What is the objective of the Cyber Security and Resilience Bill?
Is the objective to change corporate behaviour and improve cyber security and resilience? Or is it to create jobs for compliance officers and consultants?
If the objective is to change corporate behaviour, then the recommendations of the 2016 CMS Select Committee Report, Cybersecurity: Protection of Personal Data Online, are apposite.
On February 3rd the Parliamentary Public Bill Committee on the Cyber Security and Resilience (Network and Information Systems) Bill is expected to take evidence from the CEOs of Ofcom and Ofgem on:
- the regulatory approach to oversight and enforcement,
- the regulator funding model,
- incentivising effective adoption and implementation of cyber regulation at company board level,
- the effect of critical supply chain designation on MSPs.
I was specialist advisor for the 2016 CMS Select Committee Report, Cybersecurity: Protection of Personal Data Online. After the report was published I was given clearance by the Chair (now Shadow Leader of the House) to speak on why the recommendations were so important – including if the objective was to change corporate behaviour, not just be seen to take action, whether or not it changed anything in the real world.
The evidence to the CMS Committee, including from the regulator (in that case the ICO), had indicated that it was never likely to have the resources to do more than a fraction of what was expected of it. Fear of the scale of the penalties it might impose after egregious organisational behaviour had led to a serious breach could, however, be highly motivational – provided such risk was not hidden in a fog of compliance detail.
Meanwhile the evidence from the Professional Bodies and Trade Associations had indicated such a wide variety of evolving, overlapping (and sometimes conflicting) professional approaches and standards, each with their own pros and cons, that expecting the regulator to keep abreast of current best (as opposed to “acceptable”) practice would again require resources they were never likely to have. That evidence also indicated the width and depth of the gulf in understanding, priority and expectations between boardroom decision processes, user middle management behaviour and professional expectations.
I listened to the members of the Committee drawing their own conclusions, based on their knowledge of corporate and political behaviour across a wide range of organisations. The Clerks did their usual excellent job. My contribution, as specialist advisor, was merely to assure both that they were not missing anything: the Emperor’s clothes were indeed an illusion. I was also able to tell them how much was going on to improve the state of his underwear (often by people who did not wish to give evidence until they knew their patches would work), and the need to avoid making tendentious recommendations that could get in the way of evolving better practice.
While the Committee’s recommendations were couched in terms of data breaches, most apply to all forms of cyber breach. The most relevant to this Bill was Number 14 (cross-referring to Para 38):
“Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
- Staff cyber awareness training;
- When their security processes were last audited, by whom and to what standard(s);
- Whether they have an incident management plan in place and when it was last tested;
- What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
- The number of enquiries they process from customers to verify authenticity of communications;
- The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers and shareholders that they take security seriously and have effective processes in place.”
= = =
We did not expect the Regulator to actually “do” anything with the reports, other than to file them to look at when the organisation had to report a breach … and request an update/explanation before deciding the scale of penalty appropriate.
The expectation was that an annual return to a Regulator would need to be signed off by the Company Secretary. That would require a Board Minute. The answers to the questions would therefore need to be circulated to the Board.
That way the head of Cyber/Digital might expect to have Board Level attention for their plans/budgets at least once a year – when the report was agreed.
That might in turn lead to a member of the Board being given the task of monitoring action plans to reduce the risk of serious incidents, not just following compliance processes and nominating the sacrificial lamb after an incident too embarrassing to be covered up (e.g. M&S digital chief exits months after damaging hack | Reuters).
P.S. The implications of critical supply chain designation on MSPs are profound, including for fixed and mobile communications providers and their supply chains. The current proposals appear to bear little relationship to how UK CNI networks, including those for energy, financial services and research (JANET), are currently structured, monitored and regulated. The current Ofcom structures appear to be based on regulating consumer, as opposed to business, services. Creating regulatory and reporting structures that do not serve to increase vulnerability, by reducing the choice of how to bypass common single points of failure and choke points (hardware, software, local, regional, national etc.), will “not be easy”.
