New fines for organisations with poor cyber security

Organisations that fail to implement effective cyber security measures could be fined as much as £17 million.

As part of plans to make Britain’s essential networks and infrastructure safe, secure and resilient against the risk of future cyber attacks, organisations could be fined as much as £17 million or four per cent of global turnover if they fail to implement effective cyber security measures.

The plans are being considered as part of a consultation launched by the Department for Digital, Culture, Media and Sport to decide how to implement the Network and Information Systems (NIS) Directive from May 2018.

The NIS Directive relates to loss of service rather than loss of data, which falls under the General Data Protection Regulation (GDPR).

It would ensure UK operators in electricity, transport, water, energy, health and digital infrastructure are prepared to deal with the increasing number of cyber threats. It will also cover other threats affecting IT such as power failures, hardware failures and environmental hazards.

Fines would be a last resort, and would not apply to operators that have assessed the risks adequately, taken appropriate security measures, and engaged with authorities but still suffered an attack.

The NIS Directive, once put in place, will form an important part of the government’s five-year £1.9 billion National Cyber Security Strategy. It will compel essential service operators to make sure they are taking the necessary action to protect their IT systems.

The government is proposing a number of security measures in line with existing cyber security standards.

Operators will be required to develop a strategy and policies to understand and manage their risk, to implement security measures to prevent attacks or system failures, and to report incidents as soon as they happen.

They will also be required to have systems in place to ensure they can recover quickly after any event, with the capability to respond and restore systems.

Matt Hancock, Minister for Digital, said: “We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.

“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim.”

Ciaran Martin, NCSC CEO, said: “We welcome this consultation and agree that many organisations need to do more to increase their cyber security.

“The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone.

“Everyone has a part to play and that’s why since our launch we have been offering organisations expert advice on our website and the government’s Cyber Essentials Scheme.”
