Cyber Security Breaches To Be Hit With New Fines

The UK Government has finally had enough of the huge number of data breaches that have come to light over the last 18 months, and is threatening businesses with fines of up to £17 million if defensive standards are not met.

New sector-specific regulators will be set up to assess the individual needs of those sectors which are deemed critical to the UK, such as energy, transport or healthcare. The National Cyber Security Centre will publish new guidelines which will roughly outline the rules and expectations, though businesses will be encouraged to actively engage with the newly-formed regulator.

“Today we are setting out new and robust cyber security measures to help ensure the UK is the safest place in the world to live and be online,” said Margot James, Minister for Digital and the Creative Industries.

“We want our essential services and infrastructure to be primed and ready to tackle cyber-attacks and be resilient against major disruption to services. I encourage all public and private operators in these essential sectors to take action now and consult NCSC’s advice on how they can improve their cyber security.”

A lot of data breaches seem to happen in the US, but there are cases of cyber breaches across the globe, and the UK has attracted a number of incidents. In November, shipbrokers Clarkson warned shareholders of an upcoming breach as it refused to pay a ransom to the hacker; Deloitte suffered a breach, believed to be because the firm did not have two-step verification set up; and BUPA suffered a leak affecting 500,000 customers on its international health insurance plan.

Future incidents will need to be reported to the new regulators, who will assess various aspects of the incident. Were there procedures in place? Were there enough security measures? The regulators will be able to issue fines, which will be legally binding. The maximum fine of £17 million will certainly make companies pay more attention to cyber security, although I’m unconvinced that many £17 million fines will be handed out. Companies that have assessed the risks adequately, taken appropriate security measures and engaged with regulators, but still suffered an attack, will not face a fine.

Interestingly enough, that irritating ‘up to’ qualifier has appeared again. £17 million is the maximum fine which can be placed on an organization, but there has not been any guidance about how the amount will be assessed. The guidance from the National Cyber Security Centre will possibly offer more detail, but for the moment we’ll have to wait for the formation of the new regulators. These watchdogs might well be feisty, or they might be just another bloated government body.

As yet, no guidance has been released on how fine amounts will be assessed and handed out. For the moment, we’ll have to wait until the new regulators have been created, but one thing’s for sure: if you carry on being negligent with your cyber security, you will eventually come unstuck.