On 10 May 2018, the Network and Information Systems Regulations 2018 (NISR) came into force in the UK. NISR stems from the Network Information Systems Directive 2016 of the EU, which has been covered by this blog previously. Relatedly, on 25 April 2018, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) published the Cyber Security Breaches Survey 2018. This survey details business and charity action on cybersecurity and the impact of cyberattacks.
Summary of NISR
These regulations outline measures to protect critical IT systems in economic sectors like energy, banking, transport and health. NISR applies to “operators of essential services” (OESs) and “digital service providers” (DSPs). It focuses on network and systems security and interruption to services.
The UK government has the power to designate which organisations are OEPs, and therefore within scope of the new laws – providing certain criteria is met. DSPs are directly subject to the new regulations, although micro and small businesses are exempt. OESs and DSPs are required to keep their networks and information secure, and to notify competent authorities of security incidents. Competent authorities vary by sector and include the Information Commissioner’s Office, Ofcom and various regulatory bodies.
NISR contains a tiered system of fines for breaches, dependent on the severity of their consequences:
- Up to £3.4 million where a security incident has or could cause a reduction in the provision of services for a significant period of time
- Up to £8.5 million where services have or could be disrupted for significant period of time
- Up to £17 million for serious cases where a security incident has or could cause “an immediate threat to life or significant adverse impact on the United Kingdom economy.
NISR appears to have been overshadowed by the General Data Protection Regulation, which comes into force on 25 May 2018. However, NISR should be closely examined by any potential OES or DSP, especially given the notification obligations and potentially large fines. The DCMS provided important clarity that operators who assess risks adequately, take appropriate security measures and engage with regulations can avoid fines, which should only be used as a last resort.
Cyber Security Breaches Survey 2018
The messaging around the survey is that UK businesses need to do more to protect themselves against cybercrime. The statistics in the survey show that 43 per cent of business and 19 per cent of charities suffered a cyber breach or attack in the past 12 months. For large businesses, the figure rises to 72 per cent.
Common breaches involve fraudulent emails, scammers impersonating the organisation, viruses, ransomware and malware. The impact of breaches and attack can range from temporary or permanent file loss, to reduced website functionality, to theft of money, assets and intellectual property. The survey urges businesses to consider their “organisational cultures”, seek guidance, engage in staff training and deploy cybersecurity policies, and undertake audits and monitoring regarding the efficacy of such policies.
The survey forms part of the UK’s broader National Cyber Security Programme, linking in with the introduction of NISR, the GDPR coming into force on 25 May 2018 and continued government investment in this area.