UK Government shows some teeth on cyber security defences

The UK Government has finally had enough of the data breaches which have been popping up over the last 18 months, threatening businesses with a fine up to £17 million if defensive standards are not met.

New sector-specific regulators will be set up to assess the individual needs of those sectors which are deemed critical to the UK, such as energy, transport or healthcare. The National Cyber Security Centre will publish new guidelines today (January 30) which will roughly outline the rules and expectations, though businesses will be encouraged to actively engage with the newly-formed regulator.

“Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries.

“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

While the majority of data breaches do occur in the US, there are of course examples everywhere else as well, with the UK hosting its fair share. In November, shipbrokers Clarkson warned shareholders of an upcoming breach as it refused to pay a ransom to the hacker, Deloitte suffered a breach as it was believed the firm did not have two-step verification set up and BUPA suffered a leak affecting 500,000 customers on its international health insurance plan.

Moving forward, incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. These regulators will also have the power to issue legally-binding instructions to improve security, and hand out fines. A £17 million fine is certainly a deterrent, though it won’t be handed out willy-nilly. Companies which have assessed the risks adequately, taken appropriate security measures and engaged with regulators but still suffered an attack, will not face a fine.

Interestingly enough, that irritating ‘up to’ qualifier has appeared again. £17 million is the maximum fine which can be placed on an organization, but there has not been any guidance about how the amount will be assessed. The guidance from the National Cyber Security Centre will possibly offer more detail, but for the moment we’ll have to wait for the formation of the new regulators. These watchdogs might well be feisty, or they might be just another bloated government body.