Organisations that fail to implement effective cyber security measures could be fined as much as £17 million or 4 per cent of global turnover, as part of plans to make Britain’s essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks.
The plans are being considered as part of a consultation launched today by the Department for Digital, Culture, Media and Sport to decide how to implement the Network and Information Systems (NIS) Directive from May 2018.
Fines would be a last resort, and they will not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities but still suffered an attack.
The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR).
It will help make sure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT such as power failures, hardware failures and environmental hazards.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” said Minister for Digital Matt Hancock.
The NIS Directive, once implemented, will form an important part of the Government’s five-year £1.9 billion National Cyber Security Strategy. It will compel essential service operators to make sure they are taking the necessary action to protect their IT systems.
The Government is proposing a number of security measures in line with existing cyber security standards.
Operators will be required to develop a strategy and policies to understand and manage their risk; to implement security measures to prevent attacks or system failures, including measures to detect attacks, develop security monitoring, and to raise staff awareness and training; to report incidents as soon as they happen; and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
Any operator which takes cyber security seriously should already have such measures in place.
The Government is fully committed to defending against cyber threats and a five-year National Cyber Security Strategy (NCSS) was announced in November 2016, supported by £1.9 billion of transformational investment. The strategy includes opening the National Cyber Security Centre and offering free online advice as well as training schemes to help businesses protect themselves.
The consultation proposes similar penalties for flaws in network and information systems to those coming for data protection under the General Data Protection Regulation, due to be in force by May 2018. Failure to implement effective security could see penalties as large as £17 million or 4 per cent of global turnover.
“The fines are high, and are a reflection of how dangerous today’s cyber criminals are and the threat they pose to our country. Unlike traditional warfare, cyber-attacks are ‘invisible’ and often easy to forget until you become a victim, and they have the potential to be far more catastrophic. To avoid these fines and ensure their services are protected from modern-day and future threats, businesses must have intelligence that gives them deep, consistent visibility across their entire network so hackers can be stopped,” said Ross Brewer, VP and MD EMEA at LogRhythm.