Davey said the MoU also confirms the position as set out in the UK’s Network and Information Systems (NIS) Regulations 2018, whereby the ICO has certain obligations to make a report to the NCSC in its capacity as the UK’s Cyber Security Incident Response Team (CSIRT), and that the NCSC and ICO will consult each other before making any public communications about an incident.
He added: “The NCSC’s CAF is used by a number of regulators to assess compliance with the NIS Regulations 2018. It will be interesting to see whether the ICO intends to use the CAF to assess regulatory compliance, either as the regulator of ‘relevant digital service providers’ under NIS, or more broadly, including in relation to data protection regulation. Whilst the CAF is likely to be really useful for organisations to consider their own cyber posture, clear guidance would be expected from the ICO if it intends to use the CAF to assess compliance with regulatory obligations.”
Separately, the NCSC, together with the UK’s National Crime Agency (NCA), published a new paper which highlights the criminal ecosystem that underpins ransomware attacks.
Ransomware is a form of malicious software that criminals use to restrict businesses’ access to their own systems and data and to extract a ransom payment in return for restoring that access. The NCSC has recognised ransomware as the biggest cyber threat facing the UK, while data made public by the ICO shows an increase in ransomware-related personal data breach incidents in recent years.
Davey said the NCSC and NCA’s paper reemphasises the importance of good cyber regulatory oversight, including the role of the ICO under the UK General Data Protection Regulation (GDPR).
“Data leak sites became popular in the hope of pressuring victims that could face large fines under laws such as UK GDPR and the Data Protection Act 2018,” the NCSC and NCA said. “While the threat of leaking sensitive data (whether intellectual property or personal data) often carries real weight with victims, the victim can be liable for not protecting the data, regardless of whether it becomes public on the leak site.”
Davey said that it is important for businesses to understand the full implications involved in making a ransom payment, including the risks of breaching financial sanctions and how payment of a ransom demand will not help them avoid regulatory repercussions for the original incident.
The NCSC and NCA said: “While cyber crime exists in most countries around the world, the major threat to the UK emanates from the Russian-speaking community that have benefited from the larger OCGs (organised criminal gangs) helping shape the forums where these services are traded. Like other criminal services, ransomware has been adapting to this marketplace to become more accessible and scalable through groups selling ransomware as a service (RaaS). The resulting increase in criminals adopting ransomware and extortion tactics means that smaller criminal groups, working together, can make a large impact.”