Organisations that fail to implement effective cyber-security measures could face significant fines, as part of plans to make Britain’s essential networks and infrastructure safe, secure, and resilient against the risk of future cyber-attacks.
Under the proposed plan, the Information Commissioner’s Office (ICO) would be empowered to issue fines of up to £17 million or 4 per cent of global turnover in cases of the most serious data breaches against organisations that fail to implement effective cyber-security measures. Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack, the U.K. government stated in a press release.
The plans are being considered as part of a consultation launched by the Department for Digital, Culture, Media and Sport seeking views on how to implement the EU’s Network and Information Systems directive (NIS Directive), which is due to come into force in May 2018.
The NIS Directive relates to loss of service rather than loss of data, which falls under the EU’s General Data Protection Regulation (GDPR). The intent of the NIS Directive is to ensure U.K. operators in electricity, transport, water, energy, health, and digital infrastructure are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT, such as power failures, hardware failures, and environmental hazards, the government stated.
Compliance measures.

The NIS Directive, once implemented, will form an important part of the government’s five-year £1.9 billion National Cyber Security Strategy (NCSS), which was announced in November 2016. The strategy includes opening the National Cyber Security Centre and offering free online advice, as well as training schemes to help businesses protect themselves.
“We welcome this consultation and agree that many organisations need to do more to increase their cyber security,” NCSC CEO Ciaran Martin said in a statement.
The government is proposing several security measures in line with existing cyber-security standards. Operators will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, security monitoring, and staff awareness and training; to report incidents as soon as they happen; and to have systems in place so that they can recover quickly after any event, with the capability to respond and restore systems. Operators that take cyber-security seriously should already have such measures in place, the government stated.
The government said it soon will hold workshops with operators so they can provide feedback on the proposals. Hancock said he encourages all public and private organisations in essential sectors to take part in the consultation.