[BreachExchange] British Government: Companies Should Fight Cyberattacks Or Receive Fines

Thu Aug 10 05:12:57 EDT 2017

http://www.ibtimes.com/british-government-companies-should-fight-cyberattacks-or-receive-fines-2576070

British organizations failing to take proper measures to prevent
against a cyber attack that disrupts critical services could face
massive fines of more than $20 million under a new proposal being
considered by the British government.

The fines would not be levied against every company that falls victim
to a security breach or cyber attack, but would rather be considered a
“last resort” against companies that choose not to take proper
precautions in preparing to defend against an incident.

The proposed fines would be part of a government consultation on the
Network and Information Systems (NIS) Directive, which is set to go
into effect in May 2018. The fines suggested could range as high as
$22 million or four percent of global turnover and would primarily be
handed to companies that fail to protect networks that could result in
massive disruptions like transportation, health and utilities.

The potential penalty mirrors what the European Union has threatened
to hit organizations with if they fail to comply with the new General
Data Protection Regulation (GDPR), designed to set guidelines for how
sensitive data should be protected. The GDPR is also set to go into
effect in May 2018, making the month an especially important target
for organizations to hit when it comes to preparing their networks.

“We want the UK to be the safest place in the world to live and be
online, with our essential services and infrastructure prepared for
the increasing risk of cyber-attack and more resilient against other
threats such as power failures and environmental hazards,” Matt
Hancock, the UK’s digital and culture minister, said.

The Department for Digital, Culture, Media and Sport also said it
wanted to see organizations take a more proactive approach to
detecting threats, including developing security monitoring systems
and investing in programs to raise staff awareness of cyber threats.

The NIS Directive, once implemented next year, will represent a
significant portion of the UK government’s five-year, $2.2 billion
National Cyber Security Strategy. The program is designed to push
essential service operators to take necessary precautions to protect
their IT systems.

Ciaran Martin, the CEO of the National Cyber Security Centre, said his
organization welcomes this consultation that raised the possibility of
fines and agreed that many organizations need to do more to increase
and improve their security practices.

“The NCSC is committed to making the UK the safest place in the world
to live and do business online, but we can’t do this alone,” Martin
said. “Everyone has a part to play and that’s why since our launch we
have been offering organisations expert advice on our website and the
Government’s Cyber Essentials Scheme.”

The new requirements comes just months after several organizations in
the United Kingdom including more than 30 National Health Service
hospitals fell victim to global cyberattacks including the WannaCry
ransomware campaign that held more than one million computer systems
hostage and the Petya wiper attack that destroyed files on machines in
more than 60 countries.