The National Cyber Security Centre (the NCSC) was officially opened on 14 February 2017 with a remit to help protect the UK’s critical services from ever-increasing cyber-attacks. The NCSC is the public-facing part of GCHQ, its main purpose being to reduce cyber security risk by working together with UK organisations and businesses to improve cyber resilience, including offering advice on tackling cyber security issues. Indeed, one of its first tasks since it opened last year was to work with the Bank of England to produce advice for the financial sector to manage cyber security effectively.
Other guidance issued by the NCSC focusses on particular types of technology, and significant cyber incidents or threats that require action by UK organisations are highlighted on its website. Businesses can also join the Cyber Security Information Sharing Partnership, a free online platform that enables threat information to be shared and updates from industry and government analysts to be received.
So, with data and IT security now an essential element of strategic management controls, the NCSC may become a useful resource for us all.
There is also the wider context. In 2016 the Network and Information Security Directive was adopted at EU level and is due to be implemented in Member States on or before May 2018. This is the first in a series of EU-wide legislation concerning cybersecurity, and it aims both to enhance co-operation across Member States and to impose certain obligations aimed at improving cyber security on operators of essential services such as water, energy, transport, health, financial services and internet service providers. Although Brexit means that there could be a question mark over the longer-term application of this Directive, it is more likely than not that the UK will implement it in 2018.
And of course good cyber security means good data protection. The proposed General Data Protection Regulation will apply in the UK from May 2018 to police data flows, including cross-border flows. Post-Brexit, when the UK is treated as a third country under this new data protection regime, data flows may be restricted unless the UK adopts a level of data protection recognised as equivalent by the European Commission. The adequacy of cyber and data security systems and controls will be an essential consideration.