Have you visited our online client cybersecurity resource portal: Ready, Set, Respond? Designed by our cross-practice team of global practitioners to provide in-house counsel with the tools they need to prepare for the inevitable cybersecurity incident and quickly and easily stay up to date on the evolving state of cybersecurity regulation around the world, the portal is regularly updated with new content. Today, we’re taking a closer look at the United Kingdom’s cybersecurity legal and regulatory landscape, courtesy of Conor Ward. Visit Ready, Set, Respond for more information or to take advantage of the tools and data available there.
To coincide with the London Conference on Cyberspace, the UK Government published its first UK Cyber Security Strategy paper in November 2011. Five years later in November 2016, the National Cyber Security Strategy 2016 was published listing three key objectives, namely:
- Defend: to have the means to defend the UK against evolving cyber threats; to respond effectively to incidents; to ensure UK networks, data, and systems are protected and resilient
- Detect: to understand, investigate, and disrupt hostile action taken against us, pursuing and prosecuting offenders and taking offensive action in cyberspace, should the government choose to do so
- Develop: to have an innovative, growing cybersecurity industry, underpinned by world-leading scientific research and development
The strategy paper does not include any specific proposals regarding new legislation. However, the government has stated that it will make sure that it has the right regulatory framework in place to manage those cyber risks the market fails to address. Legislation that has been adopted, but not yet implemented, will go some way toward achieving that objective.
Sector Resilience Planning
Sector resilience plans set out the resilience of the UK’s most important infrastructure against the risks identified in the National Risk Assessment. Individual plans are classified, but the Cabinet Office publishes a summary of the plans. Government departments have lead responsibility for ensuring appropriate steps are taken within their sectors to improve protective security. They also lead on the identification of critical infrastructure within their sectors in consultation with the Centre for the Protection of National Infrastructure and sector organisations.
The following departments have lead responsibility for the sectors indicated below:
- Chemicals – Department for Business, Innovation and Skills (BIS)
- Civil Nuclear – Department of Energy and Climate Change (DECC)
- Communications – Department for Business, Innovation and Skills
- Defence – Ministry of Defence (MOD)
- Emergency services
  - Ambulance – Department of Health (DH)
  - Fire – Department for Communities and Local Government (CLG)
  - Maritime and Coastguard Agency – Department for Transport (DfT)
  - Police – Home Office
- Energy – Department of Energy and Climate Change (DECC)
- Finance – HM Treasury (HMT)
- Food – Department for the Environment, Food & Rural Affairs (Defra) and Food Standards Agency (FSA)
- Government – Cabinet Office (CO)
- Health – Department of Health (DH)
- Space – Department for Business, Innovation and Skills
- Transport – Department for Transport (DfT)
- Water – Department for the Environment, Food & Rural Affairs (Defra)
The Office of Cyber Security and Information Assurance (OCSIA) in the Cabinet Office coordinates the work carried out under the National Cyber Security Programme. The office works with government departments and agencies, and the devolved administrations, to provide strategic direction and oversight. It coordinates the Cyber Security Programme for the government to enhance cybersecurity and information assurance in the UK.
Protecting Critical National Infrastructure
The UK government has had wide-ranging powers for securing public safety and the defence of the realm since World War I. Following the war, emergency powers legislation was retained to enable the government to declare a state of emergency in the event that action had been taken or was threatened:
“… by any persons or body of persons of such a nature and on so extensive a scale as to be calculated, by interfering with the supply and distribution of food, water, fuel, or light, or with the means of locomotion, to deprive the community, or any substantial portion of the community, of the essentials of life …” (Section 1(1) of the Emergency Powers Act of 1920).
Whilst the legislation may have changed over the years, the fundamental objectives of protecting and maintaining critical national infrastructure (CNI) continue under the Civil Contingencies Act 2004 and implementing regulations.
The government’s work in relation to CNI mostly takes the form of nonmandatory guidance and good practice initiatives by the Centre for the Protection of National Infrastructure and National Cyber Security Centre in partnership with industry. However, the Act requires Category 2 responders, many of whom are private sector bodies (e.g. utilities, transport companies), to cooperate and share information with Category 1 responders (e.g. emergency services and local authorities) to inform multiagency planning frameworks. Whilst the Act does not include explicit powers to require Category 2 responders to take specific actions as part of contingency planning, the government has express powers in legislation relating to regulated sectors (such as telecoms, utilities, transport) to impose terms in licences, or to suspend or withdraw licences, where necessary to protect the public from any threat to public safety or public health or in the interests of national security. Examples of these powers may be found in Section 132 of the Communications Act of 2003.
The government has publicly stated that for CNI, critical systems must be identified and secured and that entities must have tested capabilities in place to respond if an attack happens. If cyber risk is not being properly managed, government may intervene “in the interests of national security”.
With regard to industry generally, the government intends to use a number of nonlegislative methods to exert pressure on companies to ensure steps are taken to address cybersecurity risk. In particular, in its National Cyber Security Strategy 2016 document, the government stated that:
“… we will work through organisations such as insurers, regulators and investors which can exert influence over companies to ensure they manage cyber risk.”
Information and Guidance
In February 2007, the government set up the Centre for the Protection of National Infrastructure (CPNI) from the merger of predecessor bodies the National Infrastructure Security Co-ordination Centre (NISCC) and the National Security Advice Centre (NSAC) in order to provide advice on physical security, personnel security, and cybersecurity/information assurance. NISCC existed to provide advice to companies operating critical national infrastructure, while NSAC was a unit within MI5 that provided security advice to other parts of the government. CPNI is accountable to the Director General of the Security Service (MI5) and operates under the Security Service Act of 1989.
In October 2016, the government launched the National Cyber Security Centre (NCSC) as part of the Government Communications Headquarters, or GCHQ. GCHQ is a British intelligence and security organization responsible for providing signals intelligence to the Government and armed forces and for defending Government systems from cyber threats. The NCSC brings together and replaces CESG (the information security arm of GCHQ), the Centre for Cyber Assessment (CCA), Computer Emergency Response Team UK (CERT UK), and the cyber-related responsibilities of the CPNI. Whilst CPNI will continue to lead on physical and personnel security, NCSC is now the lead cybersecurity technical authority in the UK, with overall responsibility for the technical content of all cybersecurity advice issued by the UK government. Guidance previously issued by the CPNI that is still relevant is being archived on the NCSC website.
For organisations that have their own networks, the NCSC will run the Cyber Security Information Sharing Partnership. Whilst the NCSC will produce tailored advice and guidance for identified sectors, initially it will focus on sectors that form part of the critical national infrastructure alongside those of strategic or significant economic importance or the delivery of key public services. NCSC will offer limited bespoke support to a small number of the most critical organisations in the UK. It does not, however, offer an enquiries line for the general public: Action Fraud will continue to be the first port of call for victims to report suspected cybercrime.
There are currently no mandatory reporting requirements under UK law specific to cybersecurity incidents, except in relation to those communications service providers that are subject to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended). However, where personal data has been compromised or destroyed, it is generally accepted practice to notify the Information Commissioner’s Office (ICO), as a failure to notify may well be taken into account when the ICO decides what sanctions (if any) should be levied as a result of the incident.
For regulated entities, regulators may require notification of cybersecurity incidents in particular where they are as a result of a breakdown in systems and controls or where there was an actual or potential risk to the provision of the services or to customers.
However, this is all about to change as a result of the following EU legislation that has been adopted and that will come into effect during the course of 2018:
- The Network and Information Security Directive (NIS Directive): The NIS Directive is the cornerstone of the European Union’s cybersecurity legislative policy. EU Member states have until May 10, 2018 to adopt implementing legislation. The NIS Directive sets cybersecurity obligations for operators of essential services (as selected by individual Member States) and digital service providers. For many organizations, the directive imposes the first breach reporting requirement in Europe.
- General Data Protection Regulation (GDPR): The GDPR represents a major overhaul to existing European data protection law. The key provisions impose security obligations directly on data controllers and processors of personal data and introduce mandatory personal data breach reporting obligations. As it is a Regulation, the GDPR will take direct effect in the UK on May 25, 2018.
- Payment Services Directive 2 (PSD 2): PSD 2 is a sector-specific European Directive that will impose cybersecurity requirements on payment service providers (PSPs), including banks. The Directive must be implemented by member states by January 13, 2018. Affected organizations will be obliged to report security incidents to regulators. If a security incident could impact a customer’s financial interests, those customers must also be notified.