UK companies which suffer a data breach may face lower fines if they proactively report and engage with the National Cyber Security Centre (NCSC), according to a new agreement between the agency and the Information Commissioner’s Office (ICO) – the UK’s data protection regulator.

The chief executives of the NCSC and the ICO (Lindy Cameron & John Edwards) signed a memorandum of understanding (MOU) on Tuesday the 12th September.

The MOU sets out how the two parties will work together in an attempt to improve cyber security standards and prevent data breaches without compromising the confidentiality of reports given to either party.

Included in the MOU is a commitment from the ICO to explore “how it can transparently demonstrate that meaningful engagement with the NCSC will reduce regulatory penalties.”

Confidentiality upheld

The MOU stresses that reporting information to either agency does not allow that agency to share the data with the other; the NCSC notes that doing so would be illegal under the Intelligence Services Act 1994.

Neither agency will identify victims of cyber incidents to the other unless the affected party gives express permission. The MOU sets out how the ICO will share information with the NCSC “about cyber incidents, on an anonymised and aggregate basis, as well as incident specific details where the matter is of national significance.”

The MOU does set out the areas where the agencies will share information, for instance regarding cyber threat assessments affecting those organisations who are classed as delivering essential services, or digital services, as outlined under the NIS Regulations.

Both agencies are seeking to avoid provoking a lack of trust among the organisations reporting to them, as discouraging those reports could undermine their visibility into the true scale of cyber attacks affecting the country.

Improving cyber responses

In July, the two organisations published a joint blog post saying they had written a letter to the Law Society to remind members that they should not advise clients to pay ransom demands in the false belief that doing so may reduce risk to individuals.

The MOU also states that the ICO has agreed to promote NCSC’s guidance on cyber security to help organisations avoid suffering data breaches.

One of the tools provided by the NCSC which the ICO will promote is the Cyber Assessment Framework (CAF) which provides guidance for organisations responsible for vitally important services and activities.

The CAF provides a systematic and comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible. It is intended to be used either by the responsible organisation itself (self-assessment) or by an independent external entity, possibly a regulator or a suitably qualified organisation acting on behalf of a regulator.

The CAF provides 4 objective categories sub-divided into 14 principles. The objectives and principles include:

Objective A: Managing Security Risk

  • A1 – Governance
  • A2 – Risk management
  • A3 – Asset management
  • A4 – Supply chain

Objective B: Protecting against cyber attack

  • B1 – Service protection policies and processes
  • B2 – Identity and access control
  • B3 – Data security
  • B4 – System security
  • B5 – Resilient networks and systems
  • B6 – Staff awareness and training

Objective C: Detecting cyber security events

  • C1 – Security monitoring
  • C2 – Proactive security event discovery

Objective D: Minimising the impact of cyber security incidents

  • D1 – Response and recovery planning
  • D2 – Lessons learned

Working together

Whilst both organisations have their own agendas to improve the security and safety of their customers, the MOU states that:

“The NCSC seeks to influence the development of international standards and guidance on cyber security in a manner that supports its work with regulators in the UK. Similarly, the Commissioner contributes to international standards and guidance through working with a range of regulatory partners across jurisdictions with the purpose of further international cooperation, including in relation to cyber security. The Commissioner and the NCSC agree to inform each other about international developments and opportunities that would support their respective abilities to achieve these outcomes.”

John Edwards (Information Commissioner) and Lindy Cameron (CEO – NCSC) signing the Memorandum of Understanding