Cyber security is concerned both with the security of cyber space (which can include physical places as well as purely virtual ones) and the security of entities that use or rely on cyber space. Entities that use cyber space need to be cyber secure; not simply because of the obvious business impact and reputational issues arising from security breaches, but to ensure they comply with their legal duties.
The law governing cyber security is somewhat of a complex (and dare I say it unintentional) amalgam of various pieces of legislation enforced by a number of regulatory bodies who do not necessarily act in concert. Currently, the only legislative obligation for cyber security is found in section 105A of the Communications Act 2003, which regulates telecoms companies and ISPs. However, the security provisions (seventh data protection principle) of the Data Protection Act 1998 have been interpreted (and enforced) by the ICO to include cyber space and to contain a duty for cyber security ie to protect personal data from cyber security vulnerabilities, including cybercrime. The Financial Conduct Authority (formerly the FSA) is also active in the regulation of data security using its powers under the Financial Services and Markets Act 2000 to police cyber security in relation to FCA regulated entities.
However, there is new legislation on the (not very distant) horizon. The Directive on Network and Information Security, colloquially known as the NIS Directive or the Cyber Security Directive will create a legal duty for cyber security for various public administrations and market operators, requiring them to take appropriate technical and organisational measures to manage the risks posed to the security of the network and information systems which they use and to notify incidents (ie breaches) to the authorities. New national Regulators for cyber security will be appointed with significant enforcement powers. And infrastructures to coordinate national and EU responses to threats, risks and incidents will be created.
The purpose of the Directive is to ensure a high common level of network and information security (NIS) within the EU. The Directive is not yet finalised, but as it is at the final trialogue negotiations stage it is now a case of ‘when’ not ‘if’ it will be passed. One of the most important issues to be ironed out in the ongoing trialogue negotiations concerns the range of market operators who will be under the duty to be cyber secure. However, critical infrastructures and services in the energy, transport, financial services and health sectors will very likely be subject to the new regime.
The impact of the Cyber Security Directive and the new EU Data Protection Regulation on your cyber security obligations is significant, and both are likely to be passed (in the author’s view) in early/mid 2016 and be effective two years thereafter. Therefore, cyber security plans must become a priority for all organisations and in particular for boards of medium to large sized organisations. Those at the very top need to recognise the real risks facing their businesses (and them personally!) and take steps now to minimise those risks by preparing more fully for breaches. What should you do? Start by implementing a detailed cyber security plan with adequate systems, safeguards and processes, and test it regularly. You should also draft, implement and road-test a data breach, crisis and notification policy.
There is significant legislative change looming for cyber security in the UK and across the EU. If you are caught by it, it will have significant legal, commercial and operational impact on your organisation. Do not delay – start gearing up to manage it now. The clock is ticking…
Craig is a London based commercial partner at law firm Gateley Plc and he is a technology, payment services and data protection specialist. He advises customer and supplier clients across multiple industry sectors (including financial services) on complex commercial transactions including IT and business process outsourcing projects. He has specialist expertise in payment services and in the regulatory compliance environment that governs payment services in the UK, including the payment services and e-money regulations and the Data Protection Act.