Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

While the NCSC and ICO offer advice on cybersecurity, there are no prescribed policies or procedures in law or regulation that organisations must implement to protect data or IT systems. Instead, organisations must achieve the technical and organisational security standards expected of them under the applicable legislation using the plethora of cybersecurity advice available from governmental and industry bodies. The ability to demonstrate the steps taken to achieve such standards is a key element of the GDPR and NISR and failure to provide them may lead to regulatory action or exacerbate any penalties imposed as a result of a cyber incident.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

Apart from the practical utility for organisations of maintaining records to identify systemic issues and improve standards, as part of the overarching GDPR accountability obligation (see question 1), data controllers must maintain records of personal data breaches even where no reporting obligation arises under articles 33 and 34. No particular format is prescribed for such records, though they must contain the facts relating to each data breach, its effect and remedial action taken. The ICO requires that similar information is recorded by network and service providers regulated by PECR in the event of a personal data breach. In the event that a reportable data breach takes place, the ICO may demand to see a data controller’s records.

Under NISR, OES and RDSPs must maintain records evidencing the appropriate and proportionate technical and organisational measures taken to manage risks to their systems. In the event of a security incident involving a personal data breach, as well as notifying their respective competent authorities, OES and RDSPs must also notify the ICO and be able to provide documentation demonstrating compliance with their security obligations as well as prescribed details about the incident itself.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

There are currently no rules in England, except for public electronic communications service providers. Under Regulation 5A PECR, these communication service providers must notify the ICO of any personal data breaches. In 2015 (up to 19 November), 143 breaches were reported under this Regulation (see questions 3 and 24). Although there is no legal obligation on data controllers to report breaches of security that result in loss, release or corruption of personal data, the Information Commissioner believes serious breaches should be brought to her attention. Further, the UK government has taken action to make the reporting procedure simple and straightforward by establishing integrated reporting tools.

There are numerous ways to report cybersecurity breaches, fine-tuned to meet the needs of specific organisations. For government agencies and other public bodies, the two organisations are CESG (originally Communications-Electronics Security Group) the information security arm of Government Communications Headquarters and GOVCERT, the CERT for government and public sector bodies. For private companies and organisations, the two main reporting agencies are the National Cyber Crime Unit (a part of the NCA), and ‘Action Fraud’, an online national fraud reporting centre. The Cyber Incident Response scheme also exists, which provides access to industry expertise.

Since the GDPR came into effect in May 2018, all cybersecurity breaches must be notified to the national supervisory authority and that notifiable breach reporting to the national supervisory body will be mandatory within 72 hours of an organisation becoming aware of it and, in serious cases, public notification will be required.

Timeframes

What is the timeline for reporting to the authorities?

See question 28.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

See question 28.