A few days ago, the UK government made a bold statement regarding the cyber security of the nation. Organisations working in “critical industries” could face fines of up to £17 million if their cyber security measures aren’t up to scratch.
Companies that operate in the energy, transport, water, health and digital infrastructure sectors are all affected by the new rules, which will see new regulations being brought in to oversee these industries and monitor compliance.
As well as ensuring that organisations have appropriate security measures in place, there’s also an emphasis on proper reporting of incidents. According to the government’s press release on the matter, “A simple, straightforward reporting system will be set up to make it easy to report cyber breaches and IT failures so they can be quickly identified and acted upon.”
This comes as part of the Directive on Security of Network and Information Systems (NIS Directive), which was adopted by the European Parliament on 6th July 2016. After coming into force in August 2016, Member States were given 21 months to transpose the directive into the own national laws, plus another six months to work out which companies the rules will apply to.
If you’re running an average SME, which doesn’t work into any of the critical sectors identified by the NIS Directive, then you won’t be directly affected by it.
Nevertheless, this piece of legislation, which forms part of the National Cyber Security Strategy, should still be of interest, because it marks a clear signal of intent from UK and EU policy makers. With cyber crime an ever-present threat and state-sponsored cyber attacks hitting critical infrastructure, the authorities are making it clear that sticking your head in the sand is not an option.
Smaller, non-critical organisations may not be subject to the NIS Directive, but they are affected by General Data Protection Regulation (GDPR), which also places a good deal of emphasis on cyber security. In this context, they have a duty to protect personal data, using “appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. (Interestingly, the potential fines for non-compliance with GDPR can also be up to £17 million, but presumably companies in critical industries with have to adhere to both sets of rules.)
While the authorities are giving themselves greater power to hit companies in the pocket, neither the NIS Directive nor the GDPR are mainly about issuing fines. Perhaps the potential life-and-death nature of work in the critical industries will mean such organisations will be judged more strictly, but certainly in the case of GDPR, fines will be the standard response. According to the Information Commissioner, Elizabeth Denham:
“Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.
“And we have yet to invoke our maximum powers.”
Ultimately, how the Information Commissioner’s Office (ICO) will view businesses will depend on how much effort they make with their cyber security. If a business suffers a security breach and is found to have woefully inadequate security, then they can expect to be treated less favourably than one that takes precautions but which gets hacked anyway.
How good is your business's cyber security? Find out with a Cyber Essentials certification. Click here to find out more.