UK critical operators risk £17m fines for poor cybersecurity practices

UK essential service operators risk fines of up to £17 million if they fail to implement robust protections against cyber attack.

UK critical operators fines

The penalties will apply to energy, transport, water, digital infrastructure, and health firms.

“A simple, straightforward reporting system will be set up to make it easy to report cyber breaches and IT failures so they can be quickly identified and acted upon. It will also cover other threats affecting IT such as power outages, hardware failures, and environmental hazards. Under the new measures recent cyber breaches such as WannaCry and high profile systems failures would be covered by the Network and Information Systems (NIS) Directive,” the UK government said.

“These incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally-binding instructions to improve security, and – if appropriate – impose financial penalties.”

The new rules are the result of the UK implementation of the EU Network and Information Systems (NIS) Directive, and will go in effect on May 10.

Margot James, Minister for Digital and the Creative Industries, encouraged all public and private operators in these essential sectors to consult NCSC’s advice on how they can improve their cybersecurity.

A welcome directive

“It’s only a matter of time before we see a category 1 attack and we need to be prepared. GDPR compliance stole many of the headlines last year, but the NIS Directive is the most important deadline in May for the future protection of the nation,” Steve Malone, Director of Security Product Management at Mimecast, told Help Net Security.

“Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards. This legislation signals the move away from pure protection-based cybersecurity thinking.”

Lorena Marciano, EMEAR Data Protection and Privacy Officer at Cisco, noted that the UK government’s announcement demonstrates its awareness of the risks cyber attacks pose to organizations and the ramifications of not having appropriately robust provisions in place.

“Yet, the financial implications of these sanctions are set to go well beyond the suggested £17m fines,” she says.

“According to Cisco’s Data Privacy Benchmarking Study, 74% of organizations which are seen as privacy-immature experienced losses of more than £350,000 in 2017, as a result of data breaches. This comes in stark comparison to those companies which went beyond data privacy compliances, with only 39% of privacy mature organizations seeing losses of a similar amount. These figures indicate that provisions shouldn’t be adopted for the single purpose of avoiding fines, but that organizations which are willing to go beyond the set compliances will reap the long-term financial benefits as well as protecting customer data.”