Latest news: Cybersecurity in drinks

2 August 2024

ECSO proposes changes to EU cybersecurity rules

The pan-sector European Cybersecurity Organisation (ECSO) has highlighted problems with NIS2, an EU directive on measures for a high common level of cybersecurity across the bloc. 

With the European Commission collecting feedback on the draft implementing act under the directive, ECSO shared concerns over costs, vague requirements, and incident reporting. 

While acknowledging the progress towards enhancing cybersecurity across Europe, ECSO said it had identified areas of concern and provided recommendations to improve the act’s effectiveness.

One of the primary concerns raised by ECSO was the potential for excessive and disproportionate costs associated with implementing the requirements outlined in the directive. 

The organisation said cybersecurity measures should be risk-based and tailored to the specific threats and vulnerabilities faced by individual entities. 

Doing so would help avoid unnecessary financial burdens on organisations while ensuring adequate protection against cyber threats, ECSO said. 

The membership body also sought to highlight the ambiguity in some of the security requirements, which, it argued, could hinder the implementation of the act. The lack of clarity might lead to inconsistent application of the rules across different entities, potentially undermining the overall security objectives. 

ECSO also warned of an extensive list of criteria for defining significant incidents, which it said would increase both the financial and administrative load on affected entities. It suggested the act should require two or more criteria to be met for an incident to be considered significant, ensuring a more proportional approach.

The body, meanwhile, recommended aligning the act’s requirements with existing compliance schemes, such as ISO/IEC 27001. This alignment would help streamline the implementation process and reduce the burden on entities, particularly those with technical limitations.

26 July 2024

Cyber breach had “material impact” on operations, Crimson Wine Group says

Crimson Wine Group has reported a cybersecurity breach that “likely had a material impact” on its operations, the US wine producer said. 

Crimson Wine detected the breach on 30 June when it discovered a third party had gained access to the company’s internal information systems, including sensitive consumer and corporate data. 

The group said hackers accessed its systems and exfiltrated data and files that “potentially” contained sensitive information. 

“The company is still investigating the extent of any personal or otherwise sensitive information contained in the files acquired by the unauthorised third-party, including if any personal information of customers was impacted,” Crimson Wine said in a Securities and Exchange Commission filing yesterday (25 July). 

Crimson Wine said it would send notifications to any parties affected by the cybersecurity breach. 

Operations were disrupted when the company reacted to the breach, as it shut down certain systems and isolated its functions from the internet. Business application systems such as financial and operating reporting systems were also affected as Crimson Wine looked to mitigate the risk of further breaches.

The vintner said it had “adequate” cybersecurity insurance to offset the cost of the breach. However, it said there was still a risk of related losses not covered by insurance, such as “potential litigation, changes in customer behaviour [and] additional regulatory scrutiny”. 

Crimson Wine owns and manages around 870 acres of vineyards across five regions in California, Washington and Oregon. Its brands include Pine Ridge Vineyards and Archery Summit. 

10 June 2024

Coca-Cola HBC signs ID security deal with CyberArk

Coca-Cola HBC, one of the world’s largest bottlers of Coca-Cola products, has struck a deal on identity-security with CyberArk. 

The contract, for which financial terms were not disclosed, will see CyberArk “safeguard” Coca-Cola HBC’s cloud migration, “secure critical assets and to manage sensitive access for both internal and external users”, the security firm said. 

The bottler will use CyberArk’s “identity security platform” to shore up access for staff and for the vendors it works with in distribution and IT.

“We were feeling the pressure that many other FMCG and CPG companies experience. We have so many potential attack vectors and it is challenging to secure all of them without hindering operations,” Theodoros Stanimerakis, cybersecurity platforms manager at Coca-Cola HBC, said. 

“From software and factories to shipping supply chains, our business has multiple areas for potential interruption. To minimise risk, we needed a partner who could help us secure access for employees, vendors and other partners across multiple geographies – ideally from a single tool.” 

Coca-Cola HBC has more than 33,000 employees across 29 different markets in Europe and Africa. 

In the company’s 2023 annual report, the group reflected on the wider cybersecurity threat, acknowledging that it “saw continuing cyber attacks against government operations and companies in many of our markets” and that “the number and sophistication of cyber incidents is expected to increase in the short to medium term”. 

Coca-Cola HBC listed a number of “focus” areas in cybersecurity in 2024, including improving “prevention and detection capabilities in plants”. The company also said it would “introduce targeted cyber training to sensitive user groups” and “develop an annual programme of testing controls over sensitive cyber and IT domains”.