Enforcement of UK cyber rules likely to be stepped up

Cyber risk specialist David McIlwaine of Pinsent Masons, the law firm behind Out-Law.com, said the current 'light touch' approach to enforcement of the UK's Network and Information Security (NIS) Regulations is due to end soon, and that a recent study has highlighted the scale of cyber attacks that critical infrastructure is being subjected to.

According to research carried out by the Ponemon Institute, commissioned by cybersecurity business Tenable, 90% of professionals working at organisations dependent on industrial control systems and other operational technology, such as those in utilities, health care, manufacturing and transport, said their systems had fallen victim to at least one successful cyber attack in the past two years.

In the UK, the NIS Regulations came into force on 10 May 2018. Those rules implement the EU's NIS Directive, which were introduced in response to the increase in cyber risks facing critical infrastructure.

The NIS rules apply to operators of 'essential services' in energy, health, financial markets and transport, among other sectors, as well as to 'digital service providers' – online marketplaces, online search engines and cloud computing service providers.

Both operators of essential services and digital service providers are subject to requirements to keep their networks and information secure under the new rules, and to notify security incidents to "competent authorities" when they occur. 

In the UK there is no single competent authority – instead, a number of government ministers and departments, and regulators such as Ofcom and the Information Commissioner's Office (ICO) are tasked with overseeing compliance across the various sectors in which the rules apply.

The NIS Regulations provide the competent authorities with powers to compel organisations subject to the regime to address any compliance failings identified and they can issue significant financial penalties to organisations that do not do so or which give unsatisfactory responses to enforcement notices they have been served.

A tiered system of penalties applies, but in the most serious of instances fines of up to £17 million can be levied where there has been a "material contravention which the enforcement authority determines has caused, or could cause, an incident resulting in an immediate threat to life or significant adverse impact on the United Kingdom economy".

"The findings from this study are a timely reminder of the scale of the threat to the security of critical infrastructure as a result of attacks by state actors and other organised cyber criminals," McIlwaine said. "If critical national infrastructure network and systems fail this has the potential to have a huge impact on the country and the economy as a whole – you can imagine the disruption caused if there is a widespread electricity blackout or if air traffic control systems are knocked offline. This is why EU policy makers and legislators moved to introduce the NIS Directive."

"In the UK, the government initially encouraged competent authorities to engage in a spirit of cooperation with organisations subject to the NIS regime rather than rush to penalise those for non-compliance. This 'light touch' approach was endorsed for a year from the introduction of the NIS Regulations in May 2018 as a way to drive improvements in cybersecurity practices. While this moratorium of sorts on enforcement has applied, there has been significant work ongoing in the background by UK authorities to build a more accurate picture of cybersecurity measures implemented by operators of essential services," he said.

"Operators have been requested to fill out a 182-point 'cyber assessment framework' (CAF) prepared by the UK's National Cyber Security Centre, and validate against three outcomes – 'achieved', 'partially achieved' and 'not achieved'. In the coming months operators of essential services should expect the authorities to mandate improvements in areas where risks are not being managed effectively currently and for the information they have provided in the CAF exercise to be used as a point of reference by the regulators in consideration of financial penalties where they delay in delivering improvements," McIlwaine said.