Multimillion-pound fines proposed for UK service operators with poor cyber security
22nd August 2017
The plans are being considered as part of a consultation launched by the Department for Digital, Culture, Media and Sport on how to implement the Network and Information Systems (NIS) Directive.
The Directive was adopted by the European Parliament on 6 July 2016 and Member States have until 9 May 2018 to transpose it into domestic legislation.
Once implemented, the NIS Directive, which relates to loss of service rather than loss of data (the latter falls under the General Data Protection Regulation), will form part of the government's five-year £1.9bn National Cyber Security Strategy.
It will compel operators of essential services (OESs) in the UK's electricity, transport, water, energy, health and digital infrastructure sectors to take the necessary measures to protect their IT systems. It will also cover other threats affecting IT such as power and hardware failures and environmental hazards.
OESs include water suppliers and distributors, electricity suppliers, NHS trusts, air carriers, harbour authorities, railway operators and providers of domain name services.
Such systems present risks to the public if cyber-attackers gain remote access to the control systems behind them. In 2014 the German Federal Office for Information Security announced that a steel mill had suffered "massive damage" after hackers gained access to its control system and left the plant's operators unable to shut down a blast furnace (www.ioshmagazine.com/article/weakest-link).
Under measures proposed by the government, operators would be required to:
develop a strategy and policies to understand and manage security risks to their network and information systems
implement methods to avoid cyber-attacks or system failures, such as preventing unauthorised data access, actively managing software vulnerabilities, and increasing staff awareness and training
ensure system security defences are effective so as to detect attacks
report incidents as soon as they happen and take steps to understand the root cause
have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
The consultation says that "any operator which takes cyber security seriously should already have such measures in place", but adds: "Given the theoretically high impact of a loss of an 'essential service', including possible loss of life (not all services) or major economic loss to associated industry or regions, the government believes that the NIS Directive needs to set a high bar for the maximum level of penalty."
The government has proposed two penalty bands. The first is a £9m fine, or 2% of global turnover, for organisations that commit lesser offences, such as failing to report an incident. Under the second band, operators that do not implement appropriate and proportionate security measures would be fined up to £17m, or 4% of their global turnover -- whichever is greater.
Fines would not apply to operators that have assessed the risks adequately and taken appropriate security measures but still suffered an attack.
The consultation covers the proposed essential services, the penalties, the competent authorities to regulate and audit specific sectors, the security measures, and timelines for incident reporting. The closing date for responses is 30 September 2017.
The UK digital minister Matt Hancock said: "Recent events such as the WannaCry ransomware attack, the 2016 attacks on US water utilities, and the 2015 attack on Ukraine's electricity network clearly highlight the impact that can result from adversely affected network and information systems.
"There is a need to therefore improve the security of network and information systems across the UK, with a particular focus on essential services [...] which if disrupted, could potentially cause significant damage to the UK economy, society and individuals' welfare.
"We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber-attack and more resilient against other threats such as power failures and environmental hazards."