Cybersecurity Market Profile [1] - Romania

Transcription

1 Cybersecurity Market Profile [1] - Romania March 2014 Produced by the Canadian Trade Commissioner Service 1. Sector Overview Value of imports and exports In total Romanian Gross Domestic product for 2013 was estimated by National Statistics Institute to bn. RON ( approx bn. CAD [2] ), 3.5% higher than the one recorded in To this value, the Information and Communication sector has contributed with bn. RON (approx bn. CAD) and to the GDP growth with 0.1%. To illustrate the market potential, we have benchmarked Bitdefender SRL, one of the most prominent Romanian firms in the cybersecurity sector, which has recorded an average number of employees of 278 and net revenue mil RON (approx. 55 mil. CAD) [3]. Other market plans with this sector as a priority In a survey by Kapsch BusinessCom, the number of local companies that underwent external security audits in the past three years is only 38%, with the average being 46%. The same study reports that in the ICT Market Development Index, which compares the predictions for the future in the surveyed countries, Romania is already ranked as second, with 2 points behind Poland [4]. Both numbers indicate that there is a growth opportunity in this sector, especially in highly regulated industries, such as financial services (e.g. banks and insurance agencies), telecommunication and pharmaceutical industry. Main investors and recent investments Romanian Intelligence Service (SRI) will develop in the next period a national ICT infrastructure protection against threats from cyberspace, a project that will be financed with non- refundable EU funds worth 96.9 million RON (approx mil CAD [5] ). [6] The National Agency for Fiscal Administration (ANAF) is the Beneficiary of the project "Implementation of IT security policy in the context of the Modernised Customs Code", a EU funded project worth ,61 RON (approx. 4 mill CAD). The target group of the project is represented by both IT specialists from the Department of Information Technology, Communications and Customs Statistics of ANAF and the Regional Customs Directorates and customs officials using Integrated Customs Information System (SIIV). [7] Main local copmanies - highlighted organizations Cyber Smart Defence - One of the upcoming companies in Romania (abbreviation CSD), which originated from a web development company incorporated in Romania in As often in this industry sub- sector, the firm employed a former grey- hat hacker, now converted to an ethical IT

2 security expert, who hacked Pentagon, NASA and Royal British Army servers in the past. The company provides services such as penetration and vulnerability tests and IT security audit for a range of industries including Finance & Banking, Energy, IT&C and public sector. Bitdefender - An important Romanian company in this sector, which has launched in 2001 by SOFTWIN Group. Bitdefender detached from Softwin in According to German Independent Institute, AV- TEST has granted Bitdefender the awards for best protection and best performance, as a result of tests performed throughout Another major testing independent institute, AV Comparatives, awarded them a contract for proactive protection, consolidating Bitdefender s global leader position in detecting unknown threats. Among the services and software they provide, the following are included: Cloud security for Endpoints Bitdefender Security for File servers Bitdefender Security for Mail servers Main foreign companies Among many foreign companies which provide services related to cybersecurity in Romania, the most prominent are: Kaspersky - a well- known multinational computer security company founded in They have been ranked 4th in the IDC ranking Worldwide Endpoint Security Revenue by Vendor, IBM - a multinational technology and consulting company founded in In 2011, Fortune Magazine ranked IBM the 1st in magazine's 2011 Global Top Company for Leaders study IBM IT security services provide risk management solutions for protection against threats: Managed Security Services which includes: Security Intelligence Analyst, Firewall Management, Event and log management services, Vulnerability management, mobile device security, network detection etc.; IT Security consulting which includes: Application security services, emergency response services, data security services, penetration testing services, security compliance services etc,; Payment Card Industry (PCI) security solutions Security intelligence Number of jobs supported or persons employed in this sector in cybersecurity According to several independent studies, Romania ranks 6th in the world in IT specialists number reported to country s population, 7th in number of cybersecurity attacks originating from Romania, with 2.8% of the world s attack traffic during last 3 months of 2012 having Romania as source of attack. [8] According to Data Breach Investigations report prepared in 2013 by Verizon. [9] Romania s IT market is one of the fastest growing markets in Central and Eastern Europe, where 45% of IT Managers having their budgets increased in the next years and 17% being confident about the strong growth of the market. This in turn, implies that the portion of this increase will also go for boosting cybersecurity teams and overall defenses of many organizations, especially in traditionally highly- regulated industries.

3 Also 20% of IT managers in Romania are planning to offer BYOD (Bring Your Own Device) opportunity in the next 3 years, which will also in turn implicitly increase a demand for cybersecurity products, services and human resources both in terms of implementation as well as compliance. According to a survey by Kapsch BusinessCom, Romania is comparably strong in offering mobile access to enterprise applications via smartphone or tablet and the opportunity to integrate own mobile devices into company networks. In 2012, in Romania there were 4,777,152 people employed, out of which 43,591 were the in telecommunication sector and 47,049 in Information Technology services. The average salary for IT specialists was 4,954 RON (approx. 1, CAD [10] ), as reported by National Statistics Institute in the October 2012 report on employees. Number of jobs supported or persons employed in this sector in cybersecurity Occupation Number of employees Medium Average Number Number who have worked at gross gross of normal of least 23 days, full time, salary earnings working working in October 2012 hours in hours October paid in 2012 October 2012 System analyst 4,512 5,236 5, Software designers 18,501 5,632 5, Application programmers 5,951 4,841 4, Software programmer analysts not included in the above categories 3,904 5,159 5, Computer network specialists 3,359 3,901 3, In order to put the numbers from above in a bigger context, in 2012 in Romania 4% of enterprises have employed ICT specialists and 2% provide them a training. [11] Relative maturity of the sector (emerging, well-established, etc.) The cybersecurity market in Romania is still at an emerging stage and there is significant potential to be captured both domestically and internationally, especially having in mind intellectual potential that Romanian IT sector exhibited in the past few years as well as the exposure of Romanian market to cybersecurity threats and opportunities. As an example of emerging trends, a small IT company from Satu Mare has developed Peperton, a

4 dedicated server monitoring system which facilitates the process of analyzing, managing and reporting of complex data, in real time, for the parameters of each monitored component. In order to support local economies, they have created a programme for universities which can benefit from a free account with 50 monitors for a year. Server monitoring sector is not as explored as it is in other countries and it has a great potential for development. In terms of estimating a potential demand for cybersecurity services and products, it has to be noted that Romanian National Computer Security Incident Response Team CERT- RO has identified that in the in the second half of the 2013, the number of automatic alerts has grown, but the compromised IP addresses has lowered. The received alerts are usually referring to ".ro" domains affected by several types of incidents. CERT-RO Reports Summary Collected data January June 2013 Year 2013 Total number of automatic alerts received 17,511,109 43,231,149 Total number of unique IP addresses extracted from the total number of alerts 1,716,278 2,213,426 CERT- RO identified data corresponding to 5,678 compromised domains out of 691,419 domains registered in Romania, in August 2013; the number represents less than 1% of the total ".ro" domains. By the end of the year, the number of compromised.ro domains has almost doubled and got to the value of 10,239, representing 1.4% of the total.ro domains. More important, the full year report identified that 60% of these domains are infected with several versions of malware, which can spread among the sites guests. Please see below the monthly distribution of alerts for the compromised.ro domains: Based on the data analysed, CERT-RO has come to the conclusion that IT related threats on national cyberspace become more and more diverse, ascending trend in terms of quantity and technical complexity being identified. In this regard, it should be noted that among the difficulties identified in the process of response to

5 cyber security incidents are the following: the lack of explicit legal provisions relating to the responsibilities of notification, response, combating and eliminating the effects of security incidents by state authorities or entities in the private sector, leading to shortage of real- time response activities to such incidents. Information on the integrative trade perspective The Romanian Government signed a memorandum with Chinese company Huawei in November 2013 for support in critical structures of security. According to the Memorandum, the MSI (Ministry of Informational society) will support Huawei in developing critical IT systems such as National Informational and Communication System, Wide Band National Network and System for traffic monitoring and supervision. 2. Market and Sector Challenges (strengths and weaknesses) Policy and access issues In regards to laws, rules and regulations on the use of Internet, Romania has laws on electronic commerce, online author rights, electronic signature, electronic payment, online advertising, the protection of personal data, cybercrime, internet pornography and electronic communications. There are also some project laws developed by the Ministry of Communications and the Information Society for minimum security conditions of the digital systems for the Public Administration and the national electronic records. The major threats regarding cyber space for Romania are inclined to be around critical infrastructure, and targeting other infrastructures by their connection with this one (for example: financial/banking systems, energy systems, national defense). Also, to confidential data access adds the possibility to modify this information or use it in several purposes. [12] Changes to policies with implications to trade and investment International developments have also an impact on Romania s views and options on cyber security, such as within the European Union, NATO, OSCE, that have adopted rules on the use of Internet and which are striving to adopt strategies for cyber security. The European Union The European Commission has identified significant enforcement gaps between members in the case of cyber security that could act as a barrier in enforcing judicial cooperation. Therefore, in November 2010, a first pan- European cyber security exercise was concluded to determine ways for strengthening Europe s cyber defence. Some of the objectives identified by the exercise were: to increase understanding of how management of incidents is done in different member states; to test the communication channels, communication points and procedures between member states; to increase mutual support procedures during incidents or massive cyber attacks NATO As a NATO member, Romania will also benefit from the Alliance s efforts, developments, and information and it will need to adapt and develop its own prevention and defence capabilities in order

6 to keep up with the Alliance requirements. OSCE The Organization for Security and Co- operation in Europe (OSCE), with 56 States from Europe, Central Asia and North America, is the world s largest regional security organization. It therefore addresses a wide range of security- related concerns, as well as cyber security. OSCE considers cyber security a transnational issue that can be overcome through coordination and cooperation between countries. That is why it organizes frequent workshops, forums and meetings on cyber security and cyber defense, through which countries can discuss and share know- how and expertise to improve their capability to defend their digital infrastructure from cyber- attacks. Expected sector growth The increasing importance of cyber security in our societies also creates the need for new tools for managing cyber vulnerabilities, especially when we examine the exponential growth in users of the Internet worldwide. If in December 2000 there were about 360,985,492 users in the world, in 2010 there were 1,966,514,816. By comparison, in Romania there were approximately 7,786,700 users in 2010, registering an 873.3% growth in just ten years. Having in mind this indicator, as well as indicators showing future increases in IT budgets, it is expected that this sector will grow proportionally with local industry demand for improving overall cybersecurity defenses s overall cybersecurity awareness grows, but also will be proportionally boosted by new EU and local compliance requirements especially in highly regulated industries, such as financial services. Tax and financing issues There are several aspects to be considered for potential investors. A company is considered tax resident in Romania if its head office is registered in Romania or has its place of effective management in Romania, the standard corporate income tax rate being 16%. As a general rule, foreign entities are subject to Romanian tax on the income derived in Romania. The extent to which a foreign entity is subject to Romanian taxation depends on the activities undertaken in Romanian and / or with Romanian residents. A foreign entity can become subject to taxation by establishing a branch, a permanent establishment, a representative office or by becoming subject to withholding tax on the income obtained in Romania. Branches have to be registered with the Romanian Tax Authorities. The registration, taxation (taxable profits are taxed at 16%) filing and payment requirements are similar to those for a Romanian company. A branch is considered to have the same legal personality as the parent company and, therefore, is not a separate legal entity (no own share capital, no separate name, etc.). The branch s object of activity cannot be more extensive than that of the parent company. Funds distribution to the head office country are not regarded as dividend distribution, therefore, no withholding tax liability arises. As with limited liability companies, however, profits are transferred at year- end, after the head office approves the branch s financial statements. Accelerated depreciation

7 Under the Fiscal Code, machinery and equipment, computers and their peripherals, as well as patents, may be depreciated using the accelerated method, under which a maximum of 50% of the asset s fiscal value may be deducted during the first year of usage, while the rest of the asset s value can be depreciated using the straight line method over the remaining useful life. Special incentives for expenses related to research and development activities Companies can benefit from an additional deduction of 50% of the eligible expenses for research and development. Moreover, accelerated depreciation may be applied for devices and equipment used in research and development activity. In order to benefit from this supplementary deduction, the eligible research and development activities must be applicative research and / or technological development relevant to the taxpayer s activity and must be performed in Romania or in the EU / EEA member states. The above incentive is granted separately for each research and development project. State aid schemes available for large investments From 2011, the following types of investment incentives have been granted based on state aid schemes or on individual aid: Non- refundable amounts for the acquisition of tangible or intangible assets; Financial contributions from the state budget for newly- created jobs; Subsidised interest on contracted loans, as well as other types of incentives prescribed by the legislation in force (for example, state guarantees). At the same time, depending on the specifics of each regulator bill, state aid schemes/individual aid for investments can be granted for the following objectives: Acquisition of tangible or intangible assets regarding the setting- up of a new unit, the extension of an existing unit, the production diversification or a fundamental change of the production process; Acquisition of fixed assets directly linked to a closed unit or to one that would have been closed; Commencement of certain research and development projects; Creation of new jobs; Professional training of employees; Commencement of projects regarding the use of renewable energy resources, environment protection and sustainable development. Moreover, in order to benefit from state aid for investments made in Romania, the latter should contribute to the achievement of one of the following objectives: Development and regional cohesion; Environment protection and rehabilitation; Increasing energy efficiency, production and use of energy from renewable resources; Encouragement of research and development and innovation processes; Employment and workforce training.

8 IT and communications industry is one of the main areas of activity which are eligible for this incentive. 3. Sub-sector Identification Based on information collected, potential subsector segments in this particular market would include: Data protection and data security Antivirus products and related services Consulting services for boosting cybersecurity defenses in many organizations 4. Case Study Ottawa- based TITUS Inc. is one of a leading provider of security and data governance software that helps organizations share information securely while meeting policy and compliance requirements. With over 2 million users worldwide, their solutions enable enterprises, military and government organizations to classify information and meet regulatory compliance by securing unstructured information. In Romania, their most notable activity is represented by: 1. Data Protection Project for UniCredit Tiriac Bank [13] Every single day, UniCredit Tiriac Bank s more than 3,000 employees are handling sensitive financial information for individuals and business, making security a top priority. To handle this challenge, UniCredit Tiriac Bank had deployed a DLP solution to handle information at the desktop and infrastructure level, therefore preventing information from leaving the organization. While effective, the DLP relies on artificial intelligence to determine what information should be blocked and can result in false positives. Upon deploying the DLP solution, the team that was in charge quickly identified the need for another layer of security. This layer incorporated a user- driven classification in order to make users responsible for their data and extend the value of the DLP solution. Taking this into consideration, the UniCredit Tiriac Bank team started to investigate approaches and solutions that would work with their existing DLP and add user-driven security to the mix. In particular, they wanted a solution that would be easy to use and implement and cover both and documents. After assessing several solutions, the team selected TITUS Messaging Classification (TMC, including Blackberry Enterprise Server Interoperability), and TITUS Classification for Microsoft Office. 2. Partnership with Crucial Systems & Services SRL [14] Crucial Systems & Services SRL is a company founded in 1998 in Constanta/Romania, which offers integrated applications (ERP- Enterprise Resource Planning, CRM- Customer Relationship Management, Business Intelligences Solution (QlikView), Archiving solutions, Document Management Solution, Security Solutions, IT Consulting, Warranted Networks, Authorized Support on HP, Dell and Fujitsu products).

9 The company is listed as a Titus Distributor for the following services: [15] Data Loss Prevention Intelligent Archiving and E- Discovery Automated Protection of and Documents Blackberry Filters Canadian Government Contacts Canadian Embassy in Bucharest, Romania Neil Swain Foreign Affairs, Trade and Development Canada 125 Sussex Dr. Ottawa, ON K1A 0G2 Footnotes [1] PwC Audit SRL Romania has prepared this report based on primary and secondary sources of information. Readers should take note that the PwC Audit SRL Romania does not guarantee the accuracy of any of the information contained in this report, nor does it necessarily endorse the organizations listed herein. Readers should independently verify the accuracy and reliability of the information. [2] Foreign exchange rate RON to CAD as of March 12, 2014 [3] Financial statements published on Ministry of Finance website [4] business-review.eu/ [5] Foreign exchange rate RON to CAD as of March 12, 2014 [6] Interview by Dumitru Cocoru, SRI General for Hotnews website - economie.hotnews.ro [7] [8] [9] phys.org/ [10] Foreign exchange rate RON to CAD as of March 12, 2014 [11] epp.eurostat.ec.europa.eu/%e2%80%8e [12] [13] [14]

10 [15]