Exclusive Q&A on Cyber Security with Lucy Pegler
Posted: 1st July 2016 11:17
Who are the main regulators and what are the key legislations that apply to the cybersecurity in your jurisdiction?
The key legislation relating to cybersecurity is a composite of national law and EU Directives which typically impose security obligations on businesses, e.g. security of data and security of networks.
Relevant legislation includes the:
- Communications Act 2003, which applies to public electronic communications network (PECN) providers and public electronic communications services (PECS) providers and imposes obligations on these providers to take technical and organisational measures appropriate to manage the security risks to such networks and services;
- Privacy and Electronic Communications (EC Directive) Regulations 2003, which apply to PECS and require PECS providers to take appropriate technical and organisational measures to safeguard the security of their services in relation to personal data;
- Data Protection Act 1998, which applies to any business collecting or processing personal data (being data from which a living individual is identified or identifiable) and imposes a broad set of obligations on such businesses including taking appropriate technical and organisational measures to ensure the security of personal data;
- Computer Misuse Act 1990, which creates cybercrime offences; and
- Official Secrets Act 1989, which creates various offences and applies to servants of the Crown and government contractors.
Ofcom, the communications regulator in the UK, is responsible for the enforcement of breaches of the Communications Act 2003 by providers of PECNs and PECSs. The Information Commissioner’s Office is the office responsible for the enforcement of both the Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998. It is also worth noting that the Financial Conduct Authority is responsible for enforcing breaches of regulations applicable to financial services industries.
Have there been any recent regulatory changes or interesting developments?
The new General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on 4 May 2016, signalling the end of four years' work reforming and harmonising the EU's data protection framework. The GDPR will take effect from 25 May 2018 meaning that businesses have two years to get their houses in order.
In the context of cybersecurity this is an important development. Much of the regulation in respect of cybersecurity derives from obligations to protect the security of data. Whilst the obligations in respect of security of data are not drastically changing, the GDPR does impose mandatory notifications for breaches of personal data (unless the breach is unlikely to pose a risk to individuals' rights) and the headline-grabbing sanction regime is helping to push cybersecurity to the top of board agendas. Under the GDPR, enforcement powers will be significantly increased and this includes fines of up to 4% of a company's annual global turnover for the most serious infringements.
In May this year the European Council adopted the Network and Information Security (NIS) Directive. The NIS Directive is designed to:
- improve Member States’ national cybersecurity capabilities;
- improve co-operation between Member States, and between the public and private sectors; and
- ensure “operators of essential services” in critical sectors (such as energy, transport, banking and health) and “digital service providers” (such as providers of online marketplaces, search engines and cloud services) adopt risk management practices and report major cyber incidents to the national authorities. It is worth noting that Member States will be responsible for identifying “operators of essential services”.
Member States will be required to adopt a national NIS strategy and establish a NIS authority which can prevent, handle and respond to cyber threats and incidents. The next step is for the NIS to be approved by the European Parliament and it is expected to enter into force in August 2016. Member States will then be given 21 months to adopt national law implementing the NIS Directive.
Can you outline the role of geopolitics and the emergence of cyber deterrence?
In a recent speech given by the UK Chancellor, George Osborne, at GCHQ, cyber deterrence was noted as becoming an increasingly important part of governments’ defence strategies. Western nations see it as a vehicle with which they can robustly respond to threats posed by terrorists and/or rogue states. The concept of cyber deterrence has therefore evolved from its earlier, defence-orientated incarnation, into a simple approach to neutralising the risk of breaches of critical state-run systems occurring. Established powers are being forced to be increasingly proactive in engaging with and policing the so-called "dark web", and to using all technological tools available to them to safeguard national security against some very 21st Century threats.
Are there any compliance issues or potential pitfalls that firms need to be cautious about?
In addition to the well-documented reputational damage associated with cybersecurity threats (and any sanctions imposed by sector-specific regulators), companies need to be focused on the data protection compliance responsibilities that they hold. The sanctions available to data protection regulators are becoming increasingly severe and consumers are developing a sophisticated awareness of their privacy rights. These trends mean that the financial, operational and regulatory consequences of getting it wrong are more serious than ever.
Firms which were not previously caught by the Data Protection Act 1998 will now need to reassess whether they are caught by the GDPR, which will catch data controllers and processors outside of the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, EU data subjects.
Have you witnessed any particular trends in cyber threats?
There is no doubt that cybersecurity attacks are becoming increasingly sophisticated in scale and complexity – as demonstrated by the large-scale distributed denial of service (DDoS) attack launched against TalkTalk last year. Whilst awareness of the dangers posed by such attacks is certainly increasing, the efforts that companies are required to undergo to minimise the risk of suffering a breach (as far as is possible) are becoming more and more onerous. Given the highly significant reputational, consumer trust and regulatory issues at play, companies cannot, unfortunately, afford to see the consequences of such attacks simply as a cost of doing business.
Which industries are at highest risk for threats to their cybersecurity?
Those companies which hold the greatest volumes of sensitive data – and in particular personal data – have the most to lose in the face of a cyber-security attack. Large, consumer-facing organisations (such as banks or those in the retail or utilities sectors) are therefore victims of frequent attacks. However, those players are also the most likely to have well-tested, market-leading defences in place – meaning it might actually be that mid-sized operators (including professional services firms) are some of the most vulnerable.
Firms should be ready to manage a cyber-attack; a well-planned and coordinated response to a cyber-attack will be key to mitigating the potential damage that can be caused by such attacks. The UK government's recent 'Cybersecurity Breaches Survey', published in May 2016, found that two thirds of large businesses experienced a cyber-breach or attack in the past year. The survey identified that whilst one in four large firms which experienced a breach did so at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities. About a third of all firms had formal written cybersecurity policies in place and only 10% had an incident management plan in place. The figures are quite startling, and serve to highlight the real threat posed by cyber-attacks and the need for firms to be prepared.
How is technological innovation – such as drones, wearable devices, cognitive thinking and the Internet of Things – altering the cybersecurity landscape?
These developments are exciting examples of the way in which technology is having an ever-increasing beneficial impact on our lives. However, devices such as these – and the networks, systems and operators which stand behind them – rely on vast amounts of data in order to realise their potential. The increased surface area of threat together with the size of the data processing required to service these devices, and the complexity of ways in which the many players in this sphere conduct such data processing, serve to dramatically increase the opportunities for, and the consequences of, significant cybersecurity attacks taking place.
What can we do to combat the security risks and challenges created by technological innovation? How do we balance innovations with cybersecurity and privacy risk exposures?
A key principle under the incoming GDPR is the concept of "privacy by design". The adoption of this idea is intended to balance the protection of privacy rights with the desire to realise the full potential of new and exciting technologies. By factoring in and addressing data security concerns from the outset of any new development project, stakeholders can ensure that appropriate and effective protections are put in place without the need for obstructive or compromising changes later in the design process. It is a symptom of the inter-connected state of today's global economy that any new developments will need to take account of security concerns in order to be truly successful. These concerns are no longer a secondary issue – they must be at the forefront of thinking.
Lucy Pegler is an associate with Burges Salmon LLP. She is a member of the firm’s technology team and advises clients from a wide range of industries on commercial, transactional and regulatory technology, outsourcing, data protection and cyber security matters.
Lucy can be contacted on +44 (0) 117 939 2000 or by email at firstname.lastname@example.org