For many people, 2022 began with the hope that there were better times ahead. That hope didn’t last long. The economic and political security situation in Europe has deteriorated over the course of the year. Everyone is therefore required to be more aware of risks and to adopt security measures to prevent threats. That means, in turn, greater focus on laws aimed at protecting Sweden’s security. One such law is the Protective Security Act (2018:585).
The Protective Security Act has been updated a number of times in recent years, most recently in December 2021. The Act imposes specific obligations on those engaged in security sensitive business activities. Among other things, the Act requires such operators to report on their business activities, draw up a security protection analysis, adopt security measures and observe specific requirements in the case of transfers of business or shares in a security sensitive business.
A specific security protection assessment and suitability test must also be carried out before an operator can transfer a security sensitive business or part thereof. There must also be prior consultation with the supervisory authority. Shareholders of private limited companies must also consult before they transfer shares in a security sensitive business. The consultation authority may order those sellers to adopt measures to fulfil their obligations under the Act and may ultimately prohibit the transfer. A transfer in breach of a prohibition becomes invalid.
Operators which are subject to the Protective Security Act but which have failed to adopt measures to comply with its provisions risk administrative fines that may amount to 50,000,000 SEK.
The updated Protective Security Act and the prevailing circumstances are leading to stricter supervision, which means that more and more businesses can be subject to the obligations under the Act, while many remain unclear as to whether they are running a security sensitive business. The person running a business is personally responsible for investigating and assessing whether the business is security sensitive.
In view of the greater importance of security protection, it is important for operators to investigate their responsibility. At the same time, it remains difficult to assess which businesses or parts thereof are considered to be security sensitive. It is therefore useful to carry out a security protection analysis in order to investigate the need to adopt measures in your own business.
HOW TO KNOW IF YOUR BUSINESS IS SECURITY SENSITIVE
“Security-sensitive business” is a broad concept and there are no concrete frameworks to identify who is carrying on security sensitive business. Each operator is therefore individually responsible for carrying out the assessment, particularly taking into account the fact that what constitutes a security sensitive business may vary over time, depending on the threat to Sweden. Security-sensitive businesses are common in sectors such as telecoms, banking and finance, energy and water supply, transport, financial services and information systems for electronic communications. Businesses that process large quantities of information or personal data, which are not themselves subject to security classification but which may be considered to be security sensitive for other reasons, may also be included.
The basis for the assessment is whether the business is important for Sweden’s security. One way to assess whether your business is important for Sweden’s security is to investigate whether an enemy attack on your business could cause damage to Sweden’s external or internal security, economy or national activities of key public importance. This can often be the case in businesses such as financial payment systems, airports or communications network providers.
Businesses that process data that are not in themselves classified as security sensitive but that are used in a security sensitive activity can be considered to be security sensitive. For example, a supplier of products with associated technical solutions to Sweden’s healthcare and medical services can constitute a security sensitive business because an IT attack on such a supplier may make it very difficult to carry out necessary tasks in Swedish healthcare and medical services. One relatively recent example of a similar incident is the cyberattack on Coop in 2021, in which the payment systems of 800 stores were closed down. A similar attack on a supplier in the medical industry could lead to major consequences.
CARRY OUT A SECURITY ANALYSIS
A security protection analysis can be started by answering the following questions in order to gain a clearer picture of your need to carry out security protection in accordance with the Act:
- What is the goal of the business?
- Are there any parts of the business that are considered worthy of protection with regard to Sweden’s security?
- What threats exist? For example, what types of attackers exist?
- What consequences could an attack or interference have?
- What threats and vulnerabilities are associated with the business?
Do you want help with carrying out a business analysis? Do you have any questions about what the requirements relating to security sensitive businesses mean for you or are you about to undergo a transfer of a business? At Lindahl we will guide you to a successful result!