Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Although much guidance has been issued by governmental bodies, ultimately, it has been left to organisations themselves how they achieve the legal standards expected of them in respect of cybersecurity (see question 6).

In 2016, the government updated its ‘10 Steps to Cyber Security’, which is now complemented by ‘Common Cyber Attacks: Reducing the Impact’ setting out security and process controls organisations may establish to protect against online risk. The Cyber Essentials Scheme also recommends all organisations implement five basic controls to protect against cyberattack, including the creation of effective firewalls and the use of the latest supported application versions and patches. Additional useful information is available from the NCSC’s ‘Cyber Security: Small Business Guide’; the cross-governmental Cyber Aware campaign; the ICO’s 2016 publication ‘A Practical Guide to IT Security’; and the ActionFraud website of the National Fraud and Cyber Crime Reporting Centre. The NCSC’s website also contains helpful pages on specific IT security issues, including protecting against ransomware, phishing attacks and email security.

At a non-governmental level, there is some mandatory sector-specific guidance, such as the Payment Card Industry Data Security Standard, which enforces tight controls surrounding the storage, transmission and processing of cardholder data handled by business, and ISO/IEC 27001, published in 2013. In addition, BS 10012:2017 provides a GDPR-compliant personal information management system available to organisations seeking to achieve best standards.

Recently, the FCA has prioritised cybersecurity through senior-level speeches to raise industry awareness and by publishing guidance on cybersecurity (https://www.fca.org.uk/firms/cyber-resilience and https://www.fca.org.uk/publication/documents/cyber-security-infographic.pdf). These have been supported by the CBEST framework, designed to test the cyber-resilience of systemically important financial institutions through bespoke vulnerability testing.

Where industry codes exist, adhering to them may demonstrate compliance with a data controller’s obligation to maintain appropriate cybersecurity. Additionally, the ICO’s Regulatory Action Policy (awaiting parliamentary approval) suggests adherence to such codes will be considered when the regulator decides whether and by how much to penalise an organisation for a data breach.

How does the government incentivise organisations to improve their cybersecurity?

In December 2016, the government published its Cybersecurity Regulation and Incentives Review, which in part addressed incentives to boost cyber risk management across the wider economy. After widespread stakeholder consultation, the review concluded that, without wishing to overburden business, increased regulatory requirements should be matched by a wider uplift in support and information. An option that garnered considerable support from stakeholders was the introduction of an ‘official’ cyber health check, which would demonstrate the appropriateness and sufficiency of an organisation’s security measures. Though many private organisations contributing to the review also enthusiastically sought financial incentives to improve cybersecurity, the government pointed out that basic rate tax relief was already available for business expenditure in this area and the potential cost to government of enhanced tax relief would be high.

Notwithstanding financial constraints, one of the 2017/2018 objectives of the government’s Innovate UK scheme, which offers investment in micro, small and medium-sized business projects, was the encouragement of smart and resilient infrastructure fit for the digital revolution. Additionally, the government’s ‘G-Cloud’ framework on the digital marketplace enables public sector authorities to invite private sector organisations to provide cloud-hosting, software and support without the need to resort to a formal tender process. The NCSC now offers reassurance by certificating expertise, products and services offered for sale to end users (https://www.ncsc.gov.uk/marketplace). Organisations bidding for central government contracts have needed to be ‘Cyber Essentials’ certified since 1 October 2014.

See also question 13.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

There is no equivalent of the IT Industry Council ‘Cybersecurity Principles for Industry and Government’ which appeared in the US. However, the Confederation of British Industry has sought to raise awareness of data security issues amongst its members, publishing the results of its survey ‘Building Trust in the Digital Economy’ (www.cbi.org.uk/index.cfm/_api/render/file/?method=inline&fileID=FFA34BD4-686F-4AEB-953DB1588A4D3764) in September 2018, hosting an annual cybersecurity conference in partnership with leading governmental bodies in the field, including the NCSC and ICO, and making a podcast available containing best practice advice on becoming cyber secure (www.cbi.org.uk/news/podcast-cybersecurity/). In addition, industry regulators will often direct those seeking cybersecurity advice to government sources such as the ‘10 Steps to Cyber Security’.

See questions 13 and 14.

Are there generally recommended best practices and procedures for responding to breaches?

Under the GDPR, data controllers must normally report personal data breaches to the ICO without undue delay and within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the data breach results in a high risk to those rights and freedoms, the data controller must also inform the relevant data subjects without undue delay. Under the PECR, which apply to organisations sending electronic marketing to the public, organisations such as telecoms providers and internet service providers are obliged to notify the ICO within 24 hours of detecting a breach.

Notification may be made to the regulator by telephone during normal office hours or online (https://ico.org.uk/for-organisations/report-a-breach/). The online forms indicate the information that the ICO expects to be provided by those making such reports. Incidents that are notifiable to the ICO under NISR (see question 27) may also be reported to the ICO via these methods.

In addition to ICO reporting obligations, in May 2017, the FCA published guidance confirming that regulated firms must report ‘material’ data breaches under their Principle 11 obligations.

Despite the increased stringency of reporting obligations, there is no single source of best practice for responding to data breaches. Instead, multiple sources of public and private, national and overseas guidance exist. Reflecting the often overlapping nature of such guidance, joint advice is increasingly offered, such as the GDPR Security Outcomes guidance from the NCSC and ICO (https://www.ncsc.gov.uk/guidance/gdpr-security-outcomes). This includes sections on avoiding, and planning for, breaches.

Carefully thought-out cybersecurity policies and rehearsal are crucial, particularly given the time constraints for reporting to the ICO. However, according to the 2018 Cyber Security Breaches Survey commissioned by the Department of Culture, Media and Sport (DCMS), only 27 per cent of UK businesses currently have a formal policy. That figure is likely to rise as cybersecurity incidents become more commonplace and awareness of the potential penalties under the GDPR increases through regulatory action. Though a cybersecurity policy should include technical matters such as antivirus software use, patch and security update downloads as well as backup recovery plans, a company would also be well advised to implement regular staff training to try to prevent situations arising in the first place. Adequate training should be undertaken to ensure staff recognise, understand and avoid the risks, as well as know what to do and who to alert in the event of a breach so that, should an incident occur, a company can accurately assess the situation and take immediate steps to minimise the harm.

A company’s cybersecurity policy should incorporate an incident response management plan, identifying who should handle the incident and the steps that should be taken. Internally, a senior member of the company should ideally take control, enlisting the assistance of in-house counsel, the IT department and Human Resources, as well as external advisers (eg, forensic experts, lawyers and PR consultants) as necessary. Such external consultants should ideally be identified before an incident occurs.

In the event of an incident, best practice suggests that the first priority must be to ascertain and record precisely what has occurred, who was involved and what data has been lost. A proper assessment can then be made of the nature and seriousness of the data breach, whether it is ongoing, how it can be stopped, as well as the likely implications for both data subjects and the organisation.

Having done this, a reasoned assessment can be made about whether the GDPR reporting threshold has been reached, and whether and how data subjects affected should be informed so they may take precautionary measures and mitigate any financial losses arising. Consideration should also be given to whether any contractual or professional notification obligations arise. For example, authorised firms should consider notifying the FCA and solicitors’ firms should consider informing the Solicitors Regulation Authority (SRA). If necessary, sensible remedial measures can also be implemented within the company such as reviewing remote working practices, modifying data access and changing passwords. If a company believes it has been the victim of crime, it may decide to inform the police, the NCA or the NCSC and will consider whether any ensuing harm could be prevented by seeking injunctive relief. Simultaneously, once news of a data breach gets out, a company may face questions from its staff and possibly external sources, necessitating a coordinated media response.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Encouraging organisations to report attacks is seen as key to combatting such incidents. There are no government requirements or incentives as such, although the government has tried to promote the sharing of information about cyberthreats through CiSP (see question 9). The UK authorities have also set up the ActionFraud website for reporting online fraud, scams and extortion. Cyber incidents may be reported directly to the NCSC where they affect the UK’s national security or economic well-being, affect a large proportion of the UK population, or jeopardise the continued operation of an organisation. Statutory measures to encourage the sharing of cyberthreat information include the ‘information gateways’ in the Counter Terrorism Act 2008 and the Crown and Courts Act 2013, albeit where personal data is provided via these gateways, compliance with the DPA is still required (see question 9). The encouragement of collaboration is evidenced by the ICO’s ‘Protecting personal data in online services: learning from the mistakes of others’ report (https://ico.org.uk/media/for-organisations/documents/1042221/protecting-personal-data-in-online-services-learning-from-the-mistakes-of-others.pdf).

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

In November 2016, the National Cyber Security Strategy up to 2021 (www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021) acknowledged the transformation that digital connectivity was bringing about for both public and private enterprise, but emphasised the significant role played by businesses and organisations in the UK’s national response to cyberthreats.

Recognising the importance of partnership between government and private sector in the development of cybersecurity standards, the NCSC’s website has a dedicated partnership page listing efforts aimed at developing cross-sector cybersecurity capabilities within the UK. Included are details of educational bursaries and work placements to nurture the future cybersecurity workforce, educational events aimed at existing cybersecurity professionals, and the Industry 100 initiative to facilitate close collaboration with private sector talent in the field of cybersecurity by encouraging part-time secondment to the NCSC to promote the exchange of knowledge and expertise.

On the industry side, ‘techUK’ represents more than 950 commercial entities involved in the cyber-sphere, including FTSE 100 companies, small and medium-sized enterprises and start-ups. The body works with key stakeholders to inform debate about the future development and application of technologies. As part of the Cyber Growth Partnership, a joint initiative between industry, academia and government that aims to boost the UK’s global market position in cybersecurity products and services, techUK promotes the Cyber Exchange, enabling participants across industry, academia and government to interact on issues arising in cybersecurity. Recognising the under-representation of women in the cybersecurity sector, techUK has also launched an initiative to promote and encourage the involvement of women in this heavily male-dominated field.

In conjunction with industry, the DCMS has developed the Cyber Security Suppliers scheme whereby businesses can advertise that they supply cybersecurity products and services to the UK government and use the government’s logo in their marketing material. The intention is to provide assurance to the private sector of the efficacy and operability of cyber-defence products.

In 2017, DCMS launched its Digital Skills Partnership (DSP) through which UK government, businesses, charities and voluntary organisations joined forces to give people of all ages the opportunity to boost their online know-how by offering free training in areas such as basic online skills through to cybersecurity and coding. DSP has set itself four priorities: increasing digital skills provision, developing local or regional partnerships, assisting small businesses and charities to digitally upskill their employees, and supporting educationalists in the field of computing.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

In principle, insurance cover is available to mitigate cybersecurity risks, although the market is often considered underdeveloped. As a result of the potential risk exposure and the shortage of actuarial data resulting from underreporting, insurers have been cautious about providing policies. Nevertheless, as incidents and consequences of cybersecurity breaches increase, demand for such insurance is also increasing, particularly given the mandatory reporting requirements under the GDPR.

The UK government has been working with the insurance sector for some time to highlight the importance of cybersecurity insurance, in an attempt to bolster the UK’s reputation as a world centre for cybersecurity insurance. On 5 November 2014, the government and the insurance sector issued a joint statement (www.gov.uk/government/uploads/system/uploads/attachment_data/file/371036/Cyber_Insurance_Joint_Statement_5_November_2014.pdf), emphasising the ‘strong role’ of cyber insurance in mitigating cyber risks, specifically in relation to ‘malicious attacks’.

A government report in 2015 noted the gap in awareness of the use of insurance, evidenced by the large number of firms unaware that insurance was even available; around 50 per cent of CEOs believed their companies had some form of coverage in place. As of April 2017, however, only 38 per cent of UK companies said they had specific insurance cover for cyber risk, with many continuing to rely on general insurance policies. Companies may find that, as breaches become more commonplace, insurers will restrict reliance on such general policies.