Eversheds Sutherland comment: companies failing to protect against cyber security threats could face fines of up to 4% of global turnover
8 August 2017
Paula Barrett, Partner and Head of Privacy and Cyber Security (International), says:
“The consultation announced today (8th August) confirms the UK Government remains committed to implementing the NIS Directive (agreed last year) and is following the lead of China, Singapore and the US, which have all recently strengthened measures on organisations that provide essential services.
“Against the backdrop of recent attacks, the potential impacts are becoming far too great. The package of measures will therefore include adherence to minimum security standards and breach notification reporting within 72 hours of awareness.
“Although launching alongside the news yesterday about the statement of intent on the Data Protection Bill, which will bring in compulsory breach reporting and standards for protection of personal data, for those organisations that are classed as providers of essential services and for digital service providers who also fall within its remit, its application is broader.
“This is not just about “cyber” events. It can be other events which have an adverse effect on the security or continuity of network or information systems. In the Government’s view, continuity is impacted if there is a reduction or impairment of an essential service – not just actual loss.
“Voluntary reporting of incidents is also being encouraged, but interestingly, whilst not mandatory, there is a “carrot and stick” in the background as engagement in that process will be considered as part of demonstrating appropriate risk-management processes.
“Even if not directly deemed to be either an operator of essential services, or a digital service provider within scope, the reach of this legislation will inevitably extend to those in its supply chain, most obviously those supplying the computer and network systems and services. The proposed high-level security principles annexed to the consultation start to add some colour to the standards that will be applied, and these specifically mention supply chain management, as well as broader governance, risk and asset management, as being key. That these aspects are drawn out as requirements, alongside access controls, security and resilience by design, and adopting security policies and processes that are communicated within the organisation with appropriate training, serves to reinforce the fact that a more holistic approach to managing this risk is required.
“Inevitably, the proposals contain a “stick”. Compliance will be reinforced by fining powers – another area where alignment with the GDPR comes to the fore. The UK Government is proposing a similar level and style of fines for non-compliance – with a two-tier band – so up to 4% of global turnover or €20M (if higher) is at stake for the most “egregious incidents”. In practice, though, for these essential operators, that will be but the tip of the iceberg for consequences, when the impacts of disruption and actual damage get taken into consideration, and as vulnerability to claims opens up.”