As businesses continue to digitise their assets and operations, the need to continually assess IT infrastructure and the technical measures in place to safeguard key information assets and data becomes ever more important. Implementing a cybersecurity programme that adequately protects against would-be attackers and ensures compliance with applicable laws presents many challenges. This is made more complex given that there is no single overarching "cybersecurity law" in the UK. Rather, there are laws imposing cybersecurity obligations that apply to all businesses, and laws imposing cybersecurity obligations that apply to businesses falling within specific sectors and satisfying specific criteria.
Businesses are generally afforded freedom and discretion concerning their approach to compliance with cybersecurity obligations. This flexibility is essential, as the threats posed are constantly evolving at a rapid pace. Businesses must deploy their limited resources in a manner that ensures the defence techniques and tools used continue to be effective in guarding against the greatest identified threats and known vulnerabilities.
The cost of non-compliance can be significant for organisations, from both a financial and reputational perspective. Although businesses will not necessarily face punishment for simply falling victim to cyber-attacks, sanctions may be imposed when a business has failed to implement measures to safeguard systems and data from would-be attackers and for inadequate responses to attacks. Once a cyber-attack becomes public knowledge, customer and market confidence can be adversely impacted.
GDPR obligations: what businesses need to know
The introduction of the General Data Protection Regulation (GDPR) and the complementary Data Protection Act 2018 (the "2018 Act") materially altered the risk landscape for entities involved in the processing of personal data. Both require businesses to implement security measures to safeguard the personal data that they process.
The GDPR and the 2018 Act also impose restrictions on third-party access to personal data, requiring third parties to provide sufficient guarantees regarding the security of their processing activities.
Businesses must implement measures that are both technical (e.g., firewalls, anti-virus programs, perimeter scanning tools) and organisational (e.g., policies and procedures that must be followed by personnel regarding cybersecurity) to safeguard personal data. Businesses are required to protect against unauthorised or unlawful use of personal data and against loss, destruction and damage of the same.
Businesses must take account of various factors when determining what security measures to implement. Clearly, the more sensitive the personal data that is being processed (e.g., health data), the more robust the associated security measures should be. Failing to implement appropriate security measures to safeguard personal data can result in enforcement action, including the imposition of significant fines. These can be up to a maximum of the greater of €20 million or four per cent of annual global turnover. It should also be noted that enforcement action can be taken even in the absence of cyber-attack or data breach (e.g., where an employee simply loses personal data).
NIS Regulations obligations on the security of information systems
Whereas the GDPR is concerned with the security of personal data, the Network and Information Systems Regulations 2018 (the "NIS Regulations") are concerned with the security of information systems. The NIS Regulations impose cybersecurity obligations on operators of "essential services" (such as businesses in the energy, transport and/or health sector) and "digital service providers" (such as cloud service providers and providers of online marketplaces) that offer services to individuals within the UK.
Businesses subject to the NIS Regulations are required to implement appropriate and proportionate measures to manage risks posed to network and information systems, preventing and minimising the impact of incidents. As with the obligations in the GDPR and 2018 Act, businesses subject to the obligations have the freedom to determine what measures are appropriate and proportionate. In order to satisfy this obligation, an organisation must have a comprehensive understanding of the risks posed.
Businesses subject to the NIS Regulations should be familiar with the work of the National Cyber Security Centre ("NCSC") in the UK and the guidance it publishes with respect to compliance. The NCSC oversees the "Cyber Essentials" certification scheme. This is a government-backed and industry-supported scheme that provides self-assessment certification to help organisations protect themselves against common cyber-attacks and aids compliance with the NIS Regulations. It includes a security questionnaire and external vulnerability testing to assist businesses in assessing their cybersecurity.
A failure to meet the requirements of the NIS Regulations can result in enforcement action, including the imposition of significant fines, up to a maximum of £17 million.
Other legal requirements and considerations
In addition to the aforementioned regulations, businesses operating in the UK may be subject to other laws, regulations, industry rules and the common law. An example of this is businesses providing electronic communications networks and services. Such organisations have specific obligations to implement technical and organisational measures to appropriately manage risks to the network and services, to prevent or minimise the impact of security incidents on end-users and to protect data in transmission. Businesses in the financial services sector face similarly specific obligations. Financial services firms must establish and maintain appropriate systems and controls for managing operational risks that can arise from inadequacies or failures in their processes and systems. Foreign businesses in the UK will also have to consider the requirements of the law in their own jurisdiction.
Maintaining customer confidence requires businesses to communicate effectively with customers regarding the security measures in place and, in the event of a cyber-attack, how customer data is being protected against misuse. Poor communication with customers in the event of a cyber-attack can be seriously damaging to the customer relationship, and mismanagement of an incident has the potential to cause irreparable damage to customer and market confidence.
Impact on businesses
Businesses must adopt a multi-faceted and risk-based approach to cybersecurity. The implementation of comprehensive cybersecurity mechanisms, policies and procedures is a crucial part of a business' overall strategy for cybersecurity compliance and for protecting key IT systems and information assets. Testing implemented measures regularly to assess their effectiveness, as well as upgrading and enhancing them from time to time to remain current with wider technical developments, is key.
Legal compliance requires the implementation of robust cybersecurity measures. Maintaining customer confidence requires businesses to continually adapt and react quickly as attack vectors change and new vulnerabilities are identified. Understanding the evolving nature of the threats faced, recognising the weaknesses in their systems and identifying high-value information assets will enable businesses to deploy a strategy that offers the best protection.
John Timmons, Associate, and Tim Hickman, Partner, White & Case