The UK government says it will levy hefty fines for companies with poor cyber security, as it looks to implement tougher EU rules for critical infrastructure and digital services.
In January, the government warned critical infrastructure providers that they need to boost cyber security or face fines for leaving themselves vulnerable to an attack. As part of its implementation of the EU’s Security of Network and Information Systems Directive (NIS Directive), the UK says it will fine organisations up to GBP 17 million if they fail to maintain effective cyber security measures.
Cyber security incidents in recent years have shown that critical infrastructure providers are an attractive target for hackers, and that they are also susceptible to disruption through single points of failure.
According to the National Cyber Security Centre (NCSC), the magnitude, frequency and impact of network and information system security incidents in the UK is increasing. The NCSC warns that the technical barriers to launching successful attacks is decreasing and that hackers regularly attempt to penetrate UK networks, including those in the defence, finance, energy, telecommunications and government sectors.
Head of the NCSC, Ciaran Martin recently stated that he expects that the UK will face a “category one” cyber attack against critical infrastructure within the next two years. The UK has already seen significant disruption to critical services from malicious cyber events. Last year the National Health Service (NHS) was affected by the WannaCry ransomware attack, which locked down the IT systems of hospitals and medical practices.
The NCSC is also concerned that the UK could suffer an attack similar to those seen in other parts of the world. In January it emerged that suspected North Korean hackers planted malware on the IT systems of a Canadian train operator, Metrolinx.
In 2015 and 2016 Ukraine experienced cyber attacks that took down part of its power grid – the attack in 2015 against three power companies left a quarter of a million people without power.
The Cambridge Centre for Risk Studies estimates that a significant cyber attack on a UK regional electricity distribution network could cause economic damage as high as GBP 86 billion, including consequential disruption to transport, digital communications and water supplies.
The decision to set maximum fines at GBP 17 million follows a consultation on the UK government’s plans to implement the NIS Directive, which becomes UK law in May 2018.
The requirements will apply to “operators of essential services”, which broadly means power, energy, transport, water, health and digital infrastructure firms. However, companies and regulators will need to assess exactly which entities meet the criteria and thresholds for compliance.
The implementation of the NIS Directive in the UK will give regulators new powers to assess cyber security for critical industries, as well as to investigate and inform the public of a cyber incident.
Crucially, it will also see the government establish a mandatory notification system for organisations to report cyber breaches and IT failures so they can be quickly identified and acted upon.
The WannaCry attack would have been required to report the incident to the regulator to assess whether appropriate security measures were in place. The regulator could issue legally-binding instructions to improve security, and potentially impose financial penalties.
In its implementation of the NIS Directive, the UK says it will require organisations to report a cyber incident “without undue delay and, where feasible, no later than 72 hours after having become aware of an incident”. This aligns the notification requirements of the NIS Directive with the General Data Protection Regulation (GDPR), which also comes into force in May.
The NIS Directive gives member states some leeway when implementing the legislation. Following the UK’s consultation on implementing the NIS Directive, the government did not opt to gold-plate the rules and even softened its stance on proposed penalties.
The UK government had previously expressed a desire to align the penalties under the NIS Directive with the GDPR, which could see fines as high as EUR 20 million or 4% of group worldwide annual turnover. However, after consultation, the UK decided to remove the percentage of global turnover element from the proposed regime, while maintaining its originally proposed upper limit of penalties at GBP 17 million, although this is only for the most severe cases.
The government also resisted calls to extend the requirements to other sectors, including government, chemicals and food and agriculture. However, it said it will consider extending the scope of the legislation when it reviews the implementation in three years’ time.
The government also confirmed its intention to maintain the requirements of the NIS Directive after the UK leaves the EU in 2019.
The government says that operators will be given time to implement the necessary security measures. They will however be expected to have begun assessing existing security measures and identifying where work needs to be done.
To help companies comply with the NIS Directive, the NCSC recently published detailed guidance. It is also planning to release details in April of a Cyber Assessment Framework, a systematic method for assessing the extent to which operators of essential services are achieving the outcomes specified by the NIS principles. Competent authorities are also expected to produce clear guidance on notification requirements, including the actual thresholds to establish definitions for a reportable incident.
Download Cyber Newsletter
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org