The security and reliability of the UK’s IT infrastructure remain a key priority for the government. In August 2017, the Department for Digital, Culture, Media and Sport launched a public consultation on its plans to transpose the Network and Information Systems Directive (‘NIS Directive’) into UK legislation. (As we reported earlier this year, the UK has until 9 May 2018 to implement the NIS Directive into its national laws.) The closing date for responses is 30 September 2017, and the consultation is aimed at industry participants, regulators and other interested parties.
Tackling growing cyber risks
As society becomes increasingly reliant on information technology, the potential impact of failure in those systems is also rising. Recent events point towards an increase in the scale, frequency and gravity of cyber attacks. The recent WannaCry ransomware attack illustrates only too well the adverse effects that can result from a security breach.
The European Commission’s aim with the NIS Directive is to increase the security of network and information systems within the EU. The government has announced that it supports that overall aim, and recognises the need to improve the security of UK network and information systems, with a particular focus on “essential services”. The proposal is that (subject to meeting certain thresholds) service providers operating in the following sectors should qualify as an “essential service”: energy, health, digital and transport (air, road and maritime). Among the NIS Directive’s provisions are a duty for operators of essential services to:
- Take appropriate and proportionate technical and organisational measures to manage security risk; and
- Take appropriate measures to prevent and minimise the impact of any incidents affecting the security of the network and system used to provide the service.
The government intends to implement the NIS Directive through a national framework comprising four elements:
- Adoption of a national strategy on network and information security – The government proposes to amend the UK Cyber Security Strategy (published in November 2016) to reflect any of the NIS Directive’s requirements that are not already covered.
- Appointment of “one or more national competent authorities” to oversee implementation of the NIS Directive – The government prefers a multiple competent authority approach as it considers sector-specific regulators to be better placed to fulfil this role. If this approach is adopted, companies whose activities straddle more than one sector could find themselves answerable to several different regulators.
- Creation of a single point of contact to act as a liaison between the UK and the EU – The government nominates the National Cyber Security Centre (‘NCSC’) for this role.
- Designation of a Computer Security Incident Response Team, whose tasks will include monitoring incidents at a national level. The government considers that NCSC should adopt this role.
Given the significant adverse impact that a loss of an “essential service” could cause, the government is considering a penalty regime similar to that applicable under the General Data Protection Regulation (‘GDPR’). Two bands of fines are proposed – for ‘lesser offences’, the greater of €10 million or 2% of worldwide annual turnover; for failure to implement appropriate and proportionate security measures, the greater of €20 million or 4% of worldwide annual turnover.
How to prepare
Affected organisations should act now to put effective security measures in place to ensure secure information management. In addition to any review from a GDPR perspective, policies and procedures should be revisited from an NIS Directive standpoint. Additionally, staff at all levels should be appropriately trained to ensure they know how to put the new procedures into action, including compliance with the breach reporting requirements.