This IT and Outsourcing e-bulletin contains summaries of recent developments in law and regulation in the EU and the UK:

  1. Government plans to create new cyber security standard

The UK Government has announced that, following a consultation, it intends to develop a new industry-led organisational standard in relation to cyber security, based on the ISO 27000-series.

This is part of a range of policies being implemented by the Department of Business, Innovation and Skills ("BIS") under the umbrella term 'Keeping the UK safe in cyber space'. Following a consultation that BIS launched in March 2013, the Government issued its response on 28 November 2013.

The BIS report explains that businesses involved in the consultation said that a cyber security standard should:

  • be internationally recognised;
  • promote international trade;
  • allow systems to exchange and use information; and
  • be auditable, like those in the ISO 27000-series.

The ISO 27000-series of standards received the greatest amount of support from business groups to be adopted as the Government's preferred standard. However, BIS rejected a straightforward adoption of those ISO standards due to the complexity and cost of implementation, in particular for SMEs.

BIS said that a new "implementation profile" will be developed based on ISO 27000-series standards and that this will become the Government's preferred standard. The Government will work with industry to develop the standard, which it is planning to launch early this year. BIS also said that it would look to create a new "assurance framework" around the new cyber security standard to allow businesses that meet the standard to distinguish themselves on this basis.

The Government's response to the consultation can be found here.

  2. London financial institutions simulate a series of cyber-attacks

Hundreds of staff from the UK's main financial institutions stress tested their collective resistance to cyber-attacks on 12 November 2013.

The exercise, dubbed "Waking Shark II", was overseen by officials from the Bank of England, Treasury and Financial Conduct Authority and monitored by the Government's cyber agencies. The UK's first "Waking Shark" exercise was held in 2011, involved over 100 representatives from 33 institutions and tested for a major cyber-attack during the busiest period of the London Olympics.

Waking Shark II focused on wholesale markets and in particular considered situations where multiple shared and company-specific systems, such as clearing and risk management tools, are targeted simultaneously. The exercise also aimed to establish clear lines of communication between in-house IT security experts and operation planners, so that they could practise making swift decisions and communicating effectively with the regulator and industry partners to contain the problems thrown at them.

The exercise comes in the wake of increased concerns about the vulnerability of the financial services industry to cyber-attacks. In particular, an attack on South Korean banks in March 2013, which paralysed financial transactions at one bank and disrupted operations at five other banks, has given rise to serious concern amongst security experts. It also follows reports that agents from GCHQ, the Government Communications Headquarters, met with senior figures from large asset management companies in October last year to urge them to push cyber security higher up the corporate agenda.

Results and recommendations from the exercise will be published early this year.

  3. European Commission sets up cloud computing expert group

Following announcements made last summer, the European Commission has set up an "expert group" including cloud providers, lawyers and academics in an effort to set out standard terms for cloud computing contracts.

The European Commission has said that this expert working group will help ensure that safe and fair terms in cloud service contracts become best practice. It aims to address the concerns of consumers and small companies, who often seem reluctant to purchase cloud computing services because contracts are unclear. Use of these terms will be optional.

The 30-strong group of individuals and companies, which includes Telecom Italia and UK-based cloud provider Skyscape, is a key part of the Commission's general strategy for "unleashing the potential of cloud computing in Europe". European Commission Vice President Viviane Reding said that 2.5 million new jobs could be created in Europe if the full potential of cloud computing within the area is realised.

One of the working group's tasks will be to consider how the development of new cloud computing contract terms could interact with the proposed Common European Sales Law currently under development.

The Commission stated that, "The expert group will do specific complementary work for those issues that lie beyond the Common European Sales Law to make sure that other contractual questions relevant for cloud computing services can be covered as well, by a similar optional instrument." The terms will also help with the application of EU data protection rules to the extent that they are relevant to cloud computing contracts.

The first expert group meeting was scheduled for 19-20 November 2013 and the group is expected to report back with recommendations in spring 2014. These recommendations will feed into a policy paper launching a broad public consultation on possible ways forward on cloud computing contracts for consumers and SMEs.

The European Commission's press release can be found here.

  4. A lien over electronic data?

In November last year, the Court of Appeal agreed to hear an appeal from a County Court judgment relating to a dispute between a customer and its supplier who provided database management services. A particular issue was the question of liens over intangible property (in this case, the customer's electronic data).

Under English law a person has the right, under certain circumstances, to hold on to tangible property in his possession pending payment of a debt owed. In Your Response Ltd v Datateam Business Media Ltd [2013] EWCA Civ 1468, the Court of Appeal granted leave to appeal an unreported decision of the County Court in which it dismissed a counterclaim against a database maintenance service provider in a case relating to unpaid invoices.

Arden LJ said that an issue that was worthy of further consideration by the court was whether or not a service provider can claim a lien over electronic data that the service provider manages for a client. She stated that normally a lien at common law can only be claimed over tangible property and that there is no authority that establishes that a lien is exercisable over intangible property. She also gave permission to appeal on the question of whether or not the claiming of the lien by the respondent was inconsistent with the contract in question.

The full judgment can be found here.

  5. Funds industry responds to regulator's outsourcing concerns

The Outsourcing Working Group ("OWG"), which comprises asset managers, key service providers and the Investment Management Association and was set up to address issues raised in the FSA's "Dear CEO Letter" on outsourced services of December 2012, has published practical measures that firms should take into account.

The FSA had criticised, in particular, the tendency for asset managers to rely on a service provider's own regulatory compliance as a substitute for proper oversight, and insufficient planning for service provider failure.

The OWG's response presents its conclusions in terms of 'Guiding Principles' and 'Considerations' that firms should take into account based on the nature, size and scope of their outsourcing arrangements. The OWG considered that there was considerable room for asset managers to improve both oversight and exit planning for outsourced services and made a series of recommendations.

The OWG concluded that:

  • Firms must properly understand the scope and terms of the outsourced services and perform a risk-based assessment of the arrangements.
  • Firms must ensure that a suitably senior individual is given 'ownership' over the outsourced activities and an appropriate framework of oversight is put in place.
  • Firms must ensure a comprehensive exit plan is put in place and periodically reviewed, and should include considerations associated with exit in the event of a service provider's financial or operational distress.

The OWG's full response can be found here.

  6. UK Government agreed Guiding Principles on cyber security with ISPs

In December 2013 the UK Government agreed a series of voluntary 'Guiding Principles' to improve online security for ISPs' customers and limit the rise in cyber attacks. The Guiding Principles represent a series of principles that the signatories, in partnership with the Government, aspire to reach as a minimum.

As part of the principles, ISPs have recognised cyber security issues and agreed to raise customer awareness of them, and in particular to provide information on cyber security and on how customers should protect themselves in a clear and accessible place, such as on their website.

The Government has agreed to educate and raise awareness among businesses of the importance of effective cyber risk management, provide advice on cyber security and increase the security of Government online services.

The ISPs have also agreed to work together with the Government to explore a number of issues, including information sharing for law enforcement purposes, raising awareness of behaving safely online and considering further ways of bringing cyber security issues to the attention of customers.

The Guiding Principles can be accessed here.