Cyber security: the regulators bare their teeth

By Simon Shooter

10-2018

Cyber security continues to make eye-catching headlines. On 10 May 2018, in almost a blink-and-you-missed-it moment, the first UK cyber security-specific legislation, the Network and Information Systems Regulations 2018 (SI 2018/506) (2018 Regulations) came into force (www.practicallaw.com/w-014-9609). This event was pretty much lost amid the commotion of the General Data Protection Regulation (2016/679/EU) (GDPR) coming into force (see News brief “EU General Data Protection Regulation: on your marks, get set, go!”, www.practicallaw.com/w-014-9290).

More recently, in September 2018, the British Airways cyber attack that led to the accessing of customer personal data drew the attention of the compensation and fine-hungry media; and on 1 October 2018 the Financial Conduct Authority (FCA) issued an eye-watering £16.4 million fine to Tesco Personal Finance plc (Tesco Bank) for a 2016 cyber incident.

Industry attitudes

In cyber security presentations made to clients, industry bodies and other businesses over the last couple of years, a fairly steady average of 80% to 90% of the people attending confirmed that their businesses have identified cyber security as a significant, top five risk. Yet, on average, only 30% to 40% of the same audiences answer an immediate follow-up question to confirm that they have a cyber incident plan. This means, perversely, that while 60% to 70% of these individuals accept that a cyber attack is a major threat, they are not prepared to take the most basic of steps to prepare for what to do on the baleful day they get hit (see feature articles “Cyber security: top ten tips for businesses”, www.practicallaw.com/3-621-9152; and “Cyber attacks: shoring up the defences”, www.practicallaw.com/3-525-0011).

That attitude is also perhaps reflected in the way that businesses are responding to cyber risk. It appears to be significantly more popular for businesses to spend money on logical defences and cyber security software than on policies, incident plans, simulation exercises and staff education. The focus is firmly on protection in the hope of stopping a cyber attack succeeding rather than preparation for how to respond to, and mitigate the effects of, an attack that gets through that protection.

Given the extensive list of high-profile businesses that have fallen prey to attack, many of whom it can safely be assumed had at least industry-grade cyber protection in place, the present focus is unbalanced (see News briefs “Panama papers: time to firm up on cyber security?”, www.practicallaw.com/8-627-0529; and “Ransomware cyber attacks: lessons learned at last?”, www.practicallaw.com/w-009-3512). In light of the 2018 Regulations and the FCA’s enforcement powers, it is clear that continuing that unbalanced approach could be a very expensive mistake, especially for the regulated sectors.

2018 Regulations in a nutshell

As opposed to the GDPR, which focuses on personal data, the 2018 Regulations are concerned with networks and information systems. It is clear that the 2018 Regulations may overlap with the GDPR as a cyber attack that breaches a network may be the causative factor of a loss of personal data (see feature article “Data use: protecting a critical resource”, www.practicallaw.com/w-012-5424). If considered in terms of domestic security, the 2018 Regulations are interested in the locks on a house’s doors and windows, and the burglar and smoke alarms, whereas the GDPR deals with how the contents of the house are looked after.

The entities that are required to comply with the 2018 Regulations are split between operators of essential services (OES) and relevant digital service providers (RDSP). The OES are broken down into industry sectors, each with assigned competent authorities and with thresholds to ensure that the 2018 Regulations apply to entities that, in simple terms, are responsible for the operation of critical national infrastructure (see box “Entities covered by the 2018 Regulations”). RDSP are the operators of online marketplaces, online search engines and cloud computing services. They are handled slightly separately to OES and the Information Commissioner has been assigned as their competent authority.

While it is the OES and RDSP that have the immediate obligation to comply with the 2018 Regulations, in its January 2018 response to the public consultation, the government indicated that OES and RDSP would also assume a responsibility for their supply chains (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf). The government stated that it is the responsibility of OES or RDSP to ensure, through whatever levers or contractual arrangements they have, that their suppliers have in place appropriate measures. Therefore, suppliers to OES and RDSP can expect to be contracted into a form of compliance with the 2018 Regulations.

When it comes to the core question of what the 2018 Regulations require of their regulated entities, the obligation imposed is split between:

  • The need to adopt appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their networks and information systems.
  • The requirement to adopt appropriate and proportionate measures to prevent and minimise the impact of incidents affecting the security of those networks and information systems.

The 2018 Regulations also impose a deadline of 72 hours for notification to the relevant competent authority of a significant incident. OES should have already registered with their competent authority and RDSP should register with the Information Commissioner by 1 November 2018.

The sanctions for getting it wrong include the power for competent authorities to: issue information notices; inspect; issue enforcement notices; and to impose a financial penalty. The maximum penalty under the 2018 Regulations is £17 million and that is reserved for material contraventions that have caused or could cause an incident resulting in an immediate threat to life or having a significant adverse impact on the UK economy.

Entities covered by the 2018 Regulations

The box below sets out, for each industry sector and sub-division, the sub-sub divisions and thresholds that apply in England and the competent authority for England.

Healthcare
  • NHS trust or foundation trust.
  • Competent authority: Secretary of State for Health.

Transport (Air)
  • Provider of aerodrome services: more than 10 million passengers.
  • Provider of air traffic services (ATS): licensed by the Civil Aviation Authority or providing ATS at an airport with more than 10 million terminal passengers.
  • Air carrier: more than 30% of passengers at an airport with more than 10 million annual passengers and more than 10 million passengers in aggregate.
  • Competent authority: Secretary of State for Transport and the Civil Aviation Authority.

Transport (Water)
  • Shipping operator: more than 5 million tonnes at UK ports annually and more than 30% of annual freight of a significant port or more than 30% of annual passengers at a UK port with annual passenger numbers in excess of 10 million.
  • Harbour authority services, port facility operators and vessel traffic service providers: authorities, operators and service providers at ports with annual passenger numbers in excess of 10 million or that handle significant freight traffic (generally more than 15% of the country's port traffic, such as roll-on roll-off and lift-on lift-off).
  • Competent authority: Secretary of State for Transport.

Transport (Rail)
  • Operator of mainline railway assets, except for: international rail services; metros, trams or light rail services; heritage railways or private railways.
  • Operator of high-speed rail services.
  • Operator of metros, trams and light rail services: more than 50 million passenger journeys per annum.
  • Channel Tunnel train operator or manager of Channel Fixed Link infrastructure services.
  • Competent authority: Secretary of State for Transport.

Transport (Road)
  • Road transport services: responsibility for roads with more than 50 billion travelled vehicle miles.
  • Road services: provider of intelligent transport systems to roads with more than 50 billion travelled vehicle miles.
  • Competent authority: Secretary of State for Transport.

Energy Generation (Oil)
  • Transmission: more than 500,000 tonnes per annum.
  • Processing: 3 million tonnes per annum.
  • Production, refining, treatment, storage: 500,000 tonnes per annum.
  • Petroleum production: 3 million tonnes per annum.
  • Competent authority: Secretary of State for Business, Energy & Industrial Strategy.

Energy Generation (Gas)
  • Supply: more than 250,000 customers.
  • Transmission: 250,000 customers or interconnectors at 20m3 metres per day.
  • Distributors: more than 250,000 customers.
  • Storage: more than 20m3 metres per day.
  • Competent authority: Secretary of State for Business, Energy & Industrial Strategy, and Gas and Electricity Markets Authority.

Energy Generation (Electricity)
  • Supply: more than 250,000 customers.
  • Transmission: more than 250,000 customers; offshore with 2 gigawatts; or interconnector with 1 gigawatt.
  • Distribution: more than 250,000 customers.
  • Competent authority: Secretary of State for Business, Energy & Industrial Strategy, and Gas and Electricity Markets Authority.

Digital Infrastructure Operators
  • Top level domain registry: on average servicing more than 2 billion queries in 24 hours.
  • Domain name service providers: more than 2 million clients daily, or providing hosting for more than 250,000 active domain names.
  • Internet exchange point operators: more than 50% of annual market share.
  • Competent authority: Office of Communications.

Drinking water suppliers and distributors
  • Suppliers and distributors: supply to more than 200,000 people.
  • Competent authority: Secretary of State for Environment, Food and Rural Affairs.

Relevant digital service providers
  • Online marketplace.
  • Online search engine.
  • Cloud computing services.
  • Competent authority: Information Commissioner.

FCA’s Tesco Bank fine

In its published rationale for its £16.4 million fine for Tesco Bank, the FCA focused on what it found to be Tesco Bank’s culpable failure to adequately address the cyber attack once it was aware of it. The FCA found that Tesco Bank had breached Principle 2 of the FCA Handbook because it failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card.
  • Configure specific authentication and fraud detection rules.
  • Take appropriate action to prevent the foreseeable risk of fraud.
  • Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency.

The FCA’s determination echoed the two-pronged approach of the 2018 Regulations: it required not only that the boards of regulated financial institutions such as Tesco Bank set an appropriate cyber crime risk appetite and ensure that their cyber crime controls are designed to anticipate and reduce the risk of a successful attack, but also that those boards ensure that their institutions’ response plans are clear, well designed and well rehearsed.

Looking at the FCA fine in the context of the 2018 Regulations, it is interesting to note that the FCA imposed a fine for a pre-2018 Regulations incident that was a whisker off the maximum 2018 Regulations financial sanction. Indeed, had Tesco Bank not cooperated with the FCA and accepted an early settlement, it would have faced a fine of over £33 million. As stated above, in the 2018 Regulations the £17 million fine is expressly reserved for incidents that pose an immediate threat to life or a significant adverse impact on the UK economy. It is hard to see how the events at Tesco Bank in 2016 came close to threatening life or the country’s economy, and this raises the question of whether and how regulators will operate together to make sure that their sanctions are balanced and, where cumulative, are proportionate.

Under the 2018 Regulations, it is possible for an entity to qualify both as an OES and a RDSP and, as mentioned at the outset, it is entirely possible that the same incident that triggers a sanction under the 2018 Regulations may also trigger a sanction from the Information Commissioner’s Office under the GDPR.

While fully accepting that the likelihood of it happening is negligible, to take the most extreme position, a single incident could conceivably bring about a fine of £17 million as an OES, a further fine of £17 million as a RDSP, and a GDPR fine of up to 4% of annual global turnover. It would be a sorry state of affairs if the aggregation of sanctions by regulators destabilised the financial security of their regulated entities.

This article first appeared in the November 2018 issue of PLC Magazine http://uk.practicallaw.com/resources/uk-publications/plc-magazine
