chungking - Fotolia

UK mulls hefty fines for CNI providers with poor cyber security

The UK is considering the same hefty fines for critical national infrastructure (CNI) providers with poor cyber security as those failing to protect the personal data of UK citizens

Providers of essential services who fail to implement effective cyber security measures could be fined as much as £17m or 4% of global turnover under measures being considered by government.

The government is proposing a number of security measures in line with existing cyber security standards that will require operators of essential services to develop a strategy and policies to understand and manage their risk; implement security measures to detect and prevent attacks or system failures; develop security monitoring, and to raise staff awareness and training.

The government will also require the operators to report incidents as soon as they happen and to have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.

The measures are part of plans to make the UK’s essential networks and infrastructure safe, secure and resilient against the risk of cyber attacks.

The government wants to ensure that UK operators in electricity, transport, water, energy, transport, health and digital infrastructure are prepared to deal with the increasing numbers of cyber threats.

The proposed measures also cover other threats affecting IT such as power failures, hardware failures and environmental hazards.

The infrastructure security plans are being considered as part of a consultation launched on 8 August 2017 by the Department for Digital, Culture, Media and Sport (DCMS) to decide how to implement the European Union’s (EU’s) Network and Information Systems (NIS) Directive from May 2018.

The government plans to hold workshops with critical national infrastructure (CNI) operators so they can provide feedback on the proposals.

In addition to security measures and fines, the government is consulting on the essential services the NIS directive needs to cover; the competent authorities to regulate and audit specific sectors; timelines for incident reporting; and how this affects digital service providers.

Under the proposed measures, fines would be a last resort, and they will not apply to operators which have assessed the risks adequately, taken appropriate security measures, and engaged with competent authorities, but still suffered an attack.

The NIS Directive relates to loss of service by IT networks and information systems rather than loss of personal data, which falls under the General Data Protection Regulation (GDPR) which provides for fines of up to €20m or 4% of global turnover, whichever is greater.

Together, the NIS Directive and the GDPR are expected to force companies operating in the EU to become more cyber resilient and develop robust incident response plans.

Read more about the NIS Directive

Despite Brexit, the UK government has committed to aligning its data protection law with the GDPR and transposing the NIS directive into UK law.

The launch of the consultation comes a day after the UK government detailed proposals for new data protection legislation to update and strengthen UK data protection laws and bring them in line with the GDPR to enable unhindered flows of information between the UK and the EU post-Brexit.

The proposed Data Protection Bill is expected to be published in the autumn and enacted by parliament early in 2018 to replace the Data Protection Act of 1988.

Like the GDPR, the new legislation will require organisations to obtain explicit consent from UK citizens to collect and use their personal data.

The data protection regulator, the Information Commissioner’s Office (ICO), will also be given more power to defend consumer interests and issue bigger fines, of up to £17m or 4% of global turnover, in cases of the most serious data breaches.

Commenting on the proposed measures for essential service providers, digital minister Matt Hancock said the government wants the UK to be the safest place in the world to live and be online, with essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards.

“The NIS Directive is an important part of this work and I encourage all public and private organisations in those sectors to take part in this consultation so together we can achieve this aim,” he said.

The NIS Directive, once implemented, will form an important part of the government’s five-year £1.9bn National Cyber Security Strategy, the government said.

The strategy includes opening the National Cyber Security Centre (NCSC) and offering free online advice as well as training schemes to help businesses protect themselves.

NCSC chief executive Ciaran Martin said: “We welcome this consultation and agree that many organisations need to do more to increase their cyber security.

“The NCSC is committed to making the UK the safest place in the world to live and do business online, but we can’t do this alone. Everyone has a part to play and that’s why, since our launch, we have been offering organisations expert advice on our website and the government’s Cyber Essentials Scheme.”

Read more on Hackers and cybercrime prevention