The government confirmed it will set out "the detailed scope and security requirements for NIS implementation … in 2017" in a new report it has published. The statement provides some clarity on the government's intentions on implementation of the NIS Directive in light of the UK's vote to leave the EU.
The NIS Directive sets out measures designed to ensure critical IT systems in central sectors of the economy like banking, energy, health and transport are secure. It will apply to operators of such "essential services" and to "digital service providers". EU countries have until 9 May 2018 to implement the Directive into national law.
The government's report featured the results of a review into cybersecurity regulation and incentives (27-page / 559KB PDF) it carried out. According to the UK government's conclusions from the review, it is "not currently justified" to impose new cybersecurity regulations on businesses, above those set out in data protection law and those that will apply to some organisations under the NIS Directive.
However, the UK government confirmed that it is "considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations". The UK's plans to implement the NIS Directive will in part be shaped by the UK's new National Cyber Security Centre, the government said.
Technology law expert Luke Scanlon of Pinsent Masons has assessed which businesses can expect to be subject to the new NIS Directive. Expert in cybersecurity Kuan Hon, also of Pinsent Masons, identified some overlap between the NIS Directive and the EU's new General Data Protection Regulation (GDPR), but said the security requirements organisations face under each piece of legislation "may not be identical".
In its report, the government announced that it had dismissed a raft of options for new cybersecurity regulation and incentives it considered. These include setting out "specific cyber controls, risk management practices or systems testing" and mandating take-up of cyber insurance cover. It also rejected the options of introducing new director liability for cybersecurity failings and annual cyber risk reporting, as well as providing "enhanced tax relief" to organisations that become certified under its Cyber Essentials scheme, among other initiatives.
"It should ultimately be for organisations to manage their own risk in respect of their own sensitive data and online presence, and it should be in their commercial interests to invest in their protection," the government said. "Government is clear that all businesses have a responsibility to consider their own cyber security and act in their business interests to protect themselves from cyber attack."
However, the government announced that it plans "a general uplift in support and information" around the GDPR to help organisations meet the requirements of the new legislation.
The GDPR is EU legislation that was finalised last year and which is due to come into force on 25 May 2018. The government has already confirmed that the GDPR will apply in the UK at the time it comes into force despite the Brexit vote.
The government said it expects the implementation of the GDPR to help spur "significant improvements in cyber risk management" among UK companies, and cited new data breach notification rules in the Regulation as one of the measures which will drive better practices.
"Evidence indicates that the significant financial sanctions available for breaches, and the application of aggravating and mitigating factors, will drive the security behaviours we want to see," it added.
Civil fraud and asset recovery specialist Alan Sheeley of Pinsent Masons said: "It is pleasing to see that the government is going to take a proportionate response as to the intervention it needs to take and will not overly regulate the cyber world. However, corporates must not see cyber as an area that they do not need to budget for or invest in."
Sheeley said that it is "simply unacceptable" that, as recorded in the government's most recent cybersecurity breaches survey, nearly half of all businesses have not taken recommended actions to identify cyber risks, and only 10% have a formal incident management plan. He said businesses must "focus on prevention, detection and response".
"In failing to prepare, a business is undervaluing the information it has which is often personal data," Sheeley said. "This is a very valuable asset. People have placed their trust in the business by allowing it to have their personal data which can include anything from customers’ dates of birth, through to credit card details or possibly even really sensitive information such as health records. Business must not undervalue this information and should be protecting it as if it is the Crown Jewels."
Sheeley said that businesses that do not provide adequate protection against the cyber threat effectively undervalue the data they hold. When the GDPR comes into force, those businesses will be required to self-report breaches without delay and could face potential fines of up to €20 million, he said.
Businesses should implement formal incident response plans to deal with hackers and the consequences, Sheeley said. Such a plan should include instructing forensic IT experts who are able to secure evidence and identify the vulnerabilities and the weaknesses in the system, he said. That kind of expertise is unlikely to be available within a business' own IT department, he said.
Civil fraud solicitors can also help recover any funds or data that has been lost, Sheeley said.
"Civil fraud solicitors are well-skilled in working with effective IT service providers and forensic investigators to understand the vulnerabilities in IT systems and the technical and constantly changing markets which can be particularly daunting for large businesses; let alone small businesses," Sheeley said. "Civil fraud solicitors are also able to obtain disclosure orders against third parties such as internet service providers to trace the hackers and identify weaknesses in the IT systems."
"Businesses should not only assume that a hacker has acted alone, as sometimes employees are involved as well," he said.