Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Enhanced cybersecurity protections, beyond those mandated by law, are recommended by a number of different authorities, with guidance notes and advice widely available.

The National Cyber Security Centre (NCSC) is an organisation within the UK government that provides advice and support for the public and private sector to promote cybersecurity. The central pillar of its advice is Cyber Aware, which provides a set of guidelines built around six key actions. In addition, it also maintains 10 Steps to Cyber Security, guidance aimed at medium-sized to large organisations that employ cybersecurity professionals, and a ‘Small Business Guide: Cyber Security’. On top of this, the NCSC publishes various focused guides on passwords, ransomware, phishing, devices, personal data, malware, operational security and the cloud.

Other authorities also recommend enhanced protections. The Global Cyber Alliance, Action Fraud, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) are among other authorities that also recommend protections beyond those strictly mandated by law.

It should be noted that while industry and regulatory codes or guidance do not constitute protections mandated by law, failure to follow such codes may still give rise to adverse consequences. For example, the ICO states, in its Regulatory Action Policy, that failure to follow an approved or statutory code of conduct is an aggravating factor when it considers sanctions.

How does the government incentivise organisations to improve their cybersecurity?

Following a 2019 consultation, on 19 January 2022 the government published a policy paper entitled ‘2022 cyber security incentives and regulation review’. In that paper it noted that it was for the market to incentivise better security practices for organisations, but recognised that those incentives (such as consumer pressure and competitive advantage) have not yet formed effectively. To mitigate this, the government plans to take a more interventionist approach through guidance, further market participation and strengthening of UK cyber legislation.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

The NCSC publishes a guide dealing with issues such as cyber defence, threats and ransomware. The NCSC’s 10 Steps to Cyber Security sets out a number of key areas for medium-sized to large organisations to ensure that technology, systems and information are protected against cyberattacks. In doing so the guide emphasises the need to take a risk-based and proactive approach to cybersecurity.

Organisations operating within the regulated financial services sector are also guided by a range of materials produced by the FCA in order to achieve compliance with its Principles, and the standards set out in the SYSC sourcebook. One such example is the FCA’s publication on Good cyber security – the foundations, which demonstrates the FCA’s approach to working with other organisations (namely, the NCSC) in order to achieve effective levels of cybersecurity within the sector.

Are there generally recommended best practices and procedures for responding to breaches?

The best way to mitigate the impact of a data breach is to ensure you are properly prepared. A number of public organisations have published guidance for responding to data breaches (including the ICO and the NCSC). You should already have a detailed cybersecurity policy and within that should be a data breach response plan. Such a plan should be accessible to all employees and form part of standard onboarding training.

The first recommended step is to identify the extent of the breach and preserve relevant evidence. Although basic, it is important to document how the breach was identified and keep a careful note of steps taken. Such steps might include ensuring the correct internal stakeholders have been contacted (eg, HR, security), determining whether the breach contained personal data, and identifying which jurisdictions may have been affected. Answering these questions will inform the scope of external bodies that need to be involved in the crisis response team (eg, forensic experts to track the extent of the breach).

Next, your focus should shift to analysis, that is, understanding the ‘how’. For example, how did the breach occur and is it ongoing? If so, what steps need to be taken to fix (or ‘patch’) the breach? At this stage, you should consider whether stopping the breach might ‘tip off’ the attacker and lead to the destruction of evidence; this should be balanced against your data protection duties. You should also consider any external and internal communications. For example, you might want to consider a formal press release, or an internal notice reminding employees of the sensitivities of publicly discussing the breach with the media.

You should then consider the remedies and next steps available to you. Depending on the circumstance of the breach, this can range from initiating legal action to instigating a PR strategy.

Finally, you should consider your long-term response. If the breach identified any holes in your security system or staff training, these should be addressed as a matter of urgency. You should also reflect on whether you need to strengthen the relationships with necessary third parties; you may want, for example, to have forensic experts or legal counsel on retainer for data breaches.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

It is considered best practice to share information on cybersecurity threats, although this usually occurs after the threat has been properly resolved. You can share this information informally, for example through social media, or more formally on a voluntary basis with Action Fraud or the NCSC.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The UK government’s Strategy sets out an aim for the UK to establish itself as a global cyberpower, which includes strengthening the UK cyber ecosystem between government, academia and industry. The Strategy intends to build on the existing relationships between the NCSC and industry stakeholders, most notably the regional cyber clusters recently formalised by the UK Cyber Cluster Collaboration.

Industry experts have also organised to help direct the UK technology sector. In particular, techUK (the UK’s technology trade association) brings together organisations to enhance government collaboration and accelerate innovation. techUK has over 800 members across the UK, from sector leaders, such as Amazon and DeepMind, to law firms and emerging start-ups.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance for cybersecurity breaches is available in the jurisdiction and has become more prevalent and available in the past five years, although the cyber insurance market has hardened significantly over the past year. Previously, insureds that suffered cyberattacks or were involved in cyber incidents would try to claim under their existing commercial insurance policies (for example, those relating to property or commercial risks). While some of these ‘silent’ cyber risks could attach, many would not fall within cover. This state of affairs helped drive the ‘affirmative’ cyber insurance marketplace forward.