00:06:03,480 --> 00:06:07,279
But on top of this, some EU member states have

96
00:06:07,439 --> 00:06:12,800
imposed more obligations or a portal for registration or new

97
00:06:13,240 --> 00:06:16,560
reporting obligations, so you have to check for each EU

98
00:06:16,720 --> 00:06:17,319
member state.

99
00:06:18,199 --> 00:06:22,519
Speaker 4: But here we can also help because we see in.

100
00:06:22,480 --> 00:06:24,879
Speaker 1: Our daily work that this is a very very hard

101
00:06:25,560 --> 00:06:29,120
challenge for companies to check all the laws and

102
00:06:29,160 --> 00:06:33,240
to also understand all the national laws. We offer an

103
00:06:33,519 --> 00:06:38,199
NIS 2 implementation guide where you can get regular updates on

104
00:06:38,600 --> 00:06:41,319
an overview of how the different EU member states have

105
00:06:41,439 --> 00:06:42,439
transposed NIS 2.

106
00:06:43,360 --> 00:06:47,160
Speaker 4: And yes, in addition to this, we also have a

107
00:06:47,199 --> 00:06:51,040
Speaker 1: NIS 2 reporting obligation guide, especially looking at the

108
00:06:51,160 --> 00:06:55,879
reporting and registration obligations to see where you have to

109
00:06:56,199 --> 00:07:00,000
register in each EU member state, so you can book

110
00:07:00,120 --> 00:07:04,839
our full guide, but we also post some overviews on

111
00:07:04,959 --> 00:07:06,759
LinkedIn and in our newsletter.

112
00:07:08,399 --> 00:07:13,199
Speaker 3: You touched on the, you know, the goal of NIS 2

113
00:07:13,439 --> 00:07:18,040
was to increase consistency among the nation states of

114
00:07:18,040 --> 00:07:21,560
Europe in terms of their cyber regulations, and in my understanding,

115
00:07:21,600 --> 00:07:25,800
to increase the strength of those regulations across the board.

116
00:07:26,519 --> 00:07:29,519
How's that coming. Are the regulations that are coming out

117
00:07:29,680 --> 00:07:33,120
stronger than we saw with NIS 2, and you know, are

118
00:07:33,160 --> 00:07:33,920
they consistent?

119
00:07:35,439 --> 00:07:39,120
Speaker 1: Well, it's correct that the idea behind NIS 2, or

120
00:07:39,160 --> 00:07:42,959
the NIS 2 directive, was to create a stronger and also

121
00:07:43,079 --> 00:07:47,079
more consistent cybersecurity framework across the whole EU and the

122
00:07:47,120 --> 00:07:51,800
EU market. And also the NIS 2 directive should also

123
00:07:51,879 --> 00:07:55,399
cover a broad set of sectors for regulated companies,

124
00:07:55,439 --> 00:07:59,519
so there should be some consistency within the EU. But

125
00:07:59,879 --> 00:08:02,920
it's an EU directive and not an EU regulation.

126
00:08:03,160 --> 00:08:06,600
So this means the NIS 2 directive sets only a minimum

127
00:08:06,639 --> 00:08:10,519
standard for the EU member states, which they can then

128
00:08:10,600 --> 00:08:12,560
transpose into national law.

129
00:08:13,279 --> 00:08:16,040
Speaker 4: And that's why the EU member states.

130
00:08:15,600 --> 00:08:19,040
Speaker 1: Are allowed also to go beyond if they want to,

131
00:08:19,759 --> 00:08:22,600
and some of the EU member states have already done that.

132
00:08:23,040 --> 00:08:28,160
So what we're seeing right now, looking at the

133
00:08:28,240 --> 00:08:31,120
national laws which have already been enacted, and also

134
00:08:31,160 --> 00:08:34,039
looking at the draft of some national laws, we see

135
00:08:34,080 --> 00:08:37,039
quite a mixed picture. So we don't see a whole

136
00:08:37,120 --> 00:08:40,039
consistency that a lot of companies were hoping for.

137
00:08:40,519 --> 00:08:42,559
Speaker 4: We see more like a mixed picture.

138
00:08:43,039 --> 00:08:47,159
Speaker 1: With some countries like Belgium again, for example, they have

139
00:08:47,279 --> 00:08:50,879
pretty much stuck to the core of the directive and

140
00:08:51,200 --> 00:08:54,679
haven't added much on top. So there you are also

141
00:08:54,720 --> 00:08:57,000
for you as a company, you can ensure when you're

142
00:08:57,000 --> 00:08:59,360
looking at the NIS 2 directive, or when you have already

143
00:08:59,399 --> 00:09:03,639
looked at the directive, you can be positive that you

144
00:09:03,759 --> 00:09:08,039
also fulfill the requirements of the law of Belgium. But

145
00:09:08,159 --> 00:09:12,879
on the other hand, looking for example, on Italy, they

146
00:09:12,919 --> 00:09:17,919
have expanded the scope of application. So Italy has for example,

147
00:09:18,080 --> 00:09:22,720
included the cultural sector as an additional regulated area. So

148
00:09:22,840 --> 00:09:26,799
the sector of culture hasn't been mentioned in the NIS 2

149
00:09:26,840 --> 00:09:30,799
directive at all, but Italy had the idea, well,

150
00:09:30,879 --> 00:09:34,080
we can regulate also the cultural sector, so that's why

151
00:09:34,159 --> 00:09:35,600
they have also.

152
00:09:37,000 --> 00:09:38,799
Speaker 4: Included it into their national law.

153
00:09:39,200 --> 00:09:41,360
Speaker 1: And also in France, you can see that they have

154
00:09:42,320 --> 00:09:46,399
imposed more obligations and also have broadened the scope of

155
00:09:46,480 --> 00:09:50,360
application of their national law because here they have also

156
00:09:50,960 --> 00:09:56,240
widened up the regulated sectors and here they have added

157
00:09:56,279 --> 00:10:01,799
the educational institutions for example, So yeah, you can see

158
00:10:02,000 --> 00:10:05,799
we have a minimum set of standard set out in

159
00:10:05,840 --> 00:10:10,120
the NIS 2 directive, but across the EU, looking at the national laws,

160
00:10:10,480 --> 00:10:14,080
we have a lot of national differences and that's why

161
00:10:14,120 --> 00:10:16,679
it's very hard for companies to comply with the

162
00:10:16,759 --> 00:10:20,679
NIS 2 directive or with the national laws within the

163
00:10:20,679 --> 00:10:21,399
EU market.

164
00:10:24,399 --> 00:10:26,879
Speaker 2: One of the more interesting things that Christina mentioned there

165
00:10:26,960 --> 00:10:33,639
Andrew was Italy treating its cultural sector as like critical infrastructure,

166
00:10:33,679 --> 00:10:37,919
which sounds a little bit it sounds very Italian. Frankly, well, I.

167
00:10:37,919 --> 00:10:43,080
Speaker 3: Don't know, it's not just the Italians. The original you know,

168
00:10:43,159 --> 00:10:46,440
this was back in the, I don't know, the late noughts.

169
00:10:47,679 --> 00:10:49,919
One of the original directives that came out of the

170
00:10:49,960 --> 00:10:54,200
American administration was a list of critical infrastructures and at

171
00:10:54,200 --> 00:11:01,360
the time it included something like national monuments as infrastructure sector,

172
00:11:01,799 --> 00:11:05,200
and the justification was, you know, any monument or you know,

173
00:11:05,440 --> 00:11:08,559
cultural institution that was that was seen as essential to

174
00:11:08,679 --> 00:11:15,159
national identity, national cohesion. And then it disappeared in the

175
00:11:15,639 --> 00:11:20,440
twenty thirteen update of what were critical national infrastructure, so

176
00:11:20,919 --> 00:11:24,279
it's no longer on CISA's list of critical infrastructures,

177
00:11:24,279 --> 00:11:27,080
but it used to be, and you know, in terms

178
00:11:27,120 --> 00:11:31,240
of Italy, I don't you know, I don't have a

179
00:11:31,240 --> 00:11:35,120
lot of information about Italy. But again you might imagine

180
00:11:35,159 --> 00:11:39,200
that national monuments and certain cultural institutions are vital to

181
00:11:39,320 --> 00:11:43,840
sort of national identity. Think the Roman Colosseum, should that

182
00:11:43,919 --> 00:11:47,399
be regarded as critical infrastructure? Certainly critical to tourism as

183
00:11:47,440 --> 00:11:50,840
for sure. So that's that's what little I know about it.

184
00:11:53,000 --> 00:11:57,799
In my recollection of NIS 2, one of the changes was

185
00:11:58,120 --> 00:12:03,399
increased incident disclosure rules. Now I've you know, I've

186
00:12:03,519 --> 00:12:08,600
argued or I've speculated. We did a threat report at Waterfall.

187
00:12:08,960 --> 00:12:12,879
We actually saw numbers sort of plateau in terms of incidents.

188
00:12:13,799 --> 00:12:20,799
I wonder I speculate whether increased incident disclosure rules are

189
00:12:20,840 --> 00:12:27,399
in fact reducing disclosures because lawyers see that disclosing too

190
00:12:27,440 --> 00:12:30,720
much information can result in lawsuits. For instance, Solar Winds

191
00:12:30,759 --> 00:12:36,039
was sued for incorrect disclosures, and so they I'm guessing

192
00:12:36,080 --> 00:12:40,519
that they they you know, conclude that minimum disclosure is

193
00:12:40,639 --> 00:12:43,919
least risk. And if they get part way into an

194
00:12:43,960 --> 00:12:46,159
incident and say this is not material, we don't need

195
00:12:46,200 --> 00:12:49,519
to disclose, we're not going to disclose it, we actually

196
00:12:49,519 --> 00:12:53,440
see fewer disclosures. Can you talk about what's happening with

197
00:12:53,600 --> 00:12:56,840
the disclosure rules. You know, are they how consistent are

198
00:12:56,879 --> 00:12:59,960
they for multinational businesses? How many different ways do they have

199
00:13:00,120 --> 00:13:03,919
to file? And are we seeing greater disclosure or in

200
00:13:04,039 --> 00:13:07,840
your estimation, fewer disclosures because of these rules.

201
00:13:08,039 --> 00:13:11,440
Speaker 1: Yeah, that's a really good question, and honestly, it's something

202
00:13:11,519 --> 00:13:15,720
we are also asked all the time right now because

203
00:13:16,840 --> 00:13:20,480
what we hear again and again is, if you operate in several

204
00:13:20,519 --> 00:13:23,799
EU countries, do I need to report a security incident

205
00:13:23,960 --> 00:13:27,279
in one EU member state, or via one portal

206
00:13:27,440 --> 00:13:29,759
and then I'm fine? Or do we really have to

207
00:13:29,840 --> 00:13:33,639
report a security incident to each EU member state which

208
00:13:33,679 --> 00:13:38,759
is kind of affected with regard to the security incident,

209
00:13:39,519 --> 00:13:44,879
And yeah, unfortunately the answer right now is yes, you

210
00:13:45,039 --> 00:13:48,679
have to report your security incident to each EU member

211
00:13:48,720 --> 00:13:53,440
state or to each national authority of the EU member

212
00:13:53,480 --> 00:13:56,480
state under whose national law you fall,

213
00:13:58,080 --> 00:14:03,840
because the NIS 2 directive does not really require one portal

214
00:14:04,559 --> 00:14:10,519
or one obligatory registration and reporting portal for all

215
00:14:10,639 --> 00:14:15,039
EU member states. So it's up to the national authorities

216
00:14:15,039 --> 00:14:17,480
and also up to the EU member states to regulate

217
00:14:17,679 --> 00:14:22,759
this field of law. And you can see that many

218
00:14:22,840 --> 00:14:27,279
national authorities have already recognized this issue and they are

219
00:14:27,320 --> 00:14:31,440
also looking at ways to simplify the process of registration

220
00:14:31,600 --> 00:14:35,960
but also of reporting security incidents. And then you can

221
00:14:36,000 --> 00:14:42,360
see some member states try to at least include or

222
00:14:42,799 --> 00:14:47,559
to set up a portal, a national wide portal where

223
00:14:47,559 --> 00:14:54,200
you can report your security incident. Some other national authorities

224
00:14:54,240 --> 00:14:59,960
go even further. They say they implement a scheme or

225
00:15:00,039 --> 00:15:03,840
structure where you only have to report to them and

226
00:15:03,879 --> 00:15:08,759
then they will transfer the report to the other relevant

227
00:15:08,799 --> 00:15:13,200
EU authorities. But again this is each, and in each

228
00:15:13,279 --> 00:15:16,320
EU member state's national law, so then you also have

229
00:15:16,399 --> 00:15:22,320
to check again all the other national laws within the EU. Yes,

230
00:15:22,759 --> 00:15:26,600
but also the authorities of the EU member states have

231
00:15:26,919 --> 00:15:30,759
already well at least indicated that they are talking to

232
00:15:30,799 --> 00:15:34,919
each other. So maybe in the future we will get

233
00:15:35,080 --> 00:15:37,399
one portal to report everything.

234
00:15:37,879 --> 00:15:40,919
Speaker 4: But as I said before, it's not regulated in the NIS 2

235
00:15:41,000 --> 00:15:45,039
directive and it's also not foreseen for now.

236
00:15:45,879 --> 00:15:50,919
Speaker 1: Yes, and to the other part of your question, well,

237
00:15:52,399 --> 00:15:57,559
you could think that when you're obliged to report everything

238
00:15:57,679 --> 00:16:03,120
and each security incident, that the reporting would decrease, but

239
00:16:03,159 --> 00:16:08,320
you also have to look at the risk

240
00:16:08,399 --> 00:16:11,559
of non-compliance, and the risks are very high because

241
00:16:11,600 --> 00:16:15,799
the NIS 2 directive is imposing high sanctions and also a

242
00:16:15,799 --> 00:16:21,080
lot of authority measures, authority market measures. And that's why

243
00:16:21,240 --> 00:16:24,679
in the daily consulting work, it's better to say please

244
00:16:24,799 --> 00:16:29,919
report an incident, because also the national authorities communicate this

245
00:16:30,320 --> 00:16:34,200
to the companies. They say please report something because then

246
00:16:34,279 --> 00:16:35,440
we can work together.

247
00:16:35,840 --> 00:16:37,879
Speaker 4: So the focus of the national

248
00:16:37,639 --> 00:16:41,759
Speaker 1: Authorities, at least in Germany we see right now, is

249
00:16:41,960 --> 00:16:45,720
they want to cooperate together. They want to ensure a

250
00:16:45,799 --> 00:16:49,919
cyber secure environment and a cyber secure EU market.

251
00:16:50,440 --> 00:16:53,279
Speaker 4: So the focus is to report something that they can

252
00:16:53,840 --> 00:16:54,639
work on together.

253
00:16:55,320 --> 00:16:58,120
Speaker 1: And that's why it would be better to report. And

254
00:16:59,080 --> 00:17:03,799
I would say maybe we get also an increase of reporting.

255
00:17:05,200 --> 00:17:09,039
Speaker 3: I'm a little confused by your answer. The rules that

256
00:17:09,079 --> 00:17:12,640
I'm a little bit familiar with are the American Securities

257
00:17:12,640 --> 00:17:16,240
and Exchange Commission rules, and those rules mandate that any

258
00:17:16,400 --> 00:17:20,720
material incident must be reported to the public, any incident

259
00:17:20,759 --> 00:17:24,839
that might cause a reasonable investor to either buy or

260
00:17:24,920 --> 00:17:28,119
sell or assign value to shares in

261
00:17:28,160 --> 00:17:33,279
a company, which means non material incidents can be kept quiet.

262
00:17:34,359 --> 00:17:38,440
And the SEC disclosures are public. Everyone can see them

263
00:17:38,559 --> 00:17:42,240
because reasonable people need information to buy and sell shares.

264
00:17:44,000 --> 00:17:50,079
The NIS 2 system, is it requiring all incidents to be

265
00:17:50,119 --> 00:17:54,119
reported, and are those reports public?

266
00:17:54,119 --> 00:17:57,039
Speaker 4: To the first part of your question, the NIS 2 directive,

267
00:17:57,079 --> 00:17:59,640
Speaker 1: and also the NIS 2 reporting obligation, is kind of

268
00:17:59,640 --> 00:18:03,519
the same as the regulation you mentioned before, because you

269
00:18:03,640 --> 00:18:08,759
have to report only severe security incidents, and yeah, you

270
00:18:08,920 --> 00:18:12,480
as a regulated company, you are obliged to check if

271
00:18:12,519 --> 00:18:14,920
there is a security incident in the first step, and

272
00:18:15,000 --> 00:18:17,319
then the second step you have to check is there

273
00:18:17,519 --> 00:18:21,759
a severe security incident, and only this security incident you

274
00:18:21,799 --> 00:18:25,440
are obliged to report to the national authorities. So that's

275
00:18:25,519 --> 00:18:29,319
kind of the same structure of or mechanism. And to

276
00:18:29,400 --> 00:18:34,319
the second part of your question, the report will not

277
00:18:34,519 --> 00:18:38,359
be published for everyone. So first of all, if you

278
00:18:38,480 --> 00:18:42,839
report it to national authorities, only the national authorities have

279
00:18:42,880 --> 00:18:47,720
the information. It can happen because we have in some

280
00:18:47,839 --> 00:18:54,359
member states some laws where yeah, people from the public

281
00:18:54,400 --> 00:18:58,480
can access or can get access to information to public information.

282
00:18:58,559 --> 00:19:02,680
It can happen that information will be publicly available. But

283
00:19:03,640 --> 00:19:06,119
the first step is that you will only report it

284
00:19:06,160 --> 00:19:09,000
to the national authority and that the report will not

285
00:19:09,160 --> 00:19:13,680
be available for the public as such. But next to

286
00:19:13,759 --> 00:19:17,200
the reporting obligation to the national authorities.

287
00:19:17,599 --> 00:19:20,039
Speaker 4: You also have information.

288
00:19:19,680 --> 00:19:23,920
Speaker 1: Obligations in the two directive, so it can happen that

289
00:19:24,000 --> 00:19:29,119
you are also obliged to inform the consumers of your services.

290
00:19:30,000 --> 00:19:33,200
Speaker 3: The other big news that I'm aware of in Europe

291
00:19:33,440 --> 00:19:38,920
is the CRA, which you know confuses me because you know,

292
00:19:38,960 --> 00:19:41,359
I thought NIS 2 was the big deal. Yet there's

293
00:19:41,400 --> 00:19:43,079
this other thing that sort of came at me out

294
00:19:43,079 --> 00:19:45,200
of the blue a year ago, and I'm going, what's

295
00:19:45,279 --> 00:19:47,240
what's going on? Can you introduce for us what is

296
00:19:47,279 --> 00:19:49,720
the CRA and how's it different from NIS 2?

297
00:19:50,599 --> 00:19:50,839
Speaker 4: Yeah?

298
00:19:50,920 --> 00:19:56,160
Speaker 1: Sure. So, as you mentioned before, the CRA is like

299
00:19:56,359 --> 00:19:59,880
the sister or brother and the second major piece of

300
00:20:00,039 --> 00:20:04,079
the new European cybersecurity framework alongside the NIS 2 directive.

301
00:20:05,200 --> 00:20:09,440
It's the Cyber Resilience Act or for short, CRA. And

302
00:20:09,720 --> 00:20:14,039
while the NIS 2 directive focuses on the cybersecurity requirements

303
00:20:14,119 --> 00:20:19,960
for businesses or entities in critical sectors, the CRA takes

304
00:20:20,000 --> 00:20:24,640
a different angle and the CRA introduces EU-wide cybersecurity

305
00:20:24,759 --> 00:20:29,640
rules for products. So NIS 2 is focusing on cybersecurity

306
00:20:29,680 --> 00:20:34,200
of entities and the CRA is focusing on cybersecurity for

307
00:20:34,359 --> 00:20:40,839
products with digital elements. And also the other, the other

308
00:20:40,920 --> 00:20:43,440
difference is also the NIS 2 directive.

309
00:20:43,519 --> 00:20:45,079
Speaker 4: We have an EU directive, so.

310
00:20:45,119 --> 00:20:49,240
Speaker 1: It needs to be transposed into national law by each

311
00:20:49,559 --> 00:20:53,599
member state. And the Cyber Resilience Act is an EU regulation,

312
00:20:54,240 --> 00:20:57,799
so when the Cyber Resilience Act comes into force, it

313
00:20:57,880 --> 00:21:00,920
will apply directly in each EU member state.

314
00:21:00,920 --> 00:21:04,400
Speaker 3: Okay. So that's how the CRA, you know, fits

315
00:21:04,440 --> 00:21:08,200
into NIS 2. What is the CRA? What are these rules?

316
00:21:08,240 --> 00:21:08,359
Speaker 5: Is it?

317
00:21:08,359 --> 00:21:09,680
Speaker 3: Can you give us a high level summary?

318
00:21:10,640 --> 00:21:15,680
Speaker 1: So the CRA is the first EU-wide horizontal regulation

319
00:21:16,279 --> 00:21:22,240
which imposes cybersecurity rules for products with digital elements. So

320
00:21:23,000 --> 00:21:26,640
regulated are products with digital elements, and this definition is

321
00:21:26,839 --> 00:21:30,960
very broad. It covers software and also hardware and also

322
00:21:31,039 --> 00:21:36,400
software and hardware components if they are brought.

323
00:21:36,160 --> 00:21:37,759
Speaker 4: To the EU market separately.

324
00:21:38,720 --> 00:21:42,799
Speaker 1: And products with digital elements are kind of like connected

325
00:21:42,839 --> 00:21:46,880
devices and as I said, software and hardware that can

326
00:21:47,039 --> 00:21:49,039
potentially pose

327
00:21:48,759 --> 00:21:49,759
Speaker 4: A security risk.

328
00:21:53,759 --> 00:21:59,720
Speaker 1: Also, what is very important, the CRA imposes obligations not

329
00:22:00,079 --> 00:22:05,160
only to manufacturers but also to importers, distributors and also

330
00:22:05,200 --> 00:22:08,720
to those companies which are not resident in the EU.

331
00:22:09,319 --> 00:22:12,400
Speaker 4: Because the main point.

332
00:22:12,680 --> 00:22:16,920
Speaker 1: For the geographical scope of application is that you put

333
00:22:17,119 --> 00:22:20,319
or that you place a product in the EU market,

334
00:22:20,960 --> 00:22:25,519
whether you are placed in the EU or not. So

335
00:22:25,559 --> 00:22:29,200
this means also that the Cyber Resilience Act, just like

336
00:22:29,240 --> 00:22:35,400
the General Data Protection Regulation, has

337
00:22:35,440 --> 00:22:40,880
a global impact for anyone selling tech products in Europe.

338
00:22:44,000 --> 00:22:46,480
Speaker 3: So let me jump in real quick here, Nate. You

339
00:22:46,519 --> 00:22:52,960
know what Christina has described here, the CRA: the scope

340
00:22:53,079 --> 00:22:58,279
applies to all digital products sold in Europe. To me,

341
00:22:58,920 --> 00:23:03,440
you know, the CRA is, in my estimation, and

342
00:23:03,440 --> 00:23:06,480
she's going to explain more in a few minutes. It's

343
00:23:06,519 --> 00:23:11,359
probably the strictest cybersecurity regulation for products generally in the

344
00:23:11,400 --> 00:23:15,359
whole world. It sounds to me like this might become

345
00:23:15,480 --> 00:23:18,640
just like GDPR. This was a European regulation that came

346
00:23:18,680 --> 00:23:21,519
through a few years ago. It had to do with

347
00:23:22,759 --> 00:23:25,960
marketing and the use of private information, in particular my

348
00:23:26,119 --> 00:23:28,799
email and sending it. Basically, it was like an anti

349
00:23:28,799 --> 00:23:33,400
spam act. It's the strictest in the world, and everybody

350
00:23:33,640 --> 00:23:36,200
who has any kind of worldwide customer base, which is

351
00:23:36,640 --> 00:23:41,160
almost everybody in the digital world that's sending out marketing emails,

352
00:23:42,039 --> 00:23:46,039
is now following the GDPR pretty much worldwide because it's

353
00:23:46,119 --> 00:23:48,880
just too hard to apply one law in one country

354
00:23:48,920 --> 00:23:50,279
and one law and the other. So what you do

355
00:23:50,640 --> 00:23:52,880
is you pick the strictest that you have to comply

356
00:23:52,960 --> 00:23:55,559
with worldwide, which is the GDPR, and you do

357
00:23:55,640 --> 00:23:59,240
that worldwide instead of trying to figure out what's what

358
00:23:59,359 --> 00:24:02,200
It sounds to me like the CRA could very well turn

359
00:24:02,240 --> 00:24:05,119
into that kind of thing. It might be the thing

360
00:24:05,200 --> 00:24:08,319
that all manufacturers that embed a CPU in their product

361
00:24:08,359 --> 00:24:11,680
have to follow worldwide because it's just too hard to

362
00:24:12,279 --> 00:24:17,119
change what they do in one country versus another. Okay,

363
00:24:17,119 --> 00:24:20,599
so can you dig a little deeper. I mean an automobile.

364
00:24:20,799 --> 00:24:23,680
You buy a new automobile from the from the dealership.

365
00:24:24,000 --> 00:24:26,119
My understanding is that it has you know, two hundred

366
00:24:26,119 --> 00:24:28,440
and fifty three hundred maybe three hundred and twenty five

367
00:24:28,559 --> 00:24:32,000
CPUs in it, all of them running software. It would

368
00:24:32,000 --> 00:24:35,319
seem to me that a new automobile is covered by

369
00:24:35,319 --> 00:24:38,559
the CRA. What you know, what are the obligations of

370
00:24:38,599 --> 00:24:44,240
the manufacturer. What should customers like me expect in automobiles

371
00:24:44,240 --> 00:24:46,480
that might be different because of the CRA.

372
00:24:47,880 --> 00:24:53,200
Speaker 1: First of all, looking at your example, automobiles are not

373
00:24:53,440 --> 00:24:58,119
covered by the CRA because the CRA has some exemptions

374
00:24:58,799 --> 00:25:02,759
and with the CRA we are not regulating digital products with

375
00:25:02,839 --> 00:25:09,200
digital elements which are already regulated by specific product safety laws.

376
00:25:09,640 --> 00:25:10,720
Speaker 4: And here looking at.

377
00:25:10,599 --> 00:25:14,240
Speaker 1: An automotive sector, we have for sure and you very

378
00:25:14,319 --> 00:25:18,839
strong and very specialized regulation for product safety of cars

379
00:25:18,960 --> 00:25:24,200
and so on. So just for your example, but looking

380
00:25:24,240 --> 00:25:30,359
at other products with digital elements, for example wearables or headphones, smartphones,

381
00:25:30,400 --> 00:25:33,400
for example, you can.

382
00:25:33,240 --> 00:25:35,960
Speaker 4: Say that there are kind of five.

383
00:25:35,960 --> 00:25:40,960
Speaker 1: Core obligations for manufacturers in the CRA. So the first

384
00:25:41,000 --> 00:25:45,359
obligation is compliance with Annex I, which means you have

385
00:25:45,480 --> 00:25:52,319
to fulfill a list of cybersecurity requirements. And you don't

386
00:25:52,359 --> 00:25:58,119
only have to fulfill those cybersecurity requirements, but you also

387
00:25:58,240 --> 00:26:03,079
have to declare and show compliance with Annex I of the CRA,

388
00:26:03,200 --> 00:26:07,160
So it's a conformity assessment you have to undergo. The

389
00:26:07,240 --> 00:26:11,839
other obligation, or number two, is cyber risk assessment. If

390
00:26:11,839 --> 00:26:15,359
you're a manufacturer of a product with digital elements.

391
00:26:15,039 --> 00:26:18,880
Speaker 4: You are obliged to assess cyber risks.

392
00:26:18,720 --> 00:26:22,799
Speaker 1: And not only during the development and the construction of

393
00:26:22,839 --> 00:26:28,599
your product, and also not only during the placing of

394
00:26:28,599 --> 00:26:31,920
your product on the EU market, but throughout the whole

395
00:26:31,920 --> 00:26:32,960
product life cycle.

396
00:26:33,359 --> 00:26:35,079
Speaker 4: So if you have a product.

397
00:26:34,720 --> 00:26:36,880
Speaker 1: And you have it already placed on a market, you're

398
00:26:36,880 --> 00:26:39,279
obliged to undergo.

399
00:26:40,480 --> 00:26:42,519
Speaker 4: A cyber risk assessment.

400
00:26:43,240 --> 00:26:47,759
Speaker 1: Then looking at a third obligation, it's free security updates,

401
00:26:48,319 --> 00:26:54,720
so manufacturers have to provide free security updates throughout the

402
00:26:54,799 --> 00:26:59,920
expected product life cycle. We have also mandatory incident reporting,

403
00:27:00,119 --> 00:27:03,759
so we have here also reporting and registration obligations such

404
00:27:03,799 --> 00:27:06,799
as we already talked about looking at the NIS two Directive

405
00:27:07,480 --> 00:27:11,119
and also like in each product safety law in the EU,

406
00:27:11,480 --> 00:27:15,440
we also have the obligation for technical documentation, so this

407
00:27:15,640 --> 00:27:20,119
is, those are the five core obligations: compliance, cyber

408
00:27:20,200 --> 00:27:25,039
risk assessment, free security update, reporting and documentation.

409
00:27:26,079 --> 00:27:30,559
Speaker 3: And you mentioned distributors. What are distributors and importers obliged

410
00:27:30,680 --> 00:27:30,839
to do?

411
00:27:31,640 --> 00:27:35,400
Speaker 1: Yeah, there we have some graduated obligations so they are

412
00:27:36,039 --> 00:27:41,079
not such strict obligations as for manufacturers, but importers and

413
00:27:41,119 --> 00:27:45,240
distributors are obliged to assess if the products that they

414
00:27:45,240 --> 00:27:49,039
are importing and distributing to the EU market are compliant

415
00:27:49,160 --> 00:27:54,480
with the whole set of cybersecurity requirements of the CRA.

416
00:27:54,599 --> 00:27:57,599
So they have to check if the manufacturer and the

417
00:27:57,680 --> 00:28:01,559
product is compliant and if not, they have to inform

418
00:28:01,759 --> 00:28:07,160
and cooperate with the manufacturer to ensure cybersecurity compliance, but

419
00:28:07,519 --> 00:28:14,000
also importers are also obliged to impose.

420
00:28:14,079 --> 00:28:19,440
Speaker 4: Their own measures to comply with the CRA.

421
00:28:21,079 --> 00:28:24,240
Speaker 3: Okay, and you said there were five obligations, you sponsor

422
00:28:24,319 --> 00:28:26,720
them quickly. Some of them makes sense on their own.

423
00:28:26,759 --> 00:28:29,240
You know, do a risk assessment, do it from time

424
00:28:29,279 --> 00:28:31,359
to time, see if the risk has changed. That kind

425
00:28:31,359 --> 00:28:35,359
of makes sense. The first one, though, you know, comply

426
00:28:35,519 --> 00:28:38,640
with Annex I. That's like an appendix to the CRA.

427
00:28:39,240 --> 00:28:44,119
What's in there? What are the obligations?

428
00:28:43,839 --> 00:28:47,839
Speaker 1: Annex I is, yeah, you can also say appendix one

429
00:28:48,240 --> 00:28:52,839
to the CRA, and there you can see there is

430
00:28:52,880 --> 00:28:57,880
a list of certain cybersecurity requirements which manufacturers have to fulfill.

431
00:28:58,519 --> 00:29:02,839
And the list is divided into two different main areas,

432
00:29:03,039 --> 00:29:07,759
and one area is cybersecurity requirement, so it focuses on

433
00:29:08,400 --> 00:29:15,319
no known vulnerabilities at the time of the market placement, secure

434
00:29:15,359 --> 00:29:25,440
default configurations, protection against unauthorized access, ensuring confidentiality, integrity and availability,

435
00:29:27,039 --> 00:29:30,599
and also secure deletion and export of user data.

436
00:29:30,680 --> 00:29:32,400
Speaker 4: So kind of all.

437
00:29:32,319 --> 00:29:36,720
Speaker 1: Of cybersecurity requirements such as them which.

438
00:29:36,519 --> 00:29:41,440
Speaker 4: I have mentioned. And the other area is vulnerability management.

439
00:29:41,960 --> 00:29:47,359
Speaker 1: So manufacturers have to ensure that they have a structured

440
00:29:47,440 --> 00:29:54,599
vulnerability management process, and they have to install the software

441
00:29:54,599 --> 00:29:59,960
bill of materials, they have to provide free security updates,

442
00:30:00,559 --> 00:30:04,720
they have to undergo cybersecurity testing and assessments. There needs

443
00:30:04,759 --> 00:30:11,839
to be a process to publish information on resolved vulnerabilities.

444
00:30:12,400 --> 00:30:16,119
And again here we also need a clear reporting channel

445
00:30:16,359 --> 00:30:18,640
for known vulnerabilities.

446
00:30:19,400 --> 00:30:23,960
Speaker 3: It sounds like you said that a manufacturer is not

447
00:30:24,359 --> 00:30:31,319
allowed to ship a product with known vulnerabilities. Practically speaking,

448
00:30:31,359 --> 00:30:33,559
how does that work? I mean, a lot of manufacturers

449
00:30:33,559 --> 00:30:38,039
in the industrial space use Linux under the hood. Linux

450
00:30:38,160 --> 00:30:42,680
is a million lines of code of kernel, and these

451
00:30:42,720 --> 00:30:45,799
devices don't necessarily do a full desktop style Linux, but

452
00:30:45,839 --> 00:30:48,480
they still have a lot of code that they're pulling

453
00:30:48,519 --> 00:30:52,839
from an open source distribution. And in these millions of

454
00:30:52,920 --> 00:30:58,920
lines of code, from time to time, people discover vulnerabilities

455
00:31:00,160 --> 00:31:04,119
and they get announced, and so it's you know, it's

456
00:31:04,160 --> 00:31:07,559
almost a random process. Do I have to suspend shipments

457
00:31:07,640 --> 00:31:11,640
the day that Linux vulnerability comes to light until I

458
00:31:11,680 --> 00:31:14,200
can get the thing patched, and then three days later

459
00:31:14,839 --> 00:31:18,680
start shipments again? Practically speaking, how does this zero known

460
00:31:18,759 --> 00:31:20,240
vulnerabilities requirement work?

461
00:31:21,799 --> 00:31:27,720
Speaker 1: Basically, it is like as you said, because the Cyber Resilience

462
00:31:27,480 --> 00:31:28,920
Speaker 4: Act focuses on.

463
00:31:30,640 --> 00:31:35,559
Speaker 1: Or no known vulnerabilities not only in your product, but

464
00:31:35,640 --> 00:31:39,200
also in the whole supply chain. So the Cyber Resilience

465
00:31:39,240 --> 00:31:42,440
Act focuses not only on products with digital elements, but

466
00:31:42,519 --> 00:31:46,759
also focusing on the cybersecurity of the whole supply chain.

467
00:31:47,640 --> 00:31:51,039
So this means, looking at Annex I and the

468
00:31:51,119 --> 00:31:55,759
cybersecurity requirements, products with digital

469
00:31:55,559 --> 00:31:58,119
Speaker 4: Elements may only be placed.

470
00:31:57,799 --> 00:32:01,039
Speaker 1: On the EU market if they don't contain any known

471
00:32:01,200 --> 00:32:06,359
exploitable vulnerabilities. So it's not any vulnerability, but it's any

472
00:32:06,440 --> 00:32:11,599
known exploitable vulnerability that is a clear requirement under Annex I.

473
00:32:12,680 --> 00:32:15,920
And also when you're looking at making a product available

474
00:32:16,000 --> 00:32:18,960
on a market, that doesn't.

475
00:32:18,599 --> 00:32:22,799
Speaker 4: Just mean selling it. It includes any kind of commercial activity.

476
00:32:22,920 --> 00:32:26,119
Speaker 1: And also what is also a very good question also

477
00:32:26,160 --> 00:32:31,240
in our daily work, looking at making a product available

478
00:32:31,279 --> 00:32:33,799
on a market, a lot of companies say, well, I

479
00:32:33,920 --> 00:32:38,240
have a batch of products, so and if I have

480
00:32:38,880 --> 00:32:42,799
placed this batch of products on the EU market, I

481
00:32:42,920 --> 00:32:45,279
have already placed the product on the market, so

482
00:32:45,480 --> 00:32:48,200
I can also place the other products.

483
00:32:47,880 --> 00:32:50,039
Speaker 4: Of this batch also in the future.

484
00:32:50,400 --> 00:32:53,680
Speaker 1: But it is not correct because looking at EU Product

485
00:32:53,759 --> 00:32:59,240
safety law, the regulation is focusing on each product. So

486
00:32:59,519 --> 00:33:03,559
looking at these requirements, you can say, first of all,

487
00:33:03,960 --> 00:33:08,079
you really have to check your own product, your own components,

488
00:33:08,200 --> 00:33:12,039
but also the products and the components you're using from

489
00:33:12,720 --> 00:33:15,359
the supply chain, and you have to check if there

490
00:33:15,400 --> 00:33:22,519
are any known exploitable vulnerabilities. So you have to impose

491
00:33:22,640 --> 00:33:29,319
a process to check the vulnerabilities and also to impose

492
00:33:29,519 --> 00:33:32,519
mechanisms to fix those vulnerabilities.

493
00:33:32,880 --> 00:33:35,240
Speaker 4: And if you have products already on the market.

494
00:33:35,079 --> 00:33:38,119
Speaker 1: You don't have to recall them because first of all,

495
00:33:38,200 --> 00:33:41,480
it's okay if you have a vulnerability management which is

496
00:33:41,519 --> 00:33:45,240
working and where you can fix those vulnerabilities.

497
00:33:46,160 --> 00:33:47,960
Speaker 4: And when you have products already in the.

498
00:33:47,920 --> 00:33:53,359
Speaker 1: Shipment process, it is up to each company to assess

499
00:33:53,720 --> 00:33:58,279
if they have to recall the products in the shipment

500
00:33:58,279 --> 00:34:01,200
process or if they say, okay, we leave in the

501
00:34:01,240 --> 00:34:04,599
shipment process because we know we can fix the vulnerability

502
00:34:04,680 --> 00:34:07,960
within two or three days. So in the end, it's

503
00:34:08,079 --> 00:34:11,480
kind of a risk based approach, and each company has

504
00:34:11,559 --> 00:34:16,800
to assess what measures are applicable and also.

505
00:34:18,239 --> 00:34:21,679
Speaker 3: Necessary, So that makes a little more sense. I mean,

506
00:34:21,800 --> 00:34:28,360
the Linux kernel and sort of core functions in my

507
00:34:30,039 --> 00:34:32,599
I don't have the numbers, but I'm guessing that you're

508
00:34:32,599 --> 00:34:36,199
going to see a vulnerability every week or two in

509
00:34:36,480 --> 00:34:40,360
that large set of software. And if that's part of

510
00:34:40,480 --> 00:34:43,280
a router that you're shipping, or part of a firewall

511
00:34:43,280 --> 00:34:45,079
that you're shipping, or part of any kind of product

512
00:34:45,119 --> 00:34:48,719
that you're shipping. Does it make sense that you know,

513
00:34:48,760 --> 00:34:52,599
you discover the exploitable vulnerability on Thursday, and you have

514
00:34:52,679 --> 00:34:57,840
to suspend shipment until you know three weeks out, when

515
00:34:57,880 --> 00:35:00,800
you have incorporated the vulnerability in your build, and you've

516
00:35:00,840 --> 00:35:04,280
repeated all of your product testing, which can be extensive,

517
00:35:05,199 --> 00:35:08,400
and by the time you're ready to ship that fix,

518
00:35:09,239 --> 00:35:11,559
two other problems have been developed, and now you have

519
00:35:11,639 --> 00:35:16,480
to you can't ship until you know. It sounds like

520
00:35:16,599 --> 00:35:20,199
it's not quite that strict. It's not you know that

521
00:35:20,199 --> 00:35:22,280
that scenario sounds like nonsense to me. It just it

522
00:35:22,320 --> 00:35:25,760
would never work. You're saying that there is some flexibility

523
00:35:25,800 --> 00:35:29,320
to do reasonable things to keep bringing product to market

524
00:35:29,360 --> 00:35:31,960
as long as you're managing the vulnerabilities over time. Is

525
00:35:32,199 --> 00:35:32,639
that fair?

526
00:35:33,360 --> 00:35:33,599
Speaker 4: Yes?

527
00:35:33,679 --> 00:35:36,440
Speaker 1: Yes, that's right, because in the CRA, we have a

528
00:35:36,559 --> 00:35:42,079
risk based approach, and also you have to know

529
00:35:42,400 --> 00:35:46,679
the basis for each measure you have to impose under

530
00:35:46,719 --> 00:35:50,280
the CRA is your cyber risk assessment. So you have

531
00:35:50,360 --> 00:35:52,840
to take what kind of product am I using or

532
00:35:52,960 --> 00:35:55,920
am I manufacturing? Which kind of product am I right

533
00:35:55,960 --> 00:35:59,119
now placing on the EU market? What are the cybersecurity

534
00:35:59,199 --> 00:36:01,280
risks right now? And also what are the

535
00:36:01,360 --> 00:36:06,400
specific cybersecurity risks of this known vulnerability? And then you

536
00:36:06,519 --> 00:36:09,000
have to check have I do I have a process?

537
00:36:09,079 --> 00:36:14,079
Do I have a process imposing appropriate measures to

538
00:36:14,199 --> 00:36:19,519
fix those vulnerabilities? And if I have appropriate measures to

539
00:36:19,639 --> 00:36:24,519
fix the vulnerabilities in a reasonable time and manner,

540
00:36:25,400 --> 00:36:29,679
then you're not

541
00:36:29,800 --> 00:36:35,440
obliged to recall the product itself. Yeah, but at the end,

542
00:36:36,199 --> 00:36:44,360
looking at a risk based approach, it's

543
00:36:44,480 --> 00:36:46,920
up to the decision of each company.

544
00:36:47,599 --> 00:36:49,599
Speaker 3: So this is a lot of a lot of change

545
00:36:49,639 --> 00:36:51,719
in in you know, for a lot of product vendors.

546
00:36:52,400 --> 00:36:54,320
Can I ask you how is it going?

547
00:36:54,599 --> 00:36:54,800
Speaker 4: You know?

548
00:36:55,400 --> 00:36:58,760
Speaker 3: Is it working? Are the vendors you know confused? Can

549
00:36:58,800 --> 00:37:00,639
you do you have any sort of insight in the

550
00:37:00,639 --> 00:37:01,280
how it's going?

551
00:37:02,280 --> 00:37:05,920
Speaker 1: So what we're seeing right now a lot of companies,

552
00:37:06,119 --> 00:37:12,320
both manufacturers but also suppliers. Yeah, getting ahead of the

553
00:37:12,360 --> 00:37:15,920
curve when it comes to the Cyber Resilience Act because

554
00:37:15,960 --> 00:37:18,920
they see that there is a change and that there

555
00:37:18,920 --> 00:37:23,079
will be new strict obligations not only on manufacturers, but also

556
00:37:23,079 --> 00:37:29,320
in the whole supply chain. So suppliers, distributors, importers are

557
00:37:29,360 --> 00:37:31,400
also coming to us and asking if.

558
00:37:31,239 --> 00:37:33,960
Speaker 4: They are under the scope of the CRA. So this

559
00:37:34,079 --> 00:37:34,960
is the first point.

560
00:37:35,079 --> 00:37:38,000
Speaker 1: If you're a distributor or an importer, you already have

561
00:37:38,079 --> 00:37:41,480
to check if your company itself falls under

562
00:37:41,519 --> 00:37:44,639
the scope of the CRA, and if it is like this,

563
00:37:45,039 --> 00:37:48,400
then you are already obliged to ensure all.

564
00:37:48,280 --> 00:37:49,840
Speaker 4: The obligations of the CRA.

565
00:37:50,639 --> 00:37:54,400
Speaker 1: But it can also happen that suppliers are under the

566
00:37:54,440 --> 00:37:59,280
scope of the CRA in an indirect manner, because ensuring

567
00:37:59,679 --> 00:38:04,519
all those new cybersecurity requirements from a manufacturer point of view,

568
00:38:05,960 --> 00:38:07,559
you have to ensure it within.

569
00:38:07,320 --> 00:38:08,639
Speaker 4: The whole supply chain.

570
00:38:09,119 --> 00:38:13,519
Speaker 1: And the main instrument to ensure this was already in

571
00:38:13,519 --> 00:38:16,199
the past and will also

572
00:38:16,199 --> 00:38:21,119
be in the future is contract management. So you have

573
00:38:21,199 --> 00:38:27,159
to impose or transpose all those new obligations to the suppliers.

574
00:38:27,480 --> 00:38:32,519
via contract management, and there we see different reactions,

575
00:38:33,719 --> 00:38:38,239
but there's definitely a growing awareness that cybersecurity needs to

576
00:38:38,239 --> 00:38:43,559
be addressed contractually, especially in relation to the CRA obligations.

577
00:38:44,280 --> 00:38:49,280
And yeah, looking at the contract negotiations, of course, we

578
00:38:49,400 --> 00:38:54,119
have some negotiations with the suppliers, and one of the

579
00:38:54,239 --> 00:38:59,480
main point which is negotiated is the regulation of enforcement,

580
00:39:00,159 --> 00:39:04,880
because when you have contractual management looking at cybersecurity requirements,

581
00:39:05,280 --> 00:39:10,960
you cannot only transpose those obligations to the suppliers, but

582
00:39:11,079 --> 00:39:15,920
you also have rules on enforcing those new contractual obligations,

583
00:39:17,039 --> 00:39:22,159
for example, contractual penalties. And there we see that contractual

584
00:39:22,280 --> 00:39:28,840
penalties often spark some debate during negotiations. Yeah, but to

585
00:39:29,000 --> 00:39:32,480
sum up, in practice, we've always been able to find

586
00:39:32,480 --> 00:39:36,599
a balanced solution that works for all parties involved.

587
00:39:39,559 --> 00:39:42,880
Speaker 2: I suppose I could think about any number of potentially

588
00:39:42,960 --> 00:39:47,000
trivial electronics products Andrew. But you know, let's say that

589
00:39:47,559 --> 00:39:50,599
I or my neighbor has a smart fridge, a fridge with

590
00:39:50,679 --> 00:39:56,760
a computer on it. I generally assume that those devices

591
00:39:57,480 --> 00:40:01,119
don't even really have security in mind. And you know,

592
00:40:01,159 --> 00:40:03,960
a security update is like so far from the universe

593
00:40:04,000 --> 00:40:07,159
of how anyone would interact with such a device. And

594
00:40:07,199 --> 00:40:09,639
now we're saying that that kind of thing is going

595
00:40:09,719 --> 00:40:11,639
to be regulated in these ways.

596
00:40:12,719 --> 00:40:16,320
Speaker 3: I think the short answer is yes. You might ask

597
00:40:16,679 --> 00:40:19,639
what good does this regulation do for a fridge? And

598
00:40:20,000 --> 00:40:22,760
you know, I think about this sometimes. I think the

599
00:40:22,800 --> 00:40:27,559
answer is it depends. If you know, a lot of

600
00:40:28,119 --> 00:40:31,960
the larger home appliances nowadays have touchscreens, there's a CPU inside,

601
00:40:32,000 --> 00:40:36,280
there's software inside. These are cyber devices. You might ask, well,

602
00:40:36,320 --> 00:40:38,519
when was the last time I updated the firmware in

603
00:40:38,639 --> 00:40:41,000
my fridge? How many times am I going to update

604
00:40:41,039 --> 00:40:45,119
the firmware in my fridge? Those are good questions. Most

605
00:40:45,119 --> 00:40:51,800
people never think about something like that. But the law might,

606
00:40:52,760 --> 00:40:57,360
you know, very reasonably apply to the fridge if the

607
00:40:57,440 --> 00:41:00,760
fridge is connected to the internet, so that I can see,

608
00:41:00,760 --> 00:41:04,360
for example, how much power my fridge is using on

609
00:41:04,400 --> 00:41:07,639
my cell phone app. You know, isn't that clever? But

610
00:41:07,880 --> 00:41:09,920
now I've connected the fridge to the internet. We all

611
00:41:09,960 --> 00:41:12,320
know what happened to, what was it? The Mirai botnet

612
00:41:12,360 --> 00:41:15,360
took over hundreds of thousands of Internet of Things devices

613
00:41:15,400 --> 00:41:18,960
and used them as attack tools for denial of service attacks.

614
00:41:21,199 --> 00:41:23,480
If you've got an Internet connected fridge, you risk that

615
00:41:23,599 --> 00:41:27,119
if you haven't updated the software. Worse, if someone gets

616
00:41:27,119 --> 00:41:31,280
into your fridge, takes over the CPU, you could change

617
00:41:31,320 --> 00:41:33,280
the set point on the temperature and cause all your

618
00:41:33,280 --> 00:41:38,920
food to spoil. This is a safety risk. Again, how

619
00:41:38,960 --> 00:41:41,280
many consumers are going to update the software in their

620
00:41:41,280 --> 00:41:44,519
fridge realistically? I don't think you know, the majority of

621
00:41:44,559 --> 00:41:50,320
consumers will even if there is a safety threat to me.

622
00:41:51,679 --> 00:41:54,079
You know the risk this is part of the risk assessment.

623
00:41:55,840 --> 00:42:00,480
If there's a safety threat because of these vulnerabilities, you

624
00:42:00,559 --> 00:42:06,559
might well need to, I don't know, auto update the firmware.

625
00:42:06,880 --> 00:42:08,960
That might be part of your risk assessment so that

626
00:42:09,000 --> 00:42:12,239
the consumer doesn't have to do it, or better yet,

627
00:42:12,440 --> 00:42:16,480
design the fridge so that safety threats because of a

628
00:42:16,519 --> 00:42:20,159
compromised CPU are impossible, physically impossible. Make the

629
00:42:20,400 --> 00:42:24,239
temperature setting manual or something. But you know, this is

630
00:42:24,239 --> 00:42:27,639
a bigger problem than I think one regulation. The question

631
00:42:27,719 --> 00:42:30,760
of safety critical devices connected to the cloud.

632
00:42:31,760 --> 00:42:36,079
Speaker 2: Yeah, admittedly, the notion of a smart refrigerator safety threat

633
00:42:36,159 --> 00:42:38,880
isn't totally resonating with me. And then we haven't even

634
00:42:38,880 --> 00:42:42,280
discussed the matter of like, Okay, let's say that my

635
00:42:42,400 --> 00:42:45,320
refrigerator gets automatic updates or I just have to click

636
00:42:45,320 --> 00:42:47,880
a button in an app when it notifies me to

637
00:42:47,920 --> 00:42:52,480
do so to update my firmware at some point. You know,

638
00:42:52,559 --> 00:42:56,119
fridges sit in houses for long periods of time.

639
00:42:56,639 --> 00:42:59,719
I can't recall the last time that my fridge has

640
00:42:59,760 --> 00:43:04,559
been replaced. In that time, any manufacturer could go out

641
00:43:04,599 --> 00:43:07,400
of business, and then how do you get those updates

642
00:43:07,480 --> 00:43:09,360
right exactly?

643
00:43:10,079 --> 00:43:14,239
Speaker 3: So you know to me, but this is outside the

644
00:43:14,239 --> 00:43:17,239
scope of the CRA But you know, to answer your

645
00:43:17,280 --> 00:43:22,639
question to me, the solution is two or threefold. We

646
00:43:22,639 --> 00:43:27,960
we need to design safety critical consumer appliances in such

647
00:43:27,960 --> 00:43:32,800
a way that the unsafe conditions cannot be brought about

648
00:43:32,880 --> 00:43:35,960
by a cyber attack. I mean, we talk about, you know,

649
00:43:36,000 --> 00:43:39,280
fixing known vulnerabilities, that's only one kind of vulnerability. What

650
00:43:39,280 --> 00:43:43,480
about zero days? There is there's there's logically no way

651
00:43:43,519 --> 00:43:47,039
that someone can you know, solve all zero days. It's

652
00:43:47,079 --> 00:43:49,840
a nonsensical proposition. So there's always going to be zero days.

653
00:43:49,840 --> 00:43:53,159
What if one is exploited and you know, a million

654
00:43:53,199 --> 00:43:58,559
fridges set to a set point that that's unsafe to me,

655
00:43:58,639 --> 00:44:01,039
We've got to design the fridges differently. But that's that's

656
00:44:01,039 --> 00:44:03,719
sort of a different conversation. In fact, that's the topic

657
00:44:03,760 --> 00:44:06,400
of my next book. But which is why I care

658
00:44:06,440 --> 00:44:10,559
so much about it. But but you know, it's it's

659
00:44:10,599 --> 00:44:13,320
these are important questions, and I think the CRA is

660
00:44:13,760 --> 00:44:16,039
a step in the direction of answering them, But I

661
00:44:16,079 --> 00:44:20,320
don't know that it has all the answers. What you

662
00:44:20,480 --> 00:44:26,760
described there makes sense for you know, manufacturers like IBM,

663
00:44:27,119 --> 00:44:31,400
who can you know, produce high volumes of or you know,

664
00:44:31,559 --> 00:44:34,920
Sony or the big fish. But you know, if I'm

665
00:44:35,000 --> 00:44:39,840
a small manufacturer, I produce a thousand devices a year.

666
00:44:41,800 --> 00:44:45,400
I buy components for these devices, I buy software for

667
00:44:45,440 --> 00:44:50,760
these devices from big names like Sony and Microsoft and Oracle.

668
00:44:51,239 --> 00:44:54,800
And you know, I go to Oracle and say, you

669
00:44:54,880 --> 00:44:57,880
must meet my contract requirements or I won't buy my

670
00:44:58,039 --> 00:45:01,199
thousand products from you at a cost of eighty nine

671
00:45:01,239 --> 00:45:05,800
dollars a product. Oracle's going to say, take a flying leap,

672
00:45:06,440 --> 00:45:09,760
We're not signing your contract. Is this realistic?

673
00:45:11,320 --> 00:45:11,599
Speaker 4: Yes?

674
00:45:11,679 --> 00:45:14,159
Speaker 1: And we see this also in practice because we are

675
00:45:14,159 --> 00:45:19,400
not only consulting the big manufacturers but also the smaller

676
00:45:19,440 --> 00:45:24,440
companies in the supply chain. And there you can have

677
00:45:24,840 --> 00:45:32,199
different approaches because when you're buying products from the big companies,

678
00:45:33,760 --> 00:45:36,159
first of all, you have to know that they are

679
00:45:36,559 --> 00:45:40,320
or they might be obliged also under the CRA, so

680
00:45:40,400 --> 00:45:44,920
they are fulfilling all those new cybersecurity requirements and you

681
00:45:45,000 --> 00:45:47,639
also have to check it though there you also have

682
00:45:47,719 --> 00:45:51,480
to check their contracts because there you can see already

683
00:45:51,559 --> 00:45:55,079
they have a lot of new regulations looking at cybersecurity,

684
00:45:55,559 --> 00:46:00,400
either if it's implemented into the general contract, into the

685
00:46:00,480 --> 00:46:06,360
general contract documents, or implemented into one cybersecurity appendix.

686
00:46:07,159 --> 00:46:11,599
So you see all the companies are looking at the

687
00:46:11,639 --> 00:46:14,840
Cyber Resilience Act and then are taking measures and also

688
00:46:14,920 --> 00:46:15,519
looking at.

689
00:46:15,440 --> 00:46:19,639
Speaker 4: Their contract management. So if you're if you're.

690
00:46:19,599 --> 00:46:22,519
Speaker 1: Lucky enough, you can see, okay, they have a contract

691
00:46:22,599 --> 00:46:25,559
which is already regulating all the obligations under the CRA.

692
00:46:27,480 --> 00:46:32,679
Speaker 4: And then if it's not like this, we take the approach.

693
00:46:32,400 --> 00:46:37,880
Speaker 1: That we establish a cybersecurity appendix, so when you're already

694
00:46:38,119 --> 00:46:42,800
in contractual relationship with the big players, you don't have

695
00:46:43,039 --> 00:46:46,039
to negotiate the whole contract from the beginning.

696
00:46:46,440 --> 00:46:48,360
Speaker 4: You can only show them your.

697
00:46:48,199 --> 00:46:53,039
Speaker 1: Appendix and then on basis of this appendix you can

698
00:46:53,119 --> 00:46:55,519
discuss the cybersecurity requirements.

699
00:46:55,960 --> 00:46:57,519
Speaker 4: So this is kind.

700
00:46:57,280 --> 00:47:02,039
Speaker 1: Of approach which has helped also smaller companies in the market.

701
00:47:02,639 --> 00:47:06,119
Speaker 3: For the record, does this apply to industrial products as well?

702
00:47:06,159 --> 00:47:10,679
I mean, our listeners care about programmable logic controllers and uh,

703
00:47:10,760 --> 00:47:16,119
you know steam turbines that have embedded computer components or

704
00:47:16,199 --> 00:47:19,039
is it strictly a consumer goods rule?

705
00:47:20,039 --> 00:47:22,679
Speaker 4: No, And this is a very important point to highlight.

706
00:47:24,119 --> 00:47:29,320
Speaker 1: The Cyber Resilience Act explicitly applies not only to consumer products but

707
00:47:29,360 --> 00:47:32,199
also to products in the B2B sector. So

708
00:47:32,480 --> 00:47:36,239
this means that all software and all hardware products along

709
00:47:36,280 --> 00:47:40,480
with any related remote data processing solutions fall under the

710
00:47:40,519 --> 00:47:45,039
scope of the CRA, either in B2C or

711
00:47:45,079 --> 00:47:47,440
also in B2B relationships.

712
00:47:48,039 --> 00:47:50,920
Speaker 3: Well, Christina, thank you so much for joining us. Before

713
00:47:50,920 --> 00:47:52,559
we let you go, can I ask you? Can you

714
00:47:52,599 --> 00:47:55,280
sum up for our listeners what are the key messages

715
00:47:55,320 --> 00:47:58,599
to you know, take away to understand about what's happening

716
00:47:58,639 --> 00:48:02,840
with cyber regulations, both NIS 2 and the CRA, in Europe and

717
00:48:03,320 --> 00:48:05,159
you know what we should be doing about them as

718
00:48:05,239 --> 00:48:06,920
both consumers and manufacturers.

719
00:48:07,920 --> 00:48:10,840
Speaker 1: Yeah, sure of course. So let me give you a

720
00:48:10,960 --> 00:48:15,679
quick recap. So, first of all, you see the EU

721
00:48:16,280 --> 00:48:21,800
legislators tightening the cyber security requirements significantly with both

722
00:48:22,199 --> 00:48:25,079
the NIS 2 Directive and also the Cyber Resilience Act,

723
00:48:25,679 --> 00:48:29,920
and the new requirements affect any company that offers products

724
00:48:30,000 --> 00:48:32,679
or services to the EU market no matter where they

725
00:48:32,679 --> 00:48:35,719
are based, so it has a very broad

726
00:48:35,800 --> 00:48:40,119
scope of application. Looking at the NIS 2 Directive, it's

727
00:48:40,239 --> 00:48:43,639
very important to know that the NIS 2 Directive is already enforced,

728
00:48:43,679 --> 00:48:47,079
but it has to be transposed into national law, which has

729
00:48:47,119 --> 00:48:50,639
not been fulfilled by all EU member states, and that

730
00:48:50,760 --> 00:48:54,559
the national implementation across the EU is still quite varied.

731
00:48:55,679 --> 00:48:59,360
Looking at the Cyber Resilience Act, the CRA brings new

732
00:48:59,559 --> 00:49:05,239
security obligations to products with digital elements, so for all software,

733
00:49:05,320 --> 00:49:09,880
for all hardware products, and it also is focusing not

734
00:49:09,920 --> 00:49:12,519
only on the cybersecurity on products, but also in the

735
00:49:12,639 --> 00:49:17,960
whole supply chain. So both frameworks require companies to take

736
00:49:18,119 --> 00:49:23,400
proactive steps right now, looking at risk assessment, risk management,

737
00:49:23,599 --> 00:49:28,280
reporting and also contract management, particularly when it comes to

738
00:49:28,360 --> 00:49:34,400
managing their supply chain. So looking at the short implementation

739
00:49:34,559 --> 00:49:39,159
deadlines ahead, both from the NIS 2 Directive and also the CRA,

740
00:49:40,079 --> 00:49:44,039
it's very important for companies to act now. And the

741
00:49:44,119 --> 00:49:48,159
first step we counsel is to identify the

742
00:49:48,239 --> 00:49:52,920
relevant laws because we have a lot of new regulations

743
00:49:53,199 --> 00:49:56,760
looking at digital products and digital services. So yeah, first

744
00:49:56,800 --> 00:50:00,559
of all, check the relevant laws and relevant obligations which

745
00:50:00,559 --> 00:50:04,920
are applicable to your business. And here we offer a

746
00:50:05,039 --> 00:50:08,920
free NIS 2 Quick Check and also a free CRA Quick Check

747
00:50:09,000 --> 00:50:12,000
where you can just click through the different

748
00:50:12,079 --> 00:50:15,320
questions to see if you are under the scope of NIS 2

749
00:50:15,440 --> 00:50:16,440
and the CRA.

750
00:50:17,840 --> 00:50:21,840
Speaker 5: And then after all, when you clarified that you're affected

751
00:50:22,000 --> 00:50:27,000
under one or both of the new regulations, the company

752
00:50:27,079 --> 00:50:32,000
needs to review and adapt their cybersecurity processes both technically

753
00:50:32,119 --> 00:50:38,920
and also organizationally, so it's very crucial to continuously

754
00:50:39,039 --> 00:50:44,719
monitor and ensure compliance with the ongoing legal requirements, especially

755
00:50:44,760 --> 00:50:49,440
also looking at contract management and focusing on the supply chain.

756
00:50:50,400 --> 00:50:54,719
And yeah, there we can help national but also international

757
00:50:54,800 --> 00:50:59,760
companies with kind of a 360 degree approach to

758
00:51:00,039 --> 00:51:05,679
cybersecurity compliance, because we ensure solutions with a range

759
00:51:05,719 --> 00:51:11,199
from product development and marketing to reporting and market measures.

760
00:51:12,000 --> 00:51:17,480
So yeah, we give companies practical and also actionable

761
00:51:17,599 --> 00:51:21,639
guidance at every step, so

762
00:51:21,800 --> 00:51:26,159
looking at the first step to act and yeah, to

763
00:51:26,280 --> 00:51:31,639
identify the relevant laws and obligations to your business, companies,

764
00:51:31,800 --> 00:51:36,280
can visit our free NIS 2 Quick Check and

765
00:51:36,400 --> 00:51:40,440
our free CRA Quick Check, which is available under

766
00:51:41,239 --> 00:51:45,039
nis2-check.com and also

767
00:51:45,320 --> 00:51:48,559
cra-check.com. And yeah, if you have any

768
00:51:48,599 --> 00:51:52,800
further questions, you are free and invited to write to me.

769
00:51:53,000 --> 00:51:54,679
Speaker 4: Via email, via LinkedIn.

770
00:51:55,280 --> 00:51:58,480
Speaker 1: Yeah, I'm happy to connect and thank you very much

771
00:51:58,519 --> 00:51:59,280
for the invitation.

772
00:52:03,079 --> 00:52:08,000
Speaker 2: Andrew. That just concludes your interview with Christina Kiefer, And

773
00:52:08,119 --> 00:52:10,519
maybe for a last word today, we could just talk

774
00:52:10,559 --> 00:52:15,320
about what all of these rules mean practically for businesses

775
00:52:15,360 --> 00:52:17,760
out there, because you know, it's one thing to mention

776
00:52:17,880 --> 00:52:20,360
this rule and that rule on a podcast, but it

777
00:52:20,480 --> 00:52:22,920
sounds like the kind of stuff we're talking about here

778
00:52:23,079 --> 00:52:25,280
is going to mean a lot of work for a

779
00:52:25,320 --> 00:52:26,480
lot of people in the future.

780
00:52:27,239 --> 00:52:30,199
Speaker 3: I agree completely. It sounds like a lot of new

781
00:52:30,239 --> 00:52:33,320
work and a lot of new risk, both for the

782
00:52:33,360 --> 00:52:36,639
critical infrastructure entities that are covered by NIS 2 or

783
00:52:36,679 --> 00:52:42,400
by the local laws, especially for businesses, the larger businesses

784
00:52:42,400 --> 00:52:45,679
that are active in multiple jurisdictions, and certainly for any

785
00:52:45,679 --> 00:52:50,800
manufacturer who wants to sell anything remotely CPU-like, you know,

786
00:52:51,000 --> 00:52:56,599
into the European market. You know, it sounds like a

787
00:52:56,599 --> 00:52:59,719
lot of work, but you know, I have some hope

788
00:52:59,800 --> 00:53:02,760
that, because it's such a lot of work,

789
00:53:03,079 --> 00:53:05,400
it's also a business opportunity, and we're going to see

790
00:53:05,480 --> 00:53:08,559
entrepreneurs and service providers and even the technology providers out

791
00:53:08,559 --> 00:53:13,760
there providing services and tools that will automate more and

792
00:53:13,800 --> 00:53:17,039
more of this stuff, so that not every manufacturer and

793
00:53:17,079 --> 00:53:21,480
every critical infrastructure provider in the European Union or in

794
00:53:21,480 --> 00:53:23,679
the world selling to the European Union, not every one

795
00:53:23,719 --> 00:53:26,679
of them has to invent all of the answers

796
00:53:26,679 --> 00:53:28,519
to these new rules by themselves.

797
00:53:29,760 --> 00:53:32,360
Speaker 2: Well, thank you to Christina for elucidating all of this

798
00:53:32,440 --> 00:53:35,280
for us, and Andrew as always, thank you for speaking

799
00:53:35,320 --> 00:53:35,519
with me.

800
00:53:36,159 --> 00:53:37,480
Speaker 3: It's always a pleasure. Thank you, Nate.

801
00:53:38,280 --> 00:53:42,400
Speaker 2: This has been the Industrial Security Podcast from Waterfall. Thanks

802
00:53:42,400 --> 00:53:49,840
to everyone out there listening.

