The UK government has released a comprehensive review of the country's cyber security, covering existing and proposed regulations and incentives. Among other conclusions, the report confirms that the EU's General Data Protection Regulation (GDPR) will apply in the UK no later than May 2018, and that its financial sanctions will be used to drive better cyber security behaviours in UK businesses.
Putting cyber security obligations on a regulatory footing is intended to give the government a legislative basis for ensuring that businesses follow data protection best practices, rather than relying on voluntary guidance.
The GDPR will require companies to formally report personal data breaches to the Information Commissioner's Office (ICO) and, where a breach is likely to put individuals at high risk, to notify the affected customers as well. Organizations will also be required to carry out data protection impact assessments for high-risk processing, and certain organizations will have to appoint a data protection officer.
Under the GDPR, stringent financial sanctions may be imposed on organizations for non-compliance with data security best practices. Companies may also be liable to customers through class action lawsuits, imposing further penalties on companies for breaches.
The rationale for government intervention in regulating compliance for cyber security comes from the elevated risk to businesses and their customers posed by cyber breaches, as well as the evidence in the report which suggests that companies are not doing enough currently to protect themselves and their clients in terms of technical controls, risk management, and incident response.
“Whilst 69 percent of businesses say their senior management consider cyber security is of a very or fairly high priority for their organization just over half (51%) of all businesses have actually taken recommended actions to identify cyber risks, and only 10% have a formal incident management plan.” Additionally, only 17% of businesses surveyed had staff that attended training for cyber incidents in the past year.
The government study also found that many companies did not fully understand the risk of cyber attack to their organization, and were unclear about who was actually responsible for their cyber strategy and implementation. Some thought that the responsibility was passed forward to their banks, or to outsourced providers rather than recognizing that the organization itself was ultimately responsible for data protection practices.
The study concluded that financial sanctions imposed on organizations that suffer breaches will incentivize them to adopt good cyber practices. Alongside the GDPR, the government is also considering extending the ICO's audit powers to cover all organizations processing personal data, rather than only the sectors it can currently compel. Should such a change be warranted, it would be introduced before the GDPR takes effect, scheduled for May 2018.