UK Government publishes review of UK cyber security landscape

12 December 2016

In December 2016, the Government published its conclusions of a review ('Cyber Security Regulation and Incentives Review') of the adequacy of the current UK cyber security landscape in the context of the wider economy (i.e. not essential service sector-specific).

The headline to take from this report is that it seems very likely that the UK will implement the Network and Information Security (NIS) Directive notwithstanding the result of the 23 June 2016 referendum, stating that "[whilst the] Government is separately considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations…The detailed scope and security requirements for NIS implementation will be set out by Government in 2017, informed by the work of the NCSC and lead Government departments with relevant sectors alongside broader Government consideration of critical infrastructure". This being said, the focus of this report was essentially whether the Government needed to introduce additional regulation above that which will be imposed on businesses (generally) under the General Data Protection Regulation ("GDPR") when it comes into force on 25 May 2018.

The Government's conclusion is clear: "For now, Government will not seek to pursue further general cyber security regulation for the wider economy over and above the GDPR. It should ultimately be for organisations to manage their own risk in respect of their own sensitive data (e.g. intellectual property) and online presence". The Government states that there is a "strong justification for regulation to secure personal data as there is a clear public interest in protecting citizens from crime and other harm, where it may not otherwise be in organisations’ commercial interests to do so". However, it reserves its role to improving/ enhancing this protection by means of its implementation of the GDPR. The reasons for not adding to the GDPR's red-tape are as follows:

  1. It is satisfied that both the data breach notification obligations which will be imposed on both controllers and processors, and the "aggravating and mitigating factors affecting the size of fines imposed for cyber security-related breaches", under the GDPR are sufficient means of effectively incentivising "organisations to adopt good cyber security practices".
  2. Various measures will be implemented in due course which are designed to connect the field of data protection with the field of cyber security, for example, the collaboration of the ICO and the National Cyber Security Centre on relevant projects.
  3. Government intervention must be proportionate: "It does not want to overburden businesses and organisations with unnecessary regulatory requirements".

This does not mean that businesses should become complacent: in addition to beginning to devise and implement data breach detection and notification procedures and policies, they must devise and implement "formal incident response plans to deal with hackers and the consequences" i.e. procedures dealing with the full 'life cycle' of a breach and its consequences.

The review is available here.