It seems that cyber security has been hogging ever-greater headlines in recent times, due to both continued high-profile lapses and regulators paying increasing attention to this arena.
As far as the former is concerned, it was only in September that British Airways suffered a cyber attack that led to customer personal data being compromised. A no less significant development, however, occurred on 1st October, when the Financial Conduct Authority (FCA) hit Tesco Personal Finance plc with a monumental £16.4 million fine due to a 2016 cyber incident.
An evolving regulatory picture – but still sluggish attitudes
Furthermore, one would only need to look back to May to see another key step in the rapidly changing story of how cyber security is treated in the United Kingdom – albeit, the news was somewhat overshadowed at the time by all of the fuss about the General Data Protection Regulation (GDPR) coming into force.
The news in question was the UK’s first legislation specifically focused on cyber security, the Network and Information Systems Regulations 2018, coming into force.
Despite this major development, it seems that organisations around the UK still aren’t necessarily as well-prepared as they ought to be to respond appropriately in the event of a cyber attack.
Over the last few years that cyber security presentations have been made to clients, industry bodies and other businesses, about 80% to 90% of attendees have confirmed that their business has identified cyber security as a significant, top-five risk.
Only about 30% to 40% of the same guests, however, have answered an immediate follow-up question to confirm that their firm has a cyber incident plan. This equates to around 60% to 70% of individuals accepting that a cyber attack is a significant threat, but not being prepared to take the most basic steps to prepare for how to respond in the event of an attack happening.
How do the Network and Information Systems Regulations 2018 compare to the GDPR?
Whereas the GDPR concentrates on personal data, the 2018 Regulations are to do with networks and information systems. However, there is clear potential for the GDPR and the 2018 Regulations to overlap, given that a cyber attack breaching a network may result in personal data being lost. This raises the possibility of multiple financial sanctions being imposed in relation to a single incident.
The 2018 Regulations require regulated entities to adopt appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and information systems. In addition, entities are required to adopt appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those networks and information systems. A 72-hour deadline also applies for entities to notify the relevant competent authority of a significant incident.
Contravening the 2018 Regulations can result in competent authorities issuing information notices, carrying out inspections, issuing enforcement notices and/or imposing financial penalties. The maximum penalty under the regulations is £17 million, which only applies for material contraventions that have caused or could cause an incident resulting in an immediate threat to life or having a significant adverse impact on the UK economy.
With such a maximum financial sanction only narrowly below the £16.4 million fine imposed on Tesco Bank for a pre-2018 Regulations incident that seemingly did not have such catastrophic effects, it will be intriguing to see whether and how regulators will operate together to ensure their sanctions are balanced and – if cumulative – proportionate.
If your organisation is on the lookout for the most professional and capable company incorporation agents and company secretarial services, please don’t hesitate to contact the London Registrars team today, by calling +44 (0)20 7608 0011 or emailing [email protected].