Organisations that supply “essential” services, but which fail to implement “effective” cyber-security measures, could be fined as much as £17m (U.S.$22m) or 4 percent of global turnover as part of plans to make the United Kingdom “safe, secure and resilient” from cyber-attacks.
The plans are being considered as part of a consultation launched on 8 August by the Department for Digital, Culture, Media, and Sport to decide how to implement the European Union’s Network and Information Systems (NIS) Directive from May 2018, which is aimed at ensuring that essential services are able to minimise disruption caused by cyber-threats, as well as power and hardware failures, and environmental hazards. The consultation closes on 30 September.
The NIS Directive, which relates to loss of service rather than loss of data (the latter falls under the General Data Protection Regulation, or GDPR, and is also due to come into effect in May 2018), was drafted in 2013 and approved by the European Union last July. Once implemented, it will form an important part of the government’s five-year £1.9bn (U.S.$2.47bn) National Cyber Security Strategy announced in November 2016, which includes opening the National Cyber Security Centre and offering free online advice and training schemes to help businesses protect themselves.
U.K. operators in electricity, transport, water, energy, health, and digital infrastructure will need to show that they have plans in place setting out how they review cyber-risks, and how they would restore services in the event of an attack.
The consultation proposes similar penalties for flaws in network and information systems as those coming for data protection breaches with the GDPR. The government says that fines would be a last resort, and they would not apply to those operators that have suffered an attack but who can demonstrate that they assessed the risks “adequately,” have taken appropriate security measures, and have engaged with competent authorities.
“We want the U.K. to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards,” says Minister for Digital Matt Hancock.
The consultation coincides with a government survey released on 21 August that shows that one in ten FTSE 350 companies operate without a response plan for a cyber-incident and less than a third of boards (31 percent) receive comprehensive cyber-risk information.
The government is consulting on a number of issues, including:
The essential services the directive needs to cover;
The penalties it should impose;
The competent authorities to regulate and audit specific sectors;
The security measures it wants to impose;
Timelines for incident reporting; and
How the directive affects digital service providers.
The government proposes a number of security measures that organisations in these sectors should implement, which it believes are already in line with existing cyber-security standards. For example, operators will be required to develop a strategy and policies to understand and manage their cyber-risk. They will also need to implement security measures to prevent attacks or system failures, including measures to detect attacks, to develop security monitoring, and to raise staff awareness through training. Organisations will also need to report incidents as soon as they happen, and to have systems in place to ensure that they can respond to any event, restore systems, and recover quickly.
“Any operator that takes cyber-security seriously should already have such measures in place,” says the government, which will shortly hold workshops with operators so they can provide feedback on the proposals.
Several problems, however, have already come to light. IT security experts point out that it can take on average around six to seven months for an organisation to detect that it has been hacked, and even longer to assess the damage and remediate it. This makes incident reporting a contentious issue. Also, while the consultation spells out which sectors are to be covered under the directive, it is not overly prescriptive about which companies operating within these sectors would be subject to the rules. Presently, the threshold is determined by the number of customers that could be affected, but this varies wildly in some instances: For example, electricity firms that supply 250,000 customers are covered under the rules, but in Northern Ireland—due to a much lower population—operators with just 8,000 customers will have to comply with the regulations.
Below is some useful advice compliance professionals may want to consider to ensure that they are prepared for the legislation due to come into effect next May.
1. To follow “best practice,” organisations need to be able to demonstrate they follow security standards and guidelines such as ISO 27001 or the U.K. Government’s “Cyber Essentials.”
2. Compliance functions should ensure that their organisations conduct a thorough risk assessment, and understand the dependencies between systems. They should also use threat detection to monitor attacks, and contextualise results with business context in order to prioritise events.
3. Organisations should review their policies, procedures, training and technology to ensure best defences.
4. Compliance should ensure that the organisation conducts an audit of corporate systems and a risk assessment to highlight the areas where the business is susceptible to attack. Organisations should also analyse the internal and external risks to their networks and data, gather and assess threat intelligence, and have an effective incident response in place.
5. Compliance professionals should identify what constitutes “sensitive data”; determine who has access to it; and ensure preventive and detective controls are tight.
6. Make sure that staff are aware of the potential consequences their company could face, and give them an understanding of what measures the business is undertaking to stay compliant.
7. Compliance should make sure that the organisation adopts a policy that encourages staff to receive advice and training from experts. Provide a work environment where staff feel confident that they will be supported if they fall foul of a targeted attack.
Source: Neil Hodge
Lawyers have also pointed out that the planned legislation may not be as prescriptive as it should be regarding the degree of effort organisations need to make to comply, particularly when companies that will be subject to the rules only need to demonstrate “adequate” risk assessment policies. “The difficulty with this approach is in defining ‘adequate’ for each industry, business size, complexity, and available resource,” says Emma Roe, partner and head of commercial at law firm Shulmans. “Learning a lesson from a similar approach taken under the Bribery Act 2010, one would hope that the government would prepare sufficiently detailed guidance in advance of implementation to enable businesses enough transition time and information to implement procedures that meet those ‘adequacy’ thresholds.”
Others are concerned about how organisations will be treated under two sets of rules that will come into effect at the same time that regard cyber-breaches differently. Sam Curry, CSO at cyber-security company Cybereason, points out that if an operator suffers a cyber-attack that exposes customer data and also disrupts the service it is meant to provide, then the organisation could be hit twice under NIS and the GDPR and be liable for fines worth up to 8 percent of global turnover in total.
Oz Alashe, CEO of cyber-security vendor CybSafe, says that there is a “discrepancy” between the policies outlined in the forthcoming GDPR and those in the recent government consultation. “Adoption of the GDPR would mean large fines for companies that expose private data, regardless of whether that data was compromised accidentally or through malicious means. However, the recent government NIS consultation proposals are somewhat more lenient—fines would not apply to operators that had followed proper procedures but still suffered an attack.”
Nathalie Moreno, partner at law firm Lewis Silkin, says, however, that the NIS Directive and the GDPR are “complementary” and have “significant overlaps” in so far as they both require the implementation of risk-based security measures and both mandate notification in the case of an incident. Moreover, she says, they both have some extra-territorial effect, as they apply to organisations based in the European Union as well as to those based outside the European Union (but which offer services within the European Union).
But where the legislations differ, she says, is in the type of organisations targeted, the nature of the breach, and the types of incidents involved.
“In practice, it is expected that a majority of organisations will be subject to both the security and breach reporting requirements under the GDPR and the NIS Directive,” says Moreno. She adds, however, that “the overlap between the two pieces of legislation could mean that organisations may face conflicting obligations, multiple notification requirements and liabilities in cases where an organisation has violated the provisions of both laws.”