Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

UK legislation does not mandate specific policies or procedures in this respect. The security principle set out in the UK GDPR requires organisations to process personal data securely by implementing appropriate technical and organisational measures. Similarly, the Network and Information Systems Regulations (NISR) require operators of essential services (OESs) and relevant digital service providers (RDSPs) to undertake measures to manage the risks posed to the security of their networks. Under the UK GDPR and the NISR, organisations should assess the security risk associated with their own operations and implement appropriate controls, which could be in the form of organisational policies, physical and technical measures and/or conducting risk analysis.

Organisations regulated by the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) will need to comply with the data security obligations set out in the Financial Services and Markets Act and are required to have in place adequate systems and controls to monitor, detect and prevent financial crime.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Under the UK GDPR organisations are required to record all personal data breaches, regardless of whether they are reported to a regulator. There is no specific rule on format or timing for retaining the records, although the record must contain the facts relating to each data breach, its effect and the remedial action taken.

Under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), the Information Commissioner’s Office (ICO) requires that communications network and service providers keep a log of any personal data breaches, and that they submit this to the ICO on a monthly basis. The log should contain the facts of the breach, the consequences and any remedial action taken.

Under the NISR, regulated entities must maintain records evidencing the appropriate and proportionate technical and organisational measures taken to manage risks to their systems. The NISR do not prescribe any format or retention period for these records. Records should be accurate and accessible to the competent authority.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

For breaches that compromise network security, the NISR require OESs and RDSPs to notify the ICO of security incidents without undue delay. The government is consulting on changes to the NISR which would require enhanced cyber incident reporting to other regulators, such as Ofcom and Ofgem. The government also proposes a requirement to notify regulators of all incidents that pose a significant risk to resilience and security, not just those that directly impact services.

In relation to cybersecurity breaches that involve personal data, the UK GDPR and the DPA 2018 requires data controllers to notify the ICO without undue delay, and no later than 72 hours after becoming aware of the incident, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The notification must provide details of (1) the nature of the breach; (2) the organisation’s Data Protection Officer (if relevant); (3) the likely consequences of the breach; and (4) the measures taken, or proposed to be taken, to deal with or mitigate any possible adverse effects.

The PECR require telecoms and internet service providers to notify the ICO if a personal data breach occurs within 24 hours of becoming aware of the facts of the breach. The notification must include the name of the service provider, circumstances of the breach, nature and content of the personal data and the technical and organisational measures applied to the affected personal data.

The ICO website provides links for the reporting of incidents under the UK GDPR, PECR, and NISR.

The FCA also requires regulated organisations to notify the FCA and PRA in the case of a data security breach.

Time frames

What is the timeline for reporting to the authorities?

The UK GDPR places a legal obligation on all organisations to report cybersecurity breaches to the ICO within 72 hours of becoming aware of any given breach. The threshold for notification to the ICO will be met if the breach leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A notification to the ICO will not be required where the business can demonstrate that the breach is unlikely to result in a risk to rights and freedoms.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the business that is subject to the breach must inform those affected individuals without ‘undue delay’. In practice, the notification to the data subject will be required as soon as possible provided the breach is sufficiently severe to be considered high risk.

While the obligations under the GDPR have general application, additional notification obligations may arise depending on the nature of the organisation. For example, UK trust service providers must notify the ICO of a security breach that may include a personal data breach within 24 hours under the eIDAS Regulation.

The NISR also impose reporting standards on these organisations in essential services, with mandatory notification to the relevant authority within 72 hours of becoming aware of an incident occurring.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

There are no generally applicable requirements to reports threats or breaches to industry, customers or the general public.

In relation to cybersecurity breaches that involve personal data, the UK GDPR requires data controllers to inform affected individuals about breaches that are likely to result in a high risk to their rights, without undue delay, after becoming aware of the incident. The communication must provide details of (1) the organisation’s data protection officer (if relevant); (2) the likely consequences of the breach; and (3) the measures taken, or proposed to be taken, to deal with or mitigate any possible adverse effects.