UK government 'exploring' how to improve cyber risk management among businesses

Out-Law News | 17 Oct 2016 | 3:15 pm | 1 min. read

The UK government is considering whether to introduce new "incentives" to improve the way businesses manage cyber risk.

It confirmed that it is "exploring" the issue in a statement issued in response to a report by MPs published in June on the protection of personal data online.

In its report, the Culture, Media and Sport Committee said that chief executives (CEOs) should assume "ultimate responsibility for cybersecurity within a company" but that "day to day responsibility" for cybersecurity should be allocated to another person in the business, such as the chief information officer or head of security.

Those tasked with everyday cybersecurity responsibilities should be subject to "Board oversight" and sanctions if "the company has not taken sufficient steps to protect itself from a cyber attack", it said. To ensure cybersecurity is given sufficient attention at the top of businesses, however, "a portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board", the Committee said.

In response, the UK government said it is "currently exploring whether we have the regulatory framework and incentives needed to drive effective cyber risk management across the UK economy" and that "organisational responsibilities are part of these considerations".

The government said it expects to conclude its work on the issue this autumn.

In its statement the government encouraged businesses to establish "incident management plans" to prepare for being breached in a cyber attack and said companies should also consider "data protection and cybersecurity in the supply chain". It said it was "leading by example" because it already generally requires government IT suppliers to be certified under its Cyber Essentials scheme.

"It is important for third party suppliers (which process data) as well as data controllers themselves to comply with data protection rules," the government said. "Under the EU General Data Protection Regulation (GDPR), data controllers and third party data processors will be jointly liable for breaches of the Regulation. The government is assessing the impact of the GDPR, following the EU referendum on 23 June and will take this issue into account when looking at next steps."

The government also said it plans to give the UK's Information Commissioner's Office (ICO) the powers to conduct compulsory data protection audits of "data brokerage organisations". The ICO already has compulsory audit powers over central government departments and NHS bodies. The ICO currently requires the consent of other organisations to carry out a data protection audit on them.